Install CSF (ConfigServer Security & Firewall) on Ubuntu 20.04 LTS

Last Updated: Fri, May 15, 2020
Linux Guides Security System Admin Ubuntu

Introduction

ConfigServer Security & Firewall (CSF) is a popular security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.

Step 1: Deploy Ubuntu Server

Step 2: Prepare for CSF Installation

Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.

# apt remove ufw

Install the CSF dependencies.

# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

CSF requires Sendmail to send alerts to the administrator.

# apt install sendmail-bin

Step 3: Install CSF

  1. Change to /usr/src

    # cd /usr/src
    
  2. Download the CSF distribution.

    # wget https://download.configserver.com/csf.tgz
    
  3. Extract CSF.

    # tar -xzf csf.tgz
    
  4. Change to /usr/src/csf

    # cd csf
    
  5. Run the install script.

    # sh install.sh
    
  6. Verify the required iptables modules for CSF are available.

    # perl /usr/local/csf/bin/csftest.pl
    

    Confirm that all tests report OK, and you see the following result.

    RESULT: csf should function on this server
    
  7. Verify CSF status after installation.

    # csf -v 
    

    You should see a result similar to:

    csf: v14.02 (generic)
    *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
    

Step 4: Configure CSF

  1. CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.

    # nano /etc/csf/csf.conf
    
  2. Locate the line TESTING = "1", and change the value to "0".

    TESTING = "0"
    
  3. Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.

    RESTRICT_SYSLOG = "3"
    
  4. Save the configuration file.

  5. Stop and reload CSF with the -ra option.

    # csf -ra
    

Common CSF Commands & Configuration

Start CSF

# csf -s 

Stop CSF

# csf -f 

Restart CSF

You must restart CSF each time the configuration file changes.

# csf -ra 

Allow IP traffic by port

  1. Edit /etc/csf/csf.conf

    # nano /etc/csf/csf.conf
    
  2. Locate the following lines and add the required ports.

    # Allow incoming TCP ports
    TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077”
    
    # Allow outgoing TCP ports
    TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”
    
  3. Restart CSF for the changes to take effect.

    # csf -ra
    

Allow or deny by IP address

Use the -d option to deny by IP, for example, 192.0.2.123.

# csf -d 192.0.2.123

Use the -a option to allow by IP, for example, 192.0.2.123.

# csf -a 192.0.2.123

Remove IP from the allow list.

# csf -ar 192.0.2.123

Remove IP from the deny list.

# csf -dr 192.0.2.123

Deny file

Block IPs by adding a entry to /etc/csf/csf.deny.

192.0.2.123     # deny this IP
192.0.2.0/24    # deny this network 

Allow file

Add trusted IPs to /etc/csf/csf.allow.

192.0.2.123     # trust this IP

Check all listening ports with the -p option.

# csf -p

More Information

For more information, see the CSF website.

Want to contribute?

You could earn up to $300 by adding new articles