Install CSF (ConfigServer Security & Firewall) on Ubuntu 20.04 LTS

Introduction #

ConfigServer Security & Firewall (CSF) is a popular security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection (SPI) firewall, intrusion detection, a login failure daemon, DDoS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.

1. Prepare for CSF Installation #

Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.

# apt remove ufw

Install the CSF dependencies.

# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

CSF requires Sendmail to send alerts to the administrator.

# apt install sendmail-bin

2. Install CSF #

  1. Change to /usr/src
    # cd /usr/src
  2. Download the CSF distribution.
    # wget
  3. Extract CSF.
    # tar -xzf csf.tgz
  4. Change to /usr/src/csf
    # cd csf
  5. Run the install script.
    # sh
  6. Verify the required iptables modules for CSF are available.
    # perl /usr/local/csf/bin/

    Confirm that all tests report OK, and you see the following result.

    RESULT: csf should function on this server
  7. Verify CSF status after installation.
    # csf -v 

    You should see a result similar to:

    csf: v14.02 (generic)
    *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

3. Configure CSF #

  1. CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.
    # nano /etc/csf/csf.conf
  2. Locate the line TESTING = "1", and change the value to "0".
    TESTING = "0"
  3. Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
  4. Save the configuration file.
  5. Stop and reload CSF with the -ra option.
    # csf -ra

Common CSF Commands & Configuration #

Start CSF #

# csf -s 

Stop CSF #

# csf -f 

Restart CSF #

You must restart CSF each time the configuration file changes.

# csf -ra 

Allow IP traffic by port #

  1. Edit /etc/csf/csf.conf
    # nano /etc/csf/csf.conf
  2. Locate the following lines and add the required ports.
    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087"
  3. Restart CSF for the changes to take effect.
    # csf -ra
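
The following check is an added example, not part of the original tutorial or the CSF project. It reads a csf.conf and reports whether TESTING and RESTRICT_SYSLOG hold the values set in section 3, and which TCP_IN ports fall outside a list you expect. The function names, the sample configuration, and the expected-port list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CSF project): audit csf.conf for the settings
# this tutorial changes. The expected-port list is an assumption you supply.

# Print the value of KEY ($1) from a csf.conf-style file ($2): KEY = "value"
csf_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# $1 = path to csf.conf, $2 = comma-separated inbound TCP ports you expect.
# Prints one finding per line and returns 1 if anything was reported.
csf_audit() {
    conf=$1; expected=$2; rc=0
    testing=$(csf_conf_get TESTING "$conf")
    [ "$testing" = "0" ] || { echo "FAIL TESTING=$testing, expected 0"; rc=1; }
    syslog=$(csf_conf_get RESTRICT_SYSLOG "$conf")
    [ "$syslog" = "3" ] || { echo "FAIL RESTRICT_SYSLOG=$syslog, expected 3"; rc=1; }
    # Compare each TCP_IN entry (as a string) against the expected list.
    for port in $(csf_conf_get TCP_IN "$conf" | tr ',' ' '); do
        case ",$expected," in
            *",$port,"*) ;;
            *) echo "WARN TCP_IN allows unexpected port $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a config that has not been edited yet.
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "0"
TCP_IN = "20,21,22,25,53,80,443"
TCP6_IN = "22,80,443"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
csf_audit "$sample" "22,80,443" || echo "audit found problems"
rm -f "$sample"
```

On a real server, call `csf_audit /etc/csf/csf.conf "<your ports>"` after editing and before running `csf -ra`.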

Allow or deny by IP address #

Use the -d option to deny by IP, for example,

# csf -d

Use the -a option to allow by IP, for example,

# csf -a

Remove IP from the allow list.

# csf -ar

Remove IP from the deny list.

# csf -dr

Deny file #

Block IPs by adding an entry to /etc/csf/csf.deny.

    # deny this IP
    # deny this network

Allow file #

Add trusted IPs to /etc/csf/csf.allow.

    # trust this IP

Check all listening ports with the -p option.

# csf -p

More Information #

For more information, see the CSF website.

