Install CSF (ConfigServer Security & Firewall) on Ubuntu 20.04 LTS

Updated on May 15, 2020

Introduction

ConfigServer Security & Firewall (CSF) is a popular VPS security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection (SPI) firewall, intrusion detection, a login failure daemon, DDoS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.

1. Deploy Ubuntu Server

2. Prepare for CSF Installation

Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.

# apt remove ufw

Install the CSF dependencies.

# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

CSF requires Sendmail to send alerts to the administrator.

# apt install sendmail-bin

3. Install CSF

  1. Change to /usr/src

     # cd /usr/src
  2. Download the CSF distribution.

     # wget https://download.configserver.com/csf.tgz
  3. Extract CSF.

     # tar -xzf csf.tgz
  4. Change to /usr/src/csf

     # cd csf
  5. Run the install script.

     # sh install.sh
  6. Verify the required iptables modules for CSF are available.

     # perl /usr/local/csf/bin/csftest.pl

    Confirm that all tests report OK, and you see the following result.

     RESULT: csf should function on this server
  7. Verify CSF status after installation.

     # csf -v 

    You should see a result similar to:

     csf: v14.02 (generic)
     *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

4. Configure CSF

  1. CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.

     # nano /etc/csf/csf.conf
  2. Locate the line TESTING = "1", and change the value to "0".

     TESTING = "0"
  3. Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.

     RESTRICT_SYSLOG = "3"
  4. Save the configuration file.

  5. Stop and reload CSF with the -ra option.

     # csf -ra

Common CSF Commands & Configuration

Start CSF

# csf -s 

Stop CSF

# csf -f 

Restart CSF

You must restart CSF each time the configuration file changes.

# csf -ra 

Allow IP traffic by port

  1. Edit /etc/csf/csf.conf

     # nano /etc/csf/csf.conf
  2. Locate the following lines and add the required ports.

     # Allow incoming TCP ports
     TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077"

     # Allow outgoing TCP ports
     TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087"
  3. Restart CSF for the changes to take effect.

     # csf -ra
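
The values edited in section 4 and the port lists above can be checked before restarting the firewall. The script below is an added example, not part of the original tutorial or of CSF itself; the function names csf_conf_get, csf_ports_ok and csf_audit and the sample file are constructed for illustration.

```shell
# Added example: audit the csf.conf values this tutorial edits.
# Print KEY's value from a csf.conf-style file. Returns 1 if the key is
# absent, 2 if the line is not in KEY = "value" form (ASCII double quotes).
csf_conf_get() {
    line=$(grep -E "^$2[[:space:]]*=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -Eq '^[A-Z0-9_]+[[:space:]]*=[[:space:]]*"[^"]*"[[:space:]]*$' || return 2
    printf '%s\n' "$line" | sed 's/^[^"]*"\([^"]*\)".*$/\1/'
}

# Succeed only if $1 is a comma-separated list of ports (1-65535) or
# low:high ranges, with no empty entries.
csf_ports_ok() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | tr ',:' '\n\n' | while read -r p; do
        case $p in '' | *[!0-9]*) exit 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || exit 1
    done
}

# Print one FAIL line per problem; return 1 if any were found.
csf_audit() {
    conf=$1 rc=0
    for pair in 'TESTING=0' 'RESTRICT_SYSLOG=3'; do
        key=${pair%%=*} want=${pair#*=}
        if got=$(csf_conf_get "$conf" "$key"); then
            [ "$got" = "$want" ] || { echo "FAIL $key is \"$got\", expected \"$want\""; rc=1; }
        else
            echo "FAIL $key missing or not written as KEY = \"value\""; rc=1
        fi
    done
    for key in TCP_IN TCP_OUT; do
        if got=$(csf_conf_get "$conf" "$key") && csf_ports_ok "$got"; then :; else
            echo "FAIL $key is not a quoted, comma-separated port list"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not from a real server): TESTING on, TCP_IN unquoted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
RESTRICT_SYSLOG = "3"
TCP_IN = 20,21,22,80,443"
TCP_OUT = "20,21,22,25,53,80,443"
EOF
csf_audit "$sample" || echo "fix csf.conf before running csf -ra"
rm -f "$sample"
```

On a server, call csf_audit /etc/csf/csf.conf after editing and before csf -ra.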

Allow or deny by IP address

Use the -d option to deny by IP, for example, 192.0.2.123.

# csf -d 192.0.2.123

Use the -a option to allow by IP, for example, 192.0.2.123.

# csf -a 192.0.2.123

Remove IP from the allow list.

# csf -ar 192.0.2.123

Remove IP from the deny list.

# csf -dr 192.0.2.123

Deny file

Block IPs by adding an entry to /etc/csf/csf.deny.

192.0.2.123     # deny this IP
192.0.2.0/24    # deny this network 

Allow file

Add trusted IPs to /etc/csf/csf.allow.

192.0.2.123     # trust this IP

Check all listening ports with the -p option.

# csf -p

More Information

For more information about VPS security, see the CSF website.