In this article, we show how to install ConfigServer Security & Firewall on Ubuntu 18.04 and 20.04.
ConfigServer Security & Firewall (CSF) is a popular, open source Stateful Packet Inspection (SPI) security tool for Linux. It uses iptables to provide a high level of security for Linux servers.
CSF comes with multiple features such as a Stateful Packet Inspection (SPI) firewall, intrusion and login failure detection, control panel integration and many more. It also provides an intuitive web interface to manage iptables and protect Linux servers from threats and attacks.
For more detail about ConfigServer Security & Firewall (CSF), please visit its official website.
Install ConfigServer Security & Firewall on Ubuntu
Follow the steps below to install ConfigServer Security & Firewall on your Ubuntu system:
Step 1 : Install CSF
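By default, the CSF packages are not included in the standard Ubuntu repository, so you need to download the CSF distribution by running the commands below. The download URL uses plain HTTP, which does not protect the archive against modification in transit, so review install.sh before running it as root.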
sudo apt update
wget http://download.configserver.com/csf.tgz
Now extract the downloaded file and run its install script. To do that, run the commands below:
tar -xvzf csf.tgz
cd csf
sudo bash install.sh
Next, run the command below to verify that CSF is installed and that the required iptables modules are available:
sudo perl /usr/local/csf/bin/csftest.pl
The above command shows output similar to the following:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Step 2 : CSF Configuration
CSF installs several configuration files, all located in the /etc/csf directory:
- /etc/csf/csf.conf : The main configuration file for managing and controlling CSF.
- /etc/csf/csf.allow : List of allowed IP addresses and CIDR ranges on the firewall.
- /etc/csf/csf.deny : List of denied IP addresses and CIDR ranges on the firewall.
- /etc/csf/csf.ignore : List of IP addresses and CIDR ranges that lfd ignores and will not block.
By default, CSF is installed and runs with testing mode enabled, so you first need to disable testing mode.
To do that, open the main configuration file with the command below:
sudo nano /etc/csf/csf.conf
After opening the file, find the line TESTING = "1" and change its value to "0" as shown below:
TESTING = "0"
Save the configuration file and reload CSF by running the commands below:
sudo csf -r
sudo service lfd restart
Basic CSF Commands & Configuration
Run the command below to start CSF:
sudo csf -s
To stop and restart CSF, run the commands below:
sudo csf -f
sudo csf -r
To disable CSF, run the command below:
sudo csf -x
Run the command below to enable CSF:
sudo csf -e
To display the default firewall rules, run the command below:
sudo csf -l
To allow an IP address, use the -a option as shown below:
sudo csf -a 157.38.95.51
Use the -d option to deny an IP address:
sudo csf -d 157.38.95.51
Run the command below to remove a blocked IP from the deny list:
sudo csf -dr 157.38.95.51
Run the command below to remove an IP from the allow list:
sudo csf -ar 157.38.95.51
Deny IPs by adding them to the /etc/csf/csf.deny file as shown below:
157.38.95.51 # deny this IP
157.38.95.0/24 # deny this network
Add trusted IPs by adding them to /etc/csf/csf.allow file as shown below:
157.38.95.51 # trust this IP
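Entries in csf.deny and csf.allow are plain text, so a mistyped address or an out-of-range prefix length is easy to miss. The script below is an added example (not part of the original article or of CSF) that checks simple IPv4 entries; the function names are hypothetical, and advanced filter lines, Include lines and IPv6 entries are skipped rather than validated.

```shell
#!/usr/bin/env bash
# Added example: lint simple IPv4 entries in a csf.allow / csf.deny style file.
# Function names are hypothetical; they are not part of CSF.

# Succeed if $1 is a dotted-quad IPv4 address, optionally followed by /0../32.
valid_ipv4_entry() {
    local entry="$1" addr prefix octet IFS='.'
    addr=${entry%%/*}
    case "$entry" in
        */*) prefix=${entry#*/}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $addr                      # split on '.', addr holds digits and dots only
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print "line N: invalid entry '...'" for each bad entry in file $1; non-zero if any.
lint_csf_list() {
    local file="$1" line entry lineno=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}                                  # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # drop surrounding blanks
        case "$entry" in
            '') continue ;;                  # blank or comment-only line
            *'|'*|Include*|*:*) continue ;;  # advanced filter, Include, IPv6: skipped
        esac
        if ! valid_ipv4_entry "$entry"; then
            echo "line $lineno: invalid entry '$entry'"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}
```

Run it as `lint_csf_list /etc/csf/csf.deny` before reloading the firewall with `sudo csf -r`.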
Run the command below to check all listening ports using the -p option:
sudo csf -p
Access the CSF Web Interface
CSF also provides an intuitive Perl-based web interface to manage iptables and protect Linux servers.
To install the required Perl modules, run the command below:
sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
Next, open the CSF configuration file and edit the login, password and port:
sudo nano /etc/csf/csf.conf
After opening the file, change the lines shown below:
# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"
#
# 1 to enable, 0 to disable
UI = "1"
# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"
# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = ""
# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "admin"
# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "your_password_here"
# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new
Save the configuration file and exit.
Next, add the IP addresses that are allowed to log in via the web interface:
sudo nano /etc/csf/ui/ui.allow
Run the command below to restart lfd:
sudo service lfd restart
Now, open your web browser and go to the server IP address followed by port 8080:
http://your_server_IP:8080
After accessing the web interface, log in with the account created in the above configuration file.
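The settings edited in this tutorial can be checked with a short script before the web interface is exposed. The following is an added example, not part of the original article or of CSF; the function names are hypothetical, and the lists of easily guessed usernames and placeholder passwords are assumptions based on the values shown above.

```shell
#!/usr/bin/env bash
# Added example (not part of CSF): audit the csf.conf settings edited above.
# Function names and the weak-value lists are assumptions made for this example.

# Print the value of KEY ($2) from a line of the form  KEY = "value"  in file $1.
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $1 is covered by comma-separated list $2 (items may be lo:hi).
port_in_list() {
    local port="$1" item lo hi IFS=','
    for item in $2; do
        lo=${item%%:*}; hi=${item##*:}
        case "$lo,$hi" in ,*|*,|*[!0-9,]*) continue ;; esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Print one FINDING line per problem; return non-zero if there is any.
audit_csf_conf() {
    local conf="$1" n=0 port user pass
    note() { echo "FINDING: $*"; n=$((n + 1)); }
    if [ "$(csf_get "$conf" TESTING)" != "0" ]; then
        note 'TESTING is not "0": lfd does not start and the rules are flushed on a timer'
    fi
    if [ "$(csf_get "$conf" UI)" = "1" ]; then
        port=$(csf_get "$conf" UI_PORT); user=$(csf_get "$conf" UI_USER)
        pass=$(csf_get "$conf" UI_PASS)
        if [ "$(csf_get "$conf" RESTRICT_UI)" = "0" ]; then
            note 'RESTRICT_UI is "0": the web UI can change every setting'
        fi
        case "$port" in
            ''|*[!0-9]*) note "UI_PORT \"$port\" is not a number" ;;
            *)  if [ "$port" -le 1023 ]; then note "UI_PORT $port is not above 1023"; fi
                if port_in_list "$port" "$(csf_get "$conf" TCP_IN)"; then
                    note "UI_PORT $port is open to everyone through TCP_IN"
                fi ;;
        esac
        case "$user" in
            ''|admin|username|root) note "UI_USER \"$user\" is easy to guess" ;;
        esac
        if [ "${#pass}" -lt 8 ] || [ "$pass" = "your_password_here" ]; then
            note 'UI_PASS is a placeholder or shorter than 8 characters'
        fi
    fi
    [ "$n" -eq 0 ]
}
```

Run it as `sudo bash -c '. ./audit.sh; audit_csf_conf /etc/csf/csf.conf'` (the file name audit.sh is an assumption); root is needed only to read the configuration file.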
That’s all.