
How To Install CSF Firewall on VestaCP (RHEL/CentOS & Debian/Ubuntu)

Published on 2020-09-27 11:35:47

VestaCP has a built-in default firewall based on iptables and fail2ban. You will find it when you run VestaCP on Linux operating systems, including RHEL and CentOS. However, iptables and fail2ban can be excluded in the VestaCP installation command (ADVANCED INSTALL SETTINGS) and replaced with CSF Firewall (ConfigServer Security & Firewall) + LFD (Login Failure Daemon).

As far as I know, CSF has officially supported VestaCP as an optional firewall and has provided a user interface (UI) since version 13.05 was released to the public. Although CSF says that they only support VestaCP running on CentOS 7, I have tried it and it works very well on VestaCP with Debian 8/9 and Ubuntu LTS Server (16.04 – 18.04). Look at the CSF changelog below.

13.05 - Added official CentOS Web Panel (CWP) integration and CWP panel
specific configuration. See /etc/csf/readme.txt for more information
(only tested on CentOS v7)

Added official VestaCP integration and VestaCP specific configuration
(only tested on CentOS v7)

SEE: https://download.configserver.com/csf/changelog.txt

It’s easy to install and configure CSF Firewall on VestaCP, both with RHEL/CentOS and Debian/Ubuntu. Now, follow this guide to install CSF Firewall on your VestaCP.

1.) Download and Install CSF Firewall

$ cd /usr/local/src
$ wget https://download.configserver.com/csf.tgz
$ tar -xzf csf.tgz
$ cd csf
$ sh install.sh

2.) OK… CSF Firewall has been installed on your VestaCP server. Now let’s test your CSF Firewall installation.

$ perl /usr/local/csf/bin/csftest.pl

3.) Next, configure your CSF Firewall settings and make sure to disable testing mode so that CSF can work properly on your VestaCP server. You can edit the file with the nano editor, or log in to VestaCP and open the CSF menu (top right).

$ nano /etc/csf/csf.conf

Set Testing Mode from “1” to “0”

TESTING = "0"

Set RESTRICT_SYSLOG from “0” to “3”

RESTRICT_SYSLOG = "3"

4.) If you have a custom port, be sure to always add that port to CSF IPv4 Port Settings and IPv6 Port Settings.

5.) Now, restart CSF & LFD

$ csf -r    # or: service csf restart
$ lfd -r    # or: service lfd restart
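
A check to run before the restart in step 5, as an added example that is not part of the original guide or of CSF: it reads a csf.conf-style file and reports whether TESTING and RESTRICT_SYSLOG have the values from step 3 and whether a custom port is listed in both the IPv4 (TCP_IN) and IPv6 (TCP6_IN) incoming lists. The function names, port 2222 and the sample file are constructed for illustration; on a real server pass /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example (not part of CSF): check csf.conf before restarting CSF and LFD.

# csf_get FILE KEY: print the value of a `KEY = "value"` line.
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# port_listed LIST PORT: succeed if PORT is in a comma list; ranges are start:end.
port_listed() {
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *:*) if [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ]; then return 0; fi ;;
            *)   if [ "$entry" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# csf_precheck FILE PORT: print one line per finding; fail if there is any.
csf_precheck() {
    rc=0
    if [ "$(csf_get "$1" TESTING)" != "0" ]; then
        echo "TESTING is not 0"; rc=1
    fi
    if [ "$(csf_get "$1" RESTRICT_SYSLOG)" != "3" ]; then
        echo "RESTRICT_SYSLOG is not 3"; rc=1
    fi
    for key in TCP_IN TCP6_IN; do
        if ! port_listed "$(csf_get "$1" "$key")" "$2"; then
            echo "port $2 is missing from $key"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: custom SSH port 2222 was added for IPv4 only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,25,53,80,443,2222,8083,12000:12100"
TCP6_IN = "20,21,22,25,53,80,443,8083"
EOF
csf_precheck "$sample" 2222 || echo "fix the findings above before running csf -r"
```

With testing mode off, a port missing from either list stays blocked after the restart, so run the check with the port you use to reach the server.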

CONCLUSION

Installing CSF Firewall + LFD on VestaCP is very easy to do. CSF Firewall has more complete and more comprehensive features than iptables and fail2ban, which are the default VestaCP firewall. However, iptables and CSF Firewall can run together on VestaCP without any problems. You can keep the iptables firewall installed on your VestaCP without the need to uninstall it, even though you have also installed CSF Firewall.

How To Fix CSF Error open3: exec of /usr/bin/systemctl is-active firewalld failed

Published on 2020-09-27 11:35:36

Since version 13.05 was released to the public, CSF (ConfigServer Security & Firewall) has fully supported VestaCP with user interface integration. However, if you configure VestaCP and CSF on an Ubuntu 18.04 LTS server, you might get an error message like this when restarting CSF:

[email protected]:/usr/local/src/csf# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
open3: exec of /usr/bin/systemctl is-active firewalld failed: No such file or directory at /usr/sbin/csf line 906.

SOLUTION:

1.) Don’t panic; this problem is very easy to solve. First of all, open the csf.conf configuration file on your server.

$ nano /etc/csf/csf.conf

2.) Under "SECTION:OS Specific Settings", look for the SYSTEMCTL = "/usr/bin/systemctl" line.

###############################################################################
# SECTION:OS Specific Settings
###############################################################################
# Binary locations
IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"
IPTABLES_RESTORE = "/sbin/iptables-restore"
IP6TABLES = "/sbin/ip6tables"
IP6TABLES_SAVE = "/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
VMSTAT = "/usr/bin/vmstat"
NETSTAT = "/bin/netstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
UNZIP = "/usr/bin/unzip"
GUNZIP = "/bin/gunzip"
DD = "/bin/dd"
TAIL = "/usr/bin/tail"
GREP = "/bin/grep"
ZGREP = "/usr/bin/zgrep"
IPSET = "/usr/sbin/ipset"
SYSTEMCTL = "/usr/bin/systemctl"
HOST = "/usr/bin/host"
IP = "/sbin/ip"

3.) Then we need to find the location of the systemctl command on your server. Systemctl is a central management tool for controlling the init system on CentOS 7. Just run the following commands to find the location of systemctl.

$ which systemctl
$ whereis systemctl

4.) Well, you will get output like this after running the above command.

$ which systemctl
/bin/systemctl
$ whereis systemctl
systemctl: /bin/systemctl /usr/share/man/man1/systemctl.1.gz
------------------------------------------------------

5.) Next, we need to open the csf.conf file again

And please change from:

SYSTEMCTL = "/usr/bin/systemctl"

To

SYSTEMCTL = "/bin/systemctl"

The result will be like this:

###############################################################################
# SECTION:OS Specific Settings
###############################################################################
# Binary locations
IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"
IPTABLES_RESTORE = "/sbin/iptables-restore"
IP6TABLES = "/sbin/ip6tables"
IP6TABLES_SAVE = "/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
VMSTAT = "/usr/bin/vmstat"
NETSTAT = "/bin/netstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
UNZIP = "/usr/bin/unzip"
GUNZIP = "/bin/gunzip"
DD = "/bin/dd"
TAIL = "/usr/bin/tail"
GREP = "/bin/grep"
ZGREP = "/usr/bin/zgrep"
IPSET = "/usr/sbin/ipset"
SYSTEMCTL = "/bin/systemctl"
HOST = "/usr/bin/host"
IP = "/sbin/ip"

6.) OK, all done. Now you can restart CSF and LFD with the following commands.

$ csf -r
$ lfd -r
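
The same fix generalized to any binary-location setting, as an added example that is not part of the original article or of CSF: for each setting name given, it reports a configured path that is not an executable file and shows where that program is found on PATH. The function names and the temporary sandbox (a config pointing at usr/bin/systemctl while the program sits in bin) are constructed to reproduce the case above; on a real server pass /etc/csf/csf.conf and the setting names from the "Binary locations" list.

```shell
#!/bin/sh
# Added example (not part of CSF): find binary-location settings that point nowhere.

# csf_get FILE KEY: print the value of a `KEY = "value"` line.
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# audit_binaries FILE KEY...: report each KEY whose path is not an executable
# file and show where that program is on PATH. Fails if any path is wrong.
audit_binaries() {
    conf=$1; shift
    rc=0
    for key in "$@"; do
        path=$(csf_get "$conf" "$key")
        [ -n "$path" ] || continue          # setting absent: nothing to check
        if [ ! -x "$path" ]; then
            found=$(command -v "$(basename "$path")" 2>/dev/null || true)
            echo "$key = \"$path\" is not executable; on PATH: ${found:-not installed}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sandbox: the config says <root>/usr/bin/systemctl, but the
# program lives in <root>/bin, as on the Ubuntu 18.04 server in the article.
root=$(mktemp -d)
mkdir -p "$root/bin" "$root/usr/bin"
printf '#!/bin/sh\n' > "$root/bin/systemctl";  chmod +x "$root/bin/systemctl"
printf '#!/bin/sh\n' > "$root/usr/bin/host";   chmod +x "$root/usr/bin/host"
cat > "$root/csf.conf" <<EOF
# Binary locations
SYSTEMCTL = "$root/usr/bin/systemctl"
HOST = "$root/usr/bin/host"
EOF
( PATH="$root/bin:$PATH"; audit_binaries "$root/csf.conf" SYSTEMCTL HOST ) || true
```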