This brief tutorial shows students and new users how to install ConfigServer Security & Firwall (CSF) on Ubuntu 20.04 | 18.04.
CSF a free, open source Stateful Packet Inspection (SPI) firewall software based on iptables that provides high level of security for Linux servers. It also provides login and intrusion detection that can help protect Linux systems from threats and other attacks.
If you’re looking for an easy way to manage iptables firewall on Linux including via a intuitive web interface, then CSF should be a great place to start.
For more about CFS, please visit its web page.
To get started with installing CSF on Ubuntu, follow the steps below:
Install CSF on Ubuntu
Be default CSF packages are not available in Ubuntu repositories. To install, you’ll have to download it and run its install scripts.
To do that run the commands below:
sudo apt update wget http://download.configserver.com/csf.tgz
Once downloaded, run the commands below to extract the downloaded file and install.
tar -xvzf csf.tgz cd csf sudo bash install.sh
After installing, you’ll get a success message.
To validate CSF is installed and functioning, run the commands below:
sudo perl /usr/local/csf/bin/csftest.pl
That will output similar lines as shown below:
Testing ip_tables/iptable_filter.OK Testing ipt_LOG.OK Testing ipt_multiport/xt_multiport.OK Testing ipt_REJECT.OK Testing ipt_state/xt_state.OK Testing ipt_limit/xt_limit.OK Testing ipt_recent.OK Testing xt_connlimit.OK Testing ipt_owner/xt_owner.OK Testing iptable_nat/ipt_REDIRECT.OK Testing iptable_nat/ipt_DNAT.OK RESULT: csf should function on this server
CSF comes with multiple configuration files, all which are stored in the /etc/cfs directory.
Following file are the main configuration files of CSF and their details:
- /etc/csf/csf.conf : The main configuration file.
- /etc/csf/csf.allow : The list of allowed IP’s and CIDR addresses on the firewall.
- /etc/csf/csf.deny : The list of denied IP’s and CIDR addresses on the firewall.
- /etc/csf/csf.ignore : The list of ignored IP’s and CIDR addresses on the firewall.
The first thing to do after installing CSF on a production is to disable its testing mode. By default, CSF is installed with testing mode enabled.
Open its main configuration file and edit the highlighted line shown below:
sudo nano /etc/csf/csf.conf
Then edit the line below and change its value to 0.
There are many more settings that you can turn on and enable in the configuration file. You can restrict and monitor services like SSH, FTP and SMTP and others.
# # lfd will not start while this is enabled TESTING = "0"
After that save your changes and reload CSF using the commands below:
sudo csf -r sudo service lfd restart
To see a lists of default firewall rules, run the commands below:
sudo csf -l
That should load the default rules in the tables.
ptables filter table ===================== Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 9072 21M LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0 2 3024 2709K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 8786 21M INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0
To add allow IP through the firewall, simply run the commands below:
sudo csf -a 192.168.1.1
To deny IP address, run the commands below:
sudo csf -d 192.168.1.1
To remove blocked IP, run the commands below:
sudo csf -dr 192.168.1.1
To remove IP from allowed list, run the commands below:
sudo csf -ar 192.168.1.1
To flush and restart CSF, run the commands below:
sudo csf -f sudo csf -r
To disable CFS, run the commands below:
sudo csf -x
To enable, run the commands below:
sudo cfs -e
Access Web Interface
CSF Web comes with a web interface based on perl. This allows you to manage CSF easily from any web browser. To install, run the commands below:
sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
After installing, open CSF configuration file and edit the web UI login, password and port.
sudo nano /etc/csf/csf.conf
Then change the highlighted lines
This options restricts the ability to modify settings within this file from the csf UI. Should the parent control panel be compromised, these restricted options could be used to further compromise the server. For this reason we recommend leaving this option set to at least "1" and if any of the restricted items need to be changed, they are done so from the root shell # 0 = Unrestricted UI 1 = Restricted UI 2 = Disabled UI RESTRICT_UI = "1" # # 1 to enable, 0 to disable UI = "1" # Set this to the port that want to bind this service to. You should configure # this port to be >1023 and different from any other port already being used # # Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's # to the port using Advanced Allow Filters (see readme.txt) UI_PORT = "8080" # Optionally set the IP address to bind to. Normally this should be left blank # to bind to all IP addresses on the server. # # If the server is configured for IPv6 but the IP to bind to is IPv4, then the # IP address MUST use the IPv6 representation. For example 126.96.36.199 must use # ::ffff:188.8.131.52 # # Leave blank to bind to all IP addresses on the server UI_IP = "" # This should be a secure, hard to guess username # # This must be changed from the default UI_USER = "admin" # This should be a secure, hard to guess password. That is, at least 8 # characters long with a mixture of upper and lowercase characters plus # numbers and non-alphanumeric characters # # This must be changed from the default UI_PASS = "strong_password_here" # This is the login session timeout. If there is no activity for a logged in # session within this number of seconds, the session will timeout and a new
Save the file and exit.
Next, add the IPs that are allowed to login via the web interface.
sudo nano /etc/csf/ui/ui.allow
sudo service lfd restart
Now go to the server IP address followed by port 8080 and login with the account defined in the configuration file.
This post showed you how to install CSF on Ubuntu 20.04 | 18.04. If you find any error above, please use the form below to report.