Install ConfigServer Security & Firewall (CSF) on Ubuntu

How to Install ConfigServer Security & Firewall on Ubuntu 18.04 | 20.04

In this article, we show how to install ConfigServer Security & Firewall on Ubuntu 18.04 | 20.04.

ConfigServer Security & Firewall (CSF) is a popular, open source Stateful Packet Inspection (SPI) security tool for Linux. It uses iptables to provide a high level of security for Linux servers.

CSF comes with multiple features such as a Stateful Packet Inspection (SPI) firewall, intrusion and login failure detection, control panel integration and many more. It also provides an intuitive web interface for managing iptables to protect Linux servers from threats and attacks.

For more detail about ConfigServer Security & Firewall (CSF), please visit its official website.


Install ConfigServer Security & Firewall on Ubuntu

Follow the steps below to install ConfigServer Security & Firewall on your Ubuntu system:

Step 1 : Install CSF

By default, the CSF packages are not included in the standard Ubuntu repository, so you will need to download the CSF distribution by running the commands below:

sudo apt update
wget https://download.configserver.com/csf.tgz

Now extract the downloaded file and run its install script with the commands below:

tar -xvzf csf.tgz
cd csf
sudo bash install.sh

Next, run the command below to verify that CSF is installed and that the required iptables modules are available:

sudo perl /usr/local/csf/bin/csftest.pl

The above command will show output similar to the following:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 2 : CSF Configuration

CSF comes with multiple configuration files, all located in the /etc/csf directory:

  • /etc/csf/csf.conf : The main configuration file for managing and controlling CSF.
  • /etc/csf/csf.allow : List of allowed IPs and CIDR addresses on the firewall.
  • /etc/csf/csf.deny : List of denied IPs and CIDR addresses on the firewall.
  • /etc/csf/csf.ignore : List of ignored IPs, files, users and CIDR addresses on the firewall.

By default, CSF is installed and runs with testing mode enabled, so you first need to disable testing mode.

To do that, open the main configuration file with the command below:

sudo nano /etc/csf/csf.conf

After opening the file, find the line TESTING = "1" and change its value to "0" as shown below:

TESTING = "0"

Save the configuration file and reload CSF by running the commands below:

sudo csf -r
sudo service lfd restart

Basic CSF Commands & Configuration

Run the commands below to start CSF:

sudo csf -s

To stop and restart CSF, run the commands below:

sudo csf -f
sudo csf -r

To disable CSF, run the command below:

sudo csf -x

Run the command below to enable CSF:

sudo csf -e

To display default firewall rules, run the command below:

sudo csf -l

To allow an IP address, use the -a option as shown below:

sudo csf -a 157.38.95.51

Use the -d option to deny an IP address:

sudo csf -d 157.38.95.51

Run the command below to remove a blocked IP from the deny list:

sudo csf -dr 157.38.95.51

Run the command below to remove an IP from the allow list:

sudo csf -ar 157.38.95.51

Deny IPs by adding them to the /etc/csf/csf.deny file as shown below:

157.38.95.51     # deny this IP
157.38.95.0/24   # deny this network

Add trusted IPs by adding them to /etc/csf/csf.allow file as shown below:

157.38.95.51     # trust this IP
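
The following is an added example, not part of the original tutorial or of CSF: a small linter that checks each plain IPv4 entry in a csf.allow or csf.deny style file for octets in 0-255 and a prefix length in 0-32. The function names and the sample list are constructed for illustration, and skipping IPv6, advanced filter and Include lines is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not part of CSF): lint plain IPv4 entries in csf.allow / csf.deny.

# valid_ipv4_entry ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/prefix with sane ranges
valid_ipv4_entry() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lint_list FILE -> "line N: invalid entry: X" for each bad plain-IPv4 line.
# Assumption: lines containing ':' or '|' (IPv6, advanced filters) and Include
# lines are outside this check and are skipped.
lint_list() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}             # drop a trailing "# comment"
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case $entry in ''|*:*|*'|'*|Include*) continue ;; esac
        valid_ipv4_entry "$entry" || echo "line $n: invalid entry: $entry"
    done < "$1"
}

# Constructed sample list (addresses reuse the tutorial's example range).
sample=$(mktemp)
cat > "$sample" <<'EOF'
157.38.95.51     # deny this IP
157.38.95.0/24   # deny this network
157.38.95.0/51   # prefix length out of range
157.38.95.351    # octet out of range
EOF
lint_list "$sample"
rm -f "$sample"
```

On a server, run lint_list /etc/csf/csf.deny and lint_list /etc/csf/csf.allow before reloading the firewall with sudo csf -r.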

Run the command below to check all listening ports using the -p option:

sudo csf -p

Access the CSF Web Interface

CSF also provides an intuitive, Perl-based web interface for managing iptables to protect Linux servers.

To install the Perl modules it needs, run the command below:

sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl

Next, open the CSF configuration file and edit the login, password and port:

sudo nano /etc/csf/csf.conf

After opening the file, change the settings shown below:

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

#
# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = ""

# This should be a secure, hard to guess username
# 
# This must be changed from the default
UI_USER = "admin"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus 
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "your_password_here"

# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new

Save the configuration file and exit.

Next, add the IP addresses that are allowed to log in via the web interface:

sudo nano /etc/csf/ui/ui.allow

Run the command below to restart lfd:

sudo service lfd restart

Now open your web browser and go to the server IP address followed by port 8080:

http://your_server_IP:8080

After accessing the web interface, log in with the account created in the above configuration file.
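
The following is an added example, not part of the original tutorial or of CSF: a script that audits the csf.conf keys edited in Step 2 and in the web interface section against the rules stated in the configuration comments above (TESTING disabled, RESTRICT_UI at least "1", UI_PORT above 1023 and not listed in TCP_IN, UI_USER and UI_PASS changed and hard to guess). The function names, the list of guessable usernames and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of CSF): audit the csf.conf keys this tutorial edits.
# conf_get FILE KEY -> value of the last KEY = "value" line in FILE
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# port_listed PORT LIST -> 0 if PORT is in a comma list such as 22,80,30000:35000
port_listed() {
    old_ifs=$IFS; IFS=,
    for item in $2; do
        lo=${item%%:*}; hi=${item##*:}
        if [ "$1" -ge "$lo" ] 2>/dev/null && [ "$1" -le "$hi" ] 2>/dev/null; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# audit_csf_conf FILE -> one "FINDING: ..." line per problem, no output if clean
audit_csf_conf() {
    f=$1
    [ "$(conf_get "$f" TESTING)" = "0" ] || echo 'FINDING: TESTING is not "0"'
    [ "$(conf_get "$f" UI)" = "1" ] || return 0    # the rest applies to the UI only
    [ "$(conf_get "$f" RESTRICT_UI)" != "0" ] || echo "FINDING: RESTRICT_UI is 0 (unrestricted UI)"
    port=$(conf_get "$f" UI_PORT)
    case $port in
        ''|*[!0-9]*) echo "FINDING: UI_PORT is not a number" ;;
        *)  [ "$port" -gt 1023 ] || echo "FINDING: UI_PORT $port is not above 1023"
            if port_listed "$port" "$(conf_get "$f" TCP_IN)"; then
                echo "FINDING: UI_PORT $port is open to all sources via TCP_IN"
            fi ;;
    esac
    # Assumption: a short constructed list of guessable names, not CSF's own rule.
    case $(conf_get "$f" UI_USER) in
        ''|admin|root|username) echo "FINDING: UI_USER is empty or easy to guess" ;;
    esac
    pass=$(conf_get "$f" UI_PASS)
    if [ "${#pass}" -lt 8 ] || [ "$pass" = "your_password_here" ]; then
        echo "FINDING: UI_PASS is the placeholder or shorter than 8 characters"
    fi
    return 0
}

# Constructed sample: the tutorial's UI values plus a TCP_IN that lists the UI port.
sample=$(mktemp)
printf '%s\n' 'TESTING = "0"' 'TCP_IN = "22,80,443,8080"' 'RESTRICT_UI = "1"' \
    'UI = "1"' 'UI_PORT = "8080"' 'UI_USER = "admin"' 'UI_PASS = "your_password_here"' > "$sample"
audit_csf_conf "$sample"; rm -f "$sample"
```

On a server, call audit_csf_conf /etc/csf/csf.conf as root after editing the file and before restarting lfd.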


That’s all.
