Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux-based VPS. In addition to the basic function of a firewall, filtering packets, CSF includes other security features, such as login, intrusion, and flood detection. CSF includes UI integration for cPanel, DirectAdmin, and Webmin, but this tutorial only covers command-line usage. CSF can recognize many attacks, such as port scans, SYN floods, and login brute-force attacks on many services. It is configured to temporarily block clients that are detected attacking the cloud server.
In this guide, we will walk you through the installation and configuration of the ConfigServer Security & Firewall (CSF) on Debian 11 Server.
Install CSF Firewall on Debian 11
Before installing ConfigServer Firewall, you should update your system. Run the command below to update your system.
$ sudo apt update -y
Once the update is complete, run the following commands to install the required dependencies.
$ sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip -y
With that out of the way, you can now proceed to the next step.
Since CSF is not included in the default Debian and Ubuntu repositories, you need to manually install it. To proceed, download the CSF tarball file which contains all the installation files using the following wget command.
$ wget http://download.configserver.com/csf.tgz
Now run the command below to extract the downloaded file.
$ tar -xvzf csf.tgz
Once you have extracted the file, install CSF using the following command.
$ cd csf && sh install.sh
Once the installation is complete, start the CSF firewall by running the following command.
$ sudo systemctl start csf
Run the command below to make sure everything is fine.
$ perl /usr/local/csf/bin/csftest.pl
You will get an output as shown below. This output confirms that the iptables modules CSF relies on are available and that CSF should function on this server.
root@debian:~/csf# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
To enable CSF firewall to start on boot, run the following command.
$ systemctl enable csf
You can check the status of CSF using the command below.
$ systemctl status csf
This output confirms that CSF is up and running. Now let’s configure this firewall.
Configuring CSF Firewall on Debian 11
Once CSF is installed, its default rules are active. They come from a configuration file.
You should review this configuration file to make sure that it is configured as per your needs. In this file, you can see all the default rules that are active on your system. Let’s take a closer look at some of them.
The fewer open ports there are, the more secure the system is. But you should always have some common ports open. You can see all the ports which are open by default, in the csf.conf file as shown below.
Now let’s configure the CONNLIMIT settings. CONNLIMIT is a security feature in CSF that allows you to limit the number of concurrent connections a remote IP address can have on a specific port. This helps in mitigating the risk of DoS/DDoS attacks.
For example, if you want to limit any IP to no more than 3 concurrent connections, then you should update it as shown below. This setting would allow only 3 concurrent connections on port 22 and 3 concurrent connections on port 443.
Next, let’s configure the PORTFLOOD settings. This option allows us to configure the maximum number of connection requests allowed on a port within a certain time frame.
For example, if you want to block any IP that establishes more than 3 connections on port 443 using the TCP protocol within 60 seconds, you should update it as shown below. The block is removed automatically once 60 seconds have passed since the last connection.
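The two examples above correspond to `CONNLIMIT = "22;3,443;3"` and `PORTFLOOD = "443;tcp;3;60"` in csf.conf. The script below is an added example, not part of the original tutorial or of CSF: it checks values in those two formats before you reload the firewall. All function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not part of CSF. Formats assumed from csf.conf's own comments:
#   CONNLIMIT = "port;limit,port;limit"
#   PORTFLOOD = "port;protocol;hits;seconds,..."
# An empty value (feature disabled) is reported as invalid here.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
is_port() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

connlimit_entry() {   # one "port;limit" pair
    port=${1%%;*}; limit=${1#*;}
    [ "$port" != "$1" ] && is_port "$port" && is_uint "$limit" && [ "$limit" -ge 1 ]
}

portflood_entry() {   # one "port;protocol;hits;seconds" tuple
    case "$1" in *";"*";"*";"*) ;; *) return 1 ;; esac
    port=${1%%;*}; r=${1#*;}
    proto=${r%%;*}; r=${r#*;}
    hits=${r%%;*}; secs=${r#*;}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    is_port "$port" && is_uint "$hits" && [ "$hits" -ge 1 ] &&
        is_uint "$secs" && [ "$secs" -ge 1 ]
}

check_list() {        # check_list CHECKER "entry,entry,..."
    checker=$1; rest=$2
    while :; do
        entry=${rest%%,*}
        "$checker" "$entry" || { echo "invalid entry: '$entry'" >&2; return 1; }
        case "$rest" in *,*) rest=${rest#*,} ;; *) return 0 ;; esac
    done
}

check_connlimit() { check_list connlimit_entry "$1"; }
check_portflood() { check_list portflood_entry "$1"; }

# Read KEY = "value" from a csf.conf-style file (first match only).
conf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\\(.*\\)\".*/\\1/p" "$2" | head -n 1
}

# Constructed values matching the two examples in the text.
check_connlimit "22;3,443;3" && echo "CONNLIMIT ok"
check_portflood "443;tcp;3;60" && echo "PORTFLOOD ok"
```

On a live system, `check_connlimit "$(conf_value CONNLIMIT /etc/csf/csf.conf)"` runs the same check against the file itself.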
The most basic feature of any firewall is to block and allow IP addresses. You can block an IP address by adding it manually to the csf.deny file, or you can add an entire range of IPs to the csf.deny file.
For example, you can block all the 192.168.1.0/24 IP range.
You can block a single IP of 192.168.2.0 by adding it in the csf.deny file as shown below.
Open the csf.deny file with the following command.
$ nano /etc/csf/csf.deny
Add the following lines to the bottom of the file, one entry per line.
Once you are done, save and close the file by hitting CTRL+X, Y, and Enter.
In contrast to the csf.deny file, the csf.allow file is used to exclude an IP or range of IPs from all the filters. Note that even if you already added an IP to the csf.deny file, that IP address is still allowed to access your server if it is also added to the csf.allow file.
$ nano /etc/csf/csf.allow
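Because an entry in csf.allow takes precedence over csf.deny, a stale or overly broad allow entry can silently cancel a block. The script below is an added example, not part of the original tutorial or of CSF: it lists deny entries that are fully covered by an allow entry, including by a wider CIDR range. It assumes plain IPv4 entries; the function names and the sample allow list are constructed.

```shell
#!/bin/sh
# Added example, not part of CSF: list csf.deny entries that csf.allow overrides.
# Assumes simple IPv4 entries ("a.b.c.d" or "a.b.c.d/nn" without leading-zero
# octets); Include lines, advanced filter lines and IPv6 are skipped.
# Real use: overridden /etc/csf/csf.allow /etc/csf/csf.deny

entries() {      # strip comments and blanks, keep plain IPv4 or IPv4/CIDR
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'
}

ip2int() {       # dotted quad -> 32-bit integer (runs in a subshell via $(...))
    IFS=.; set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

bits_of() { case "$1" in */*) echo "${1#*/}" ;; *) echo 32 ;; esac; }

covers() {       # covers ALLOW DENY: true if ALLOW contains all of DENY
    abits=$(bits_of "$1"); dbits=$(bits_of "$2")
    [ "$abits" -le "$dbits" ] || return 1
    mask=$(( (4294967295 << (32 - abits)) & 4294967295 ))   # 0xFFFFFFFF
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

overridden() {   # overridden ALLOW_FILE DENY_FILE -> "deny <- allow" lines
    entries "$2" | while read -r d; do
        entries "$1" | while read -r a; do
            if covers "$a" "$d"; then echo "$d <- $a"; fi
        done
    done
}

# Constructed sample: the tutorial's two deny entries plus a made-up allow list.
demo() {
    t=$(mktemp -d)
    printf '192.168.1.0/24\n192.168.2.0\n' > "$t/deny"
    printf '192.168.2.0 # constructed entry\n' > "$t/allow"
    overridden "$t/allow" "$t/deny"; rm -rf "$t"
}
demo   # prints: 192.168.2.0 <- 192.168.2.0
```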
CSF offers a wide variety of options to set up your own firewall, which is beyond the scope of this tutorial. You can consult the ConfigServer documentation about the settings and how they work.
Once you finish updating all the required settings, save and close the csf.conf file by hitting CTRL+X, Y, and Enter.
CSF can also ignore an IP address in all of its filters. Unlike an IP address allowed in the csf.allow file, an IP address cannot be ignored if it is listed in the csf.deny file.
$ nano /etc/csf/csf.ignore
Now that you have configured all the settings in the csf.conf file, it is time to update the ruleset to apply the changes.
To do that, run the following command.
$ sudo csf -r
Once the execution of the above command is complete, you will be able to see a message as shown in the following screenshot. If no error messages are displayed, congratulations! Your server’s firewall configuration is now updated and ready for use.
And that wraps up our guide today. We hope you can now install and configure the CSF firewall without a hitch.