How to Install and Configure CSF Firewall on Ubuntu Linux

Last updated at Fri, 08 Dec 2017 20:17:19 GMT

Synopsis

CSF also known as Config Server Firewall is a free and open source advance firewall application suite base on iptables that provides additional security to your server. CSF comes with additional security features, such as ssh, su login detection and also recognizes a lot of different types of attack like SYN flood, port scan, DOS and brute force. CSF supports most of common used operating systems like CentOS, openSUSE, RedHat, CloudLinux, Fedora, Slackware, Ubuntu and Debian. You can easily integrate CSF with cPanel, DirectAdmin, and Webmin user interface.

CSF Provides lots of features, some of them are listed below:

• Check and notify login authentication failures for ssh, su, pop3/imap, smtp, ftp, cPanel, password protected web pages.
• Notify potential exploits running on the server.
• Monitor suspicious file and directory, notify if directory or a file changes.
• Protect against SYN Flood and Ping of death.
• Suspicious process reporting and notify if potential exploits running on the server.
• Port Scan tracking and blocking.
• Notify if server load average remains high for a specified length of time.
• Provides system statistics via graphs, e.g. Load Averages, CPU Usage, Memory Usage, etc.
• Download list of blocked IP addresses automatically from sources defined by you.

In this tutorial, we will learn how to install and configure CSF on Ubuntu 16.04 server.

System Requirements

• Newly deployed Ubuntu 16.04 server.
• A static IP address is configured on your server.

Update the System

First, it is recommended to update your system with the latest stable version.
You can update system by running the following command:

apt-get update -y

apt-get upgrade -y

After updating system, restart your system and log in with root user.

Install CSF

By default, Ubuntu 16.04 comes with UFW firewall, so you will need to disable it first.
You can disable UFW with the following command:

ufw disable

CSF is currently not available in Ubuntu repositories, so you will need to download it from the ConfigServer’s website.

You can easily download it with the wget command as shown below:

wget http://download.configserver.com/csf.tgz

Once the download is complete, unpack the downloaded file with the following command:

tar -xvzf csf.tgz

Now, change the directory to CSF and run the following script to install CSF:

cd csf

bash install.sh

If everything is fine, you should see the following output:

 'csf/LICENSE.txt' -> 'webmin/csf/images/LICENSE.txt' 
 'csf/bootstrap/js/bootstrap.min.js' -> 'webmin/csf/images/bootstrap/js/bootstrap.min.js' 
 'csf/bootstrap/css/bootstrap.min.css.map' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css.map' 
 'csf/bootstrap/css/bootstrap.min.css' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css' 
 'csf/bootstrap/fonts/glyphicons-halflings-regular.eot' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.eot' 
 'csf/bootstrap/fonts/glyphicons-halflings-regular.woff2' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff2' 
 'csf/bootstrap/fonts/glyphicons-halflings-regular.svg' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.svg' 
 'csf/bootstrap/fonts/glyphicons-halflings-regular.ttf' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.ttf' 
 'csf/bootstrap/fonts/glyphicons-halflings-regular.woff' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff' 
 'csf/configserver.css' -> 'webmin/csf/images/configserver.css' 
 'csf/csf-loader.gif' -> 'webmin/csf/images/csf-loader.gif' 
 'csf/csf.svg' -> 'webmin/csf/images/csf.svg' 
 'csf/csf_small.png' -> 'webmin/csf/images/csf_small.png' 
 'csf/jquery.min.js' -> 'webmin/csf/images/jquery.min.js' 
 'csf/loader.gif' -> 'webmin/csf/images/loader.gif' 
 '/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
 
 Installation Completed

Once csf is installed, you will need to verify whether all of the required firewall modules are available or not.

You can verify it with the following command:

perl /usr/local/csf/bin/csftest.pl

If everything is fine, you should see the following output:

 Testing ip_tables/iptable_filter...OK 
 Testing ipt_LOG...OK 
 Testing ipt_multiport/xt_multiport...OK 
 Testing ipt_REJECT...OK 
 Testing ipt_state/xt_state...OK 
 Testing ipt_limit/xt_limit...OK 
 Testing ipt_recent...OK 
 Testing xt_connlimit...OK 
 Testing ipt_owner/xt_owner...OK 
 Testing iptable_nat/ipt_REDIRECT...OK 
 Testing iptable_nat/ipt_DNAT...OK
 
 RESULT: csf should function on this server

Configure CSF

The default CSF configuration file csf.conf is located inside /etc/csf directory.

Let’s start by configuring the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in csf.conf file:

nano /etc/csf/csf.conf

Make the following changes as per your requirements:

 #Enable CSF TESTING = "0"
 
 # Allow incoming TCP ports 
 TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
 
 # Allow outgoing TCP ports
 
 TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
 
 # Allow incoming UDP ports 
 UDP_IN = "20,21,53"
 
 # Allow outgoing UDP ports 
 # To allow outgoing traceroute add 33434:33523 to this list 
 UDP_OUT = "20,21,53,113,123"
 
 # Allow incoming PING 
 ICMP_IN = "1"
 
 # Set the per IP address incoming ICMP packet rate 
 # To disable rate limiting set to "0" 
 ICMP_IN_RATE = "1/s"
 
 # Allow outgoing PING 
 ICMP_OUT = "1"

Save and close the file, then reload CSF firewall with the following command:

csf -r

You can see the list of default rules of CSF with the following command:

csf -l

To start the CSF firewall, run the following command:

csf -s

To stop the CSF firewall, run the following command:

csf -f

Allow and Block IP Addresses

You can easily allowing and denying IP addresses by editing csf.allow and csf.deny file.

If you want to allow specific IP address or range of IP address, edit the csf.allow file and add the IP address which you want to allow:

nano /etc/csf/csf.allow

Add the following lines:

 192.168.15.12 
 193.192.168.0.0/24

If you don’t want to edit csf.allow file, then you can also allow the IP address by running the following command:

csf -a 192.168.15.12

You should see the following output:

 Adding 192.168.15.12 to csf.allow and iptables ACCEPT... 
 ACCEPT all opt -- in !lo out * 192.168.15.12 -> 0.0.0.0/0 
 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.15.12

If you want to block specific IP address range, run the following command:

csf -d 192.168.15.0/24

You should see the following output:

 Adding 192.168.15.0/24 to csf.deny and iptables DROP... 
 DROP all opt -- in !lo out * 192.168.15.0/24 -> 0.0.0.0/0 
 LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.15.0/24

If you want to delete IP from csf.allow and csf.deny file, just run the following command:

csf -ar 192.168.15.12 
csf -dr 192.168.15.0/24

It is necessary to restart CSF after editing any CSF file.

CSF Advance Configuration

You can also secure your server from DDOS attacks. You can do this by editing csf.conf file:

nano /etc/csf/csf.conf

Update the following lines:

 #Total number of connections allowed from the single host. All IPs with more than 50 connections will be blocked. 
 CT_LIMIT = "50"
 
 #Block IPs permanent 
 CT_PERMANENT = 1
 
 #Block IPs for 600 seconds
 
 CT_BLOCK_TIME = 600
 
 #To set the connection limits for multiple ports. The maximum concurrent connections to port 80 and 22 from single IP is 15.
 
 CONNLIMIT = "80;15,22;15"
 
 #The number of connections to port 80 exceeds 30 in five seconds, all the new connections will be blocked.
 
 PORTFLOOD = "80;tcp;30;5"

Save and close the file, then reload CSF firewall to make this changes:

csf -r

That’s it. You have successfully installed CSF firewall on Ubuntu 16.04 server.

References

• CSF Firewall