ConfigServer Security & Firewall (CSF) is a popular security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection (SPI) firewall, intrusion detection, a login failure daemon, DDoS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.
Ubuntu 20.04 comes with the UFW firewall by default, which must be removed before installing CSF.
# apt remove ufw
Install the CSF dependencies.
# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
CSF requires Sendmail to send alerts to the administrator.
# apt install sendmail-bin
Download and install CSF.
# cd /usr/src
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
Verify that the required iptables modules are available.
# perl /usr/local/csf/bin/csftest.pl
Confirm that all tests report OK, and you see the following result.
RESULT: csf should function on this server
Check the installed version.
# csf -v
You should see a result similar to:
csf: v14.02 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Edit the configuration file, disable testing mode, and set RESTRICT_SYSLOG as shown.
# nano /etc/csf/csf.conf
TESTING = "0"
RESTRICT_SYSLOG = "3"
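Restart CSF and the login failure daemon (lfd).
# csf -ra
Start the firewall rules.
# csf -s
Flush (stop) the firewall rules.
# csf -f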
You must restart CSF each time the configuration file changes.
# csf -ra
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087"
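A pre-restart check for the settings above, as an added example that is not part of the original tutorial or of CSF itself. The function names (csf_get, port_listed, csf_audit) are hypothetical, and SSH is assumed to listen on port 22 unless another port is passed; a value that lacks plain ASCII double quotes (for example, one pasted with a curly quote) is treated as unset.

```shell
#!/bin/sh
# Added example: sanity-check a csf.conf-style file before running "csf -ra".

# Print the value of KEY ($1) from config file $2 (format: KEY = "value").
# Only values wrapped in plain ASCII double quotes are recognized.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Return 0 if port $1 appears in the comma-separated list $2.
# Port ranges written as low:high are also matched.
port_listed() {
    old_ifs=$IFS; IFS=,
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            "$1") IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Audit config file $1 (SSH port $2, default 22 is an assumption).
# Prints each finding and returns the number of problems found.
csf_audit() {
    conf=$1; ssh_port=${2:-22}; problems=0
    if [ "$(csf_get TESTING "$conf")" != "0" ]; then
        echo "FAIL: TESTING is not \"0\" (firewall is still in testing mode)"
        problems=$((problems + 1))
    fi
    if [ "$(csf_get RESTRICT_SYSLOG "$conf")" != "3" ]; then
        echo "FAIL: RESTRICT_SYSLOG is not \"3\""
        problems=$((problems + 1))
    fi
    if ! port_listed "$ssh_port" "$(csf_get TCP_IN "$conf")"; then
        echo "FAIL: SSH port $ssh_port not found in TCP_IN (lockout risk)"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

After sourcing the functions, csf_audit /etc/csf/csf.conf && csf -ra restarts CSF only when all three checks pass.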
Use the -d option to deny by IP, for example, 192.0.2.123.
# csf -d 192.0.2.123
Use the -a option to allow by IP, for example, 192.0.2.123.
# csf -a 192.0.2.123
Remove an IP from the allow list.
# csf -ar 192.0.2.123
Remove an IP from the deny list.
# csf -dr 192.0.2.123
Block IPs by adding an entry to /etc/csf/csf.deny.
192.0.2.123 # deny this IP
192.0.2.0/24 # deny this network
Add trusted IPs to /etc/csf/csf.allow.
192.0.2.123 # trust this IP
Check all listening ports with the -p option.
# csf -p
For more information, see the CSF website.