Introduction
ConfigServer Security & Firewall (CSF) is a popular VPS security tool for Linux. It provides a simple interface for iptables to protect Linux servers. CSF comes with multiple features: a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration. This tutorial covers installation, basic configuration, and essential commands for CSF on Ubuntu 20.04.
1. Deploy Ubuntu Server
- Deploy a new Ubuntu 20.04 Rcs VPS instance.
- Connect to the server via SSH as root.
- Follow our best practices guides to update the Ubuntu server.
2. Prepare for CSF Installation
Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.
# apt remove ufw
Install the CSF dependencies.
# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
CSF requires Sendmail to send alerts to the administrator.
# apt install sendmail-bin
3. Install CSF
Change to /usr/src
# cd /usr/src
Download the CSF distribution.
# wget https://download.configserver.com/csf.tgz
Extract CSF.
# tar -xzf csf.tgz
Change to /usr/src/csf
# cd csf
Run the install script.
# sh install.sh
Verify the required iptables modules for CSF are available.
# perl /usr/local/csf/bin/csftest.pl
Confirm that all tests report OK, and you see the following result.
RESULT: csf should function on this server
Verify CSF status after installation.
# csf -v
You should see a result similar to:
csf: v14.02 (generic) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
4. Configure CSF
CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.
# nano /etc/csf/csf.conf
Locate the line TESTING = "1", and change the value to "0".
TESTING = "0"
Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
RESTRICT_SYSLOG = "3"
Save the configuration file.
Stop and reload CSF with the -ra option.
# csf -ra
Common CSF Commands & Configuration
Start CSF
# csf -s
Stop CSF
# csf -f
Restart CSF
You must restart CSF each time the configuration file changes.
# csf -ra
Allow IP traffic by port
Edit /etc/csf/csf.conf
# nano /etc/csf/csf.conf
Locate the following lines and add the required ports.
# Allow incoming TCP ports TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077” # Allow outgoing TCP ports TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”
Restart CSF for the changes to take effect.
# csf -ra
Allow or deny by IP address
Use the -d option to deny by IP, for example, 192.0.2.123.
# csf -d 192.0.2.123
Use the -a option to allow by IP, for example, 192.0.2.123.
# csf -a 192.0.2.123
Remove IP from the allow list.
# csf -ar 192.0.2.123
Remove IP from the deny list.
# csf -dr 192.0.2.123
Deny file
Block IPs by adding a entry to /etc/csf/csf.deny.
192.0.2.123 # deny this IP
192.0.2.0/24 # deny this network
Allow file
Add trusted IPs to /etc/csf/csf.allow.
192.0.2.123 # trust this IP
Check all listening ports with the -p option.
# csf -p
More Information
For more information about VPS security, see the CSF website.