Knowledgebase

Install CSF (ConfigServer Security & Firewall) on Ubuntu 20.04 LTS Print

  • 0

Introduction

ConfigServer Security & Firewall (CSF) is a popular VPS security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.

1. Deploy Ubuntu Server

2. Prepare for CSF Installation

Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.

# apt remove ufw

Install the CSF dependencies.

# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

CSF requires Sendmail to send alerts to the administrator.

# apt install sendmail-bin

3. Install CSF

  1. Change to /usr/src

     # cd /usr/src
  2. Download the CSF distribution.

     # wget https://download.configserver.com/csf.tgz
  3. Extract CSF.

     # tar -xzf csf.tgz
  4. Change to /usr/src/csf

     # cd csf
  5. Run the install script.

     # sh install.sh
  6. Verify the required iptables modules for CSF are available.

     # perl /usr/local/csf/bin/csftest.pl

    Confirm that all tests report OK, and you see the following result.

     RESULT: csf should function on this server
  7. Verify CSF status after installation.

     # csf -v 

    You should see a result similar to:

     csf: v14.02 (generic)
     *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

4. Configure CSF

  1. CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.

     # nano /etc/csf/csf.conf
  2. Locate the line TESTING = "1", and change the value to "0".

     TESTING = "0"
  3. Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.

     RESTRICT_SYSLOG = "3"
  4. Save the configuration file.

  5. Stop and reload CSF with the -ra option.

     # csf -ra

Common CSF Commands & Configuration

Start CSF

# csf -s 

Stop CSF

# csf -f 

Restart CSF

You must restart CSF each time the configuration file changes.

# csf -ra 

Allow IP traffic by port

  1. Edit /etc/csf/csf.conf

     # nano /etc/csf/csf.conf
  2. Locate the following lines and add the required ports.

     # Allow incoming TCP ports
     TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077”
    
     # Allow outgoing TCP ports
     TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”
  3. Restart CSF for the changes to take effect.

     # csf -ra

Allow or deny by IP address

Use the -d option to deny by IP, for example, 192.0.2.123.

# csf -d 192.0.2.123

Use the -a option to allow by IP, for example, 192.0.2.123.

# csf -a 192.0.2.123

Remove IP from the allow list.

# csf -ar 192.0.2.123

Remove IP from the deny list.

# csf -dr 192.0.2.123

Deny file

Block IPs by adding a entry to /etc/csf/csf.deny.

192.0.2.123     # deny this IP
192.0.2.0/24    # deny this network 

Allow file

Add trusted IPs to /etc/csf/csf.allow.

192.0.2.123     # trust this IP

Check all listening ports with the -p option.

# csf -p

More Information

For more information about VPS security, see the CSF website.

Introduction ConfigServer Security & Firewall (CSF) is a popular VPS security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04. 1. Deploy Ubuntu Server Deploy a new Ubuntu 20.04 Rcs VPS instance. Connect to the server via SSH as root. Follow our best practices guides to update the Ubuntu server. 2. Prepare for CSF Installation Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF. # apt remove ufw Install the CSF dependencies. # apt install perl zip unzip libwww-perl liblwp-protocol-https-perl CSF requires Sendmail to send alerts to the administrator. # apt install sendmail-bin 3. Install CSF Change to /usr/src # cd /usr/src Download the CSF distribution. # wget https://download.configserver.com/csf.tgz Extract CSF. # tar -xzf csf.tgz Change to /usr/src/csf # cd csf Run the install script. # sh install.sh Verify the required iptables modules for CSF are available. # perl /usr/local/csf/bin/csftest.pl Confirm that all tests report OK, and you see the following result. RESULT: csf should function on this server Verify CSF status after installation. # csf -v You should see a result similar to: csf: v14.02 (generic) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration 4. Configure CSF CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode. # nano /etc/csf/csf.conf Locate the line TESTING = "1", and change the value to "0". TESTING = "0" Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files. RESTRICT_SYSLOG = "3" Save the configuration file. Stop and reload CSF with the -ra option. # csf -ra Common CSF Commands & Configuration Start CSF # csf -s Stop CSF # csf -f Restart CSF You must restart CSF each time the configuration file changes. # csf -ra Allow IP traffic by port Edit /etc/csf/csf.conf # nano /etc/csf/csf.conf Locate the following lines and add the required ports. # Allow incoming TCP ports TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077” # Allow outgoing TCP ports TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087” Restart CSF for the changes to take effect. # csf -ra Allow or deny by IP address Use the -d option to deny by IP, for example, 192.0.2.123. # csf -d 192.0.2.123 Use the -a option to allow by IP, for example, 192.0.2.123. # csf -a 192.0.2.123 Remove IP from the allow list. # csf -ar 192.0.2.123 Remove IP from the deny list. # csf -dr 192.0.2.123 Deny file Block IPs by adding a entry to /etc/csf/csf.deny. 192.0.2.123 # deny this IP 192.0.2.0/24 # deny this network Allow file Add trusted IPs to /etc/csf/csf.allow. 192.0.2.123 # trust this IP Check all listening ports with the -p option. # csf -p More Information For more information about VPS security, see the CSF website.

Was this answer helpful?
Back

Powered by WHMCompleteSolution