How to Install Config Server Firewall (CSF) on Debian/Ubuntu

ConfigServer Security & Firewall, abbreviated as CSF, is an open-source, advanced firewall designed for Linux systems. Beyond the basic functionality of a firewall, it offers a wide array of add-on features such as login/intrusion detection, exploit checks, ping of death protection, and more.

It also provides UI integration for widely used control panels such as cPanel, Webmin, Vesta CP, CyberPanel, and DirectAdmin. You can find a full list of supported features and operating systems on ConfigServer’s official website.

In this guide, we will walk you through the installation and configuration of ConfigServer Security & Firewall (CSF) on Debian and Ubuntu.

Step 1: Install CSF Firewall on Debian and Ubuntu

First, you need to install some dependencies before installing the CSF firewall. On your terminal, update the package index:

$ sudo apt update

Next, install the dependencies as shown:

$ sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl  libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip

With that out of the way, you can now proceed to the next step.

Since CSF is not included in the default Debian and Ubuntu repositories, you need to install it manually. To proceed, download the CSF tarball, which contains all the installation files, using the following wget command.

$ wget http://download.configserver.com/csf.tgz

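This downloads a compressed file called csf.tgz. The URL is plain HTTP, so the transfer has no integrity protection; review the extracted install.sh before running it as root.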

Next, extract the compressed file.

$ tar -xvzf csf.tgz

This creates a folder called csf.

$ ls -l

Next, navigate into the csf folder.

$ cd csf

Then install CSF Firewall by running the installation script shown.

$ sudo bash install.sh

If everything went okay, the script reports that the installation completed.

At this point, CSF is installed. However, you need to verify that the required iptables modules are available. To do this, run the command:

$ sudo perl /usr/local/csf/bin/csftest.pl

Step 2: Configure CSF Firewall on Debian and Ubuntu

Some additional configuration is needed. Next, we need to modify a few settings to enable CSF. So, head over to the csf.conf configuration file.

$ sudo nano /etc/csf/csf.conf

Edit the TESTING directive from “1” to “0” as indicated below.

TESTING = "0"

Next, set the RESTRICT_SYSLOG directive to “3” to restrict rsyslog/syslog access only to members of the RESTRICT_SYSLOG_GROUP.

RESTRICT_SYSLOG = "3"

Next, you can open TCP and UDP ports by locating the TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT directives.

By default, the following ports are opened.

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

UDP_IN = "20,21,53,80,443"

UDP_OUT = "20,21,53,113,123"

Chances are that you don’t need all those ports opened, and best server practices demand that you only open the ports you are using. We recommend that you remove all unnecessary ports and leave the ones which are used by the services running on your system.
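One way to decide which ports to keep is to compare TCP_IN with what is actually listening. The following is an added example, not part of the original guide or of CSF itself: it parses the TCP_IN directive from csf.conf text and compares it with listeners parsed from `ss -tlnH` output. The sample inputs are constructed, and the function names and the assumed column layout of the `ss` output are assumptions of this example.

```python
import re

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF = '''
TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
'''
# Assumed column layout of `ss -tlnH`: State Recv-Q Send-Q Local Peer
SAMPLE_SS = '''\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
'''

def csf_ports(conf_text, directive):
    """Return the set of ports in a csf.conf list directive such as TCP_IN."""
    pattern = r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(directive)
    m = re.search(pattern, conf_text, re.M)
    if not m:
        raise KeyError(directive)
    ports = set()
    for item in filter(None, (p.strip() for p in m.group(1).split(","))):
        lo, _, hi = item.partition(":")      # CSF writes port ranges as low:high
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening_ports(ss_text):
    """Ports with a non-loopback TCP listener, from `ss -tlnH` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue                          # loopback only, not reachable remotely
        ports.add(int(port))
    return ports

def audit(conf_text, ss_text):
    """Compare the TCP_IN allow list with the ports that have a listener."""
    allowed = csf_ports(conf_text, "TCP_IN")
    listening = listening_ports(ss_text)
    return {"open_but_unused": sorted(allowed - listening),
            "listening_but_closed": sorted(listening - allowed)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_SS))
```

Ports reported as open_but_unused are candidates for removal from TCP_IN; on a live host, pass in the contents of /etc/csf/csf.conf and the captured `ss -tlnH` output instead of the samples.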

Once you are done specifying the ports you need, reload CSF as shown.

$ sudo csf -r

To list all the iptables rules defined on the server, run the command:

$ sudo csf -l

You can start and enable the CSF firewall on startup as follows:

$ sudo systemctl start csf
$ sudo systemctl enable csf

Then confirm that the firewall is running:

$ sudo systemctl status csf

Step 3: Blocking and Allowing IP Addresses in CSF Firewall

One of the key functionalities of a firewall is the ability to allow or block IP addresses from accessing the server. With CSF, you can whitelist (allow), blacklist (deny) or ignore IP addresses by modifying the following configuration files:

  • csf.allow
  • csf.deny
  • csf.ignore

Block an IP Address in CSF

To block an IP address, simply access the csf.deny configuration file.

$ sudo nano /etc/csf/csf.deny

Then specify the IP addresses that you want to block. You can specify the IP addresses line by line as shown:

192.168.100.50
192.168.100.120

Or you can use the CIDR notation to block an entire subnet.

192.168.100.0/24

Allow an IP Address in CSF

To allow an IP address through iptables and exclude it from all filters or blocks, edit the csf.allow configuration file.

$ sudo nano /etc/csf/csf.allow

You can list one IP address per line, or use CIDR notation as previously demonstrated when blocking IPs.

NOTE: An IP address will be allowed even when it is explicitly defined in the csf.deny configuration file. To ensure that an IP address is blocked or blacklisted, ensure that it is not listed in the csf.allow file.
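Because csf.allow takes precedence as described in the note above, a deny entry can be silently ineffective. The following is an added example, not part of the original guide or of CSF itself: it reports csf.deny entries that overlap a csf.allow entry, including CIDR ranges. The file contents are constructed samples, and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample file contents (not taken from a real host).
SAMPLE_ALLOW = """\
# csf.allow
192.168.100.0/24   # office LAN
203.0.113.7
tcp|in|d=22|s=198.51.100.9
"""
SAMPLE_DENY = """\
# csf.deny
192.168.100.50
192.168.100.120 # repeated failed logins
198.51.100.0/24
203.0.113.0/28
"""

def parse_entries(text):
    """Return (line number, network) for each plain IP/CIDR line.

    Comments, blank lines, Include lines and advanced filters (entries
    containing '|') are skipped: only whole-address entries are compared.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry or "|" in entry or entry.lower().startswith("include"):
            continue
        try:
            entries.append((lineno, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue  # not an address; leave it for manual review
    return entries

def shadowed_denies(allow_text, deny_text):
    """Deny entries that overlap an allow entry, which takes precedence."""
    allows = parse_entries(allow_text)
    findings = []
    for d_line, d_net in parse_entries(deny_text):
        for a_line, a_net in allows:
            if d_net.overlaps(a_net):  # full or partial overlap
                findings.append((d_line, str(d_net), a_line, str(a_net)))
    return findings

if __name__ == "__main__":
    for d_line, d_net, a_line, a_net in shadowed_denies(SAMPLE_ALLOW, SAMPLE_DENY):
        print(f"csf.deny:{d_line} {d_net} overlaps csf.allow:{a_line} {a_net}")
```

Each finding names the line in both files, so the conflicting csf.allow entry can be removed or narrowed before relying on the block.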

Exclude an IP Address in CSF

Additionally, CSF provides you with the ability to exclude an IP address from iptables or filters. Any IP address in the csf.ignore file will be exempted from the iptables filters. It can only be blocked if specified in the csf.deny file.

To exempt an IP address from the filters, access the csf.ignore file.

$ sudo nano /etc/csf/csf.ignore

Once again, you can list the IPs line by line or use CIDR notation.

Conclusion

And that wraps up our guide today. We hope you can now install and configure the CSF firewall without a hitch.