ConfigServer Security & Firewall (CSF) is a popular VPS security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.
Deploy a new Ubuntu 20.04 Vultr VPS instance.
Connect to the server via SSH as root.
Follow our best practices guides to update the Ubuntu server.
Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.
# apt remove ufw
Install the CSF dependencies.
# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
CSF requires Sendmail to send alerts to the administrator.
# apt install sendmail-bin
Change to /usr/src
# cd /usr/src
Download the CSF distribution.
# wget https://download.configserver.com/csf.tgz
Extract CSF.
# tar -xzf csf.tgz
Change to /usr/src/csf
# cd csf
Run the install script.
# sh install.sh
Verify the required iptables modules for CSF are available.
# perl /usr/local/csf/bin/csftest.pl
Confirm that all tests report OK, and you see the following result.
RESULT: csf should function on this server
Verify CSF status after installation.
# csf -v
You should see a result similar to:
csf: v14.02 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.
# nano /etc/csf/csf.conf
Locate the line TESTING = "1", and change the value to "0".
TESTING = "0"
Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
RESTRICT_SYSLOG = "3"
Save the configuration file.
Stop and reload CSF with the -ra option.
# csf -ra
# csf -s
# csf -f
You must restart CSF each time the configuration file changes.
# csf -ra
Edit /etc/csf/csf.conf
# nano /etc/csf/csf.conf
Locate the following lines and add the required ports.
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077â
# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087â
Restart CSF for the changes to take effect.
# csf -ra
Use the -d option to deny by IP, for example, 192.0.2.123.
# csf -d 192.0.2.123
Use the -a option to allow by IP, for example, 192.0.2.123.
# csf -a 192.0.2.123
Remove IP from the allow list.
# csf -ar 192.0.2.123
Remove IP from the deny list.
# csf -dr 192.0.2.123
Block IPs by adding a entry to /etc/csf/csf.deny.
192.0.2.123 # deny this IP
192.0.2.0/24 # deny this network
Add trusted IPs to /etc/csf/csf.allow.
192.0.2.123 # trust this IP
Check all listening ports with the -p option.
# csf -p
For more information about VPS security, see the CSF website.