How To Install CSF Firewall on Manjaro

Securing your Manjaro Linux system is paramount in today’s increasingly complex cybersecurity landscape. ConfigServer Security & Firewall (CSF) offers a robust solution that combines a powerful firewall with intrusion detection capabilities, making it an excellent choice for enhancing your system’s security posture. While Manjaro comes with UFW (Uncomplicated Firewall) by default, CSF provides additional security features that can significantly improve your system’s protection against various threats.

This comprehensive guide will walk you through the process of installing and configuring CSF Firewall on Manjaro Linux, from understanding its fundamentals to implementing advanced security configurations. Whether you’re a system administrator, a security enthusiast, or simply a Manjaro user looking to strengthen your system’s defenses, this tutorial will equip you with the knowledge to effectively deploy CSF on your system.

Understanding CSF Firewall

What is ConfigServer Security & Firewall (CSF)

ConfigServer Security & Firewall, commonly known as CSF, is a comprehensive security application suite that combines a stateful packet inspection firewall with robust intrusion detection capabilities. Unlike simpler firewall solutions, CSF offers a multi-layered approach to security, protecting your system from various attack vectors including brute force attempts, suspicious login activities, and unauthorized access attempts.

At its core, CSF is a sophisticated configuration tool for iptables, the built-in Linux firewall system. It simplifies the complex process of configuring iptables rules while adding numerous security enhancements. CSF isn’t merely a firewall; it’s an integrated security solution designed to provide comprehensive protection for Linux servers and desktops.

Key Features of CSF

CSF includes several noteworthy features that set it apart from standard firewall solutions:

  • Login Failure Daemon (LFD): This component continuously monitors your system logs for failed login attempts across various services. When it detects suspicious activity, such as multiple failed login attempts from the same IP address, it can automatically block that address temporarily or permanently.
  • Intrusion detection: CSF can detect unusual activities and potential security breaches, alerting you to suspicious behavior before it becomes a serious problem.
  • Brute force protection: The firewall automatically blocks IP addresses that attempt multiple unsuccessful logins, preventing password-guessing attacks.
  • Service access control: CSF allows fine-grained control over which IP addresses can access specific services, letting you lock down critical services like SSH, SMTP, and HTTP.
  • Integration options: On Manjaro, CSF is managed primarily through the command-line interface, with potential integration with graphical tools.

Prerequisites for Installing CSF on Manjaro

System Requirements

Before beginning the installation process, ensure your Manjaro system meets these basic requirements:

  • A working Manjaro Linux installation (any desktop environment)
  • Root or sudo access to your system
  • Basic familiarity with terminal commands
  • At least 100MB of free disk space
  • Active internet connection for downloading packages

CSF is relatively lightweight and doesn’t impose significant resource demands on your system, making it suitable for most hardware configurations running Manjaro.

Required Packages and Dependencies

CSF relies on several key dependencies to function properly. The following packages must be installed on your Manjaro system:

  • Perl and various Perl modules
  • iptables (for firewall functionality)
  • wget or curl (for downloading the installation package)
  • tar and gzip utilities (for extracting the downloaded package)
  • Various Perl libraries for network operations

We’ll install these dependencies in the next section, but it’s good to understand what CSF needs to function properly.

Preparing Your Manjaro System

Before installing CSF, it’s essential to update your system and back up any existing firewall configurations:

  1. Update your system packages by running:
    sudo pacman -Syu
  2. If you’re currently using another firewall like UFW, it’s advisable to back up its configuration before proceeding:
    sudo cp -r /etc/ufw /etc/ufw.backup
  3. Take note of your current firewall rules if you plan to recreate them in CSF:
    sudo iptables -L -v

Installing Dependencies on Manjaro

Installing Perl and Required Modules

CSF heavily relies on Perl and several Perl modules for its functionality. Let’s install them using Manjaro’s package manager:

sudo pacman -S perl perl-io-socket-ssl perl-libwww perl-lwp-protocol-https perl-net-ssleay perl-net-libidn perl-io-socket-inet6

This command installs Perl along with essential modules needed for network operations, SSL/TLS connections, and other CSF requirements.

Installing Additional Required Dependencies

Next, let’s install the remaining dependencies that CSF needs to function properly:

sudo pacman -S iptables wget tar gzip sendmail dnsutils unzip git

This installs the firewall backend (iptables), tools for downloading and extracting the CSF package, and additional utilities that CSF might use during operation.

Verifying Dependency Installation

To ensure all dependencies are correctly installed, you can run the following command to check for Perl modules:

perl -e "use IO::Socket::SSL; print \"Perl modules installed correctly\n\";"

If the command outputs “Perl modules installed correctly” without any errors, you’re ready to proceed. If you encounter any errors, you may need to install additional Perl modules using Manjaro’s package manager or through CPAN.

Downloading and Extracting CSF Firewall

Obtaining the CSF Package

The first step in the installation process is to download the latest version of CSF from the official source. Open your terminal and run:

cd /usr/src
sudo wget https://download.configserver.com/csf.tgz

This downloads the compressed CSF package to the /usr/src directory. The official download ensures you get the most recent version with all security updates.

Verifying Download Integrity

It’s always good practice to verify the integrity of downloaded packages, especially security software. While CSF doesn’t provide official checksums, you can check the file size to ensure it downloaded completely:

sudo ls -lh csf.tgz

The file should be several megabytes in size. If it’s only a few kilobytes, the download may have failed and you should try again.
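
A size check cannot tell a complete archive from a corrupted or unexpected one. The following shell functions are an added example, not from the original tutorial or the CSF project: they test the gzip stream, confirm that every member sits under csf/ and that csf/install.sh exists, and print a SHA-256 digest you can record. The function names and the constructed stand-in archive are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of CSF. The expected member "csf/install.sh" follows
# from the tutorial's own steps (extract, cd csf, sh install.sh).

# Print the SHA-256 digest of a file so the download can be recorded and compared.
archive_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 only if ARCHIVE ($1) is an intact gzip tarball whose members all sit
# under TOPDIR ($2) and which contains TOPDIR/install.sh.
inspect_tarball() {
    _archive=$1
    _top=$2
    gzip -t "$_archive" 2>/dev/null ||
        { echo "FAIL: not an intact gzip stream (truncated or error page?)"; return 1; }
    _members=$(tar -tzf "$_archive" 2>/dev/null) ||
        { echo "FAIL: tar cannot list the archive"; return 1; }
    # Flag absolute paths, ".." components, and anything outside TOPDIR/.
    _bad=$(printf '%s\n' "$_members" | awk -v top="$_top" '
        /^\// || /(^|\/)\.\.(\/|$)/ { print; next }
        $0 != top && $0 != (top "/") && index($0, top "/") != 1 { print }')
    if [ -n "$_bad" ]; then
        echo "FAIL: members outside $_top/:"
        printf '%s\n' "$_bad"
        return 1
    fi
    printf '%s\n' "$_members" | grep -qxF "$_top/install.sh" ||
        { echo "FAIL: $_top/install.sh is missing"; return 1; }
    echo "OK: layout as expected, sha256 $(archive_sha256 "$_archive")"
}

# Constructed stand-in for csf.tgz so the example runs offline.
demo() {
    _dir=$(mktemp -d)
    mkdir "$_dir/csf"
    echo 'echo "installer placeholder"' > "$_dir/csf/install.sh"
    tar -czf "$_dir/good.tgz" -C "$_dir" csf
    head -c 40 "$_dir/good.tgz" > "$_dir/truncated.tgz"
    inspect_tarball "$_dir/good.tgz" csf
    inspect_tarball "$_dir/truncated.tgz" csf || true
    rm -rf "$_dir"
}
demo
```

On a real download, run `inspect_tarball /usr/src/csf.tgz csf` before extracting.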

Extracting the CSF Tarball

Now that you have the CSF package, extract it using the following command:

sudo tar -xzf csf.tgz

This will create a new directory named “csf” containing all the necessary files for installation. Let’s navigate to this directory:

cd csf

You’re now ready to begin the actual installation process.

Installation Process

Running the Installation Script

With all dependencies installed and the CSF package extracted, you can now run the installation script:

sudo sh install.sh

This script will automatically copy all necessary files to their respective locations, set up the CSF configuration directory at /etc/csf, and install the CSF and LFD services.

During installation, you might see output indicating which files are being installed and any checks the installer is performing. If the installation is successful, you should see a message confirming that CSF has been installed.

Initial Installation Verification

After installation completes, it’s important to verify that CSF has been installed correctly and that all required modules are available. Run the CSF test script:

sudo perl /usr/local/csf/bin/csftest.pl

This script checks if all the required Perl modules are present and if your system is compatible with CSF. If any modules are missing, the script will inform you, and you’ll need to install them before continuing.

A successful output should look similar to:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Basic Configuration of CSF Firewall

Locating and Understanding the Configuration File

The main CSF configuration file is located at /etc/csf/csf.conf. This file contains all the settings that control how CSF operates. You can edit it using your preferred text editor:

sudo nano /etc/csf/csf.conf

The configuration file is well-documented with comments explaining each option. Take some time to familiarize yourself with the available settings before making changes.

Disabling Testing Mode

By default, CSF installs in testing mode, which means it won’t actually block any connections. This allows you to configure CSF without accidentally locking yourself out of the system. To enable CSF’s full functionality, you need to disable testing mode:

  1. Find the line that contains TESTING = "1"
  2. Change it to TESTING = "0"
  3. Save the file and exit the editor

This change is crucial for CSF to function as an actual firewall rather than just logging potential blocks.

Configuring Basic Firewall Rules

Next, you’ll want to configure the basic firewall rules to allow necessary connections while blocking everything else. Here are the key parameters to consider:

  1. TCP_IN – Comma-separated list of allowed incoming TCP ports
  2. TCP_OUT – Comma-separated list of allowed outgoing TCP ports
  3. UDP_IN – Comma-separated list of allowed incoming UDP ports
  4. UDP_OUT – Comma-separated list of allowed outgoing UDP ports

For a basic desktop system, you might use something like:

# Allow incoming SSH, HTTP, HTTPS
TCP_IN = "22,80,443"

# Allow outgoing connections to common ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow DNS, NTP and other common UDP services
UDP_IN = "53,123"
UDP_OUT = "53,113,123"

Adjust these settings based on your specific needs and the services running on your system.
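
Before changing TESTING to "0", it helps to confirm that the SSH port is still reachable under the port lists above. This pre-flight check is an added example, not part of CSF or the original tutorial; the function names and sample files are hypothetical, and it assumes the KEY = "value" layout shown above.

```shell
#!/bin/sh
# Added example, not part of CSF: lockout pre-flight for a csf.conf-style file.
# Assumes settings are written as KEY = "value", as in the tutorial's snippets.

# Print the quoted value assigned to KEY ($2) in FILE ($1); last assignment wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $1 appears in the CSF port list $2, e.g. "22,80,30000:35000".
port_listed() {
    _old_ifs=$IFS
    IFS=,
    set -- "$1" $2              # split the list on commas into $2..$n
    IFS=$_old_ifs
    _port=$1
    shift
    for _item in "$@"; do
        case $_item in
            *:*) [ "$_port" -ge "${_item%%:*}" ] && [ "$_port" -le "${_item##*:}" ] && return 0 ;;
            *)   [ "$_port" = "$_item" ] && return 0 ;;
        esac
    done
    return 1
}

# Report findings for CONF ($1) and SSH port ($2). Optional: an allow file ($3)
# and the administrator's source IP ($4). Returns 1 when a lockout is likely.
csf_preflight() {
    _rc=0
    _testing=$(conf_get "$1" TESTING)
    _tcp_in=$(conf_get "$1" TCP_IN)
    [ "$_testing" = "0" ] || echo "NOTE: TESTING is \"$_testing\", testing mode is still on"
    if ! port_listed "$2" "$_tcp_in"; then
        # SSH is closed to the world; it is reachable only from allow-listed sources.
        if [ -n "$4" ] && [ -f "$3" ] &&
           awk -v ip="$4" '$1 == ip { f = 1 } END { exit !f }' "$3"; then
            echo "OK: SSH port $2 is not in TCP_IN, but $4 is in the allow file"
        else
            echo "RISK: SSH port $2 is not in TCP_IN (\"$_tcp_in\")"
            _rc=1
        fi
    fi
    return $_rc
}

# Constructed sample input (not a real server's configuration).
demo() {
    _dir=$(mktemp -d)
    printf '%s\n' 'TESTING = "1"' 'TCP_IN = "80,443,30000:35000"' > "$_dir/csf.conf"
    printf '%s\n' '192.168.1.100 # Trusted workstation' > "$_dir/csf.allow"
    csf_preflight "$_dir/csf.conf" 22 "$_dir/csf.allow" 203.0.113.15
    _status=$?
    rm -rf "$_dir"
    return $_status
}
demo || echo "pre-flight failed: fix the configuration before setting TESTING = \"0\""
```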

Advanced Configuration Options

Security Settings

CSF offers numerous advanced security options that can be fine-tuned to meet your specific requirements:

  1. Login Failure Detection: Configure how CSF responds to failed login attempts by adjusting the following settings:
    • LF_SSHD: Set to “1” to enable SSH login failure detection
    • LF_FTPD: Set to “1” to enable FTP login failure detection
    • LF_LIMIT: The number of login failures allowed before blocking (default is 5)
    • LF_TRIGGER: The time period in which failures are counted (default is 3600 seconds)
  2. Email Notifications: Configure email alerts for security events:
    • LF_ALERT: Set to “1” to enable email alerts
    • LF_ALERT_TO: Email address to receive alerts
    • LF_ALERT_FREQ: Frequency of alerts in seconds

Blocklists and Allow Lists

CSF can automatically import and use blocklists from reputable sources, enhancing your protection against known malicious IPs:

  1. Enable blocklists: Set BLOCKLIST = "1" to enable the use of blocklists
  2. Configure blocklist sources: Review and uncomment the sources you want to use in the BLOCKLIST_COUNTRY section

For your own custom allow lists and deny lists, edit these files:

  • /etc/csf/csf.allow: Add IPs that should always be allowed
  • /etc/csf/csf.deny: Add IPs that should always be blocked

For example, to always allow connections from a trusted IP:

echo "192.168.1.100 # Trusted workstation" >> /etc/csf/csf.allow

Port Access Control

For more granular control over port access, you can use CSF’s port access control features:

  1. Restrict SSH access: To limit SSH access to specific IPs:
    TCP_IN = "22"

    Then add trusted IPs to /etc/csf/csf.allow

  2. Connection tracking: Set CT_LIMIT to define the maximum number of concurrent connections allowed from a single IP
  3. Connection rate limiting: Configure CT_INTERVAL and CT_BLOCK_TIME to prevent connection flooding

Managing CSF Through Command Line

Essential CSF Commands

Managing CSF through the command line is straightforward with these essential commands:

  1. Check CSF status: To verify if CSF is running
    sudo csf -l
  2. Start, stop, and restart CSF:
    sudo csf -s    # Start CSF
    sudo csf -f    # Stop CSF
    sudo csf -r    # Restart CSF
  3. View current firewall rules:
    sudo csf -l

    This displays all current iptables rules implemented by CSF.

Adding and Removing IP Addresses

CSF provides simple commands for managing IP address blocking and allowing:

  1. Allow an IP address:
    sudo csf -a 192.168.1.100 "Trusted workstation"

    This adds the IP to the allow list with a comment for reference.

  2. Block an IP address:
    sudo csf -d 203.0.113.15 "Suspicious activity"

    This immediately blocks the IP and adds it to the deny list.

  3. Remove an IP from the block list:
    sudo csf -dr 203.0.113.15
  4. Temporary vs. permanent blocking: Use -td (temporary deny) with a time in seconds to make a block temporary:
    sudo csf -td 203.0.113.15 3600 "Blocked for 1 hour"

These commands provide efficient ways to manage your firewall rules without directly editing configuration files.

Integrating CSF with Manjaro System

Setting up Systemd Services

To ensure CSF starts automatically when your Manjaro system boots, you need to set up systemd services:

  1. First, check if the services are already enabled:
    sudo systemctl status csf
    sudo systemctl status lfd
  2. If not enabled, enable them:
    sudo systemctl enable csf
    sudo systemctl enable lfd
  3. Start the services:
    sudo systemctl start csf
    sudo systemctl start lfd

This ensures that both the firewall (CSF) and the login failure daemon (LFD) start automatically whenever your system boots.

Integrating with System Logging

CSF generates detailed logs that can help you monitor your system’s security. Configure log rotation to manage these logs effectively:

  1. Create a log rotation configuration file:
    sudo nano /etc/logrotate.d/csf
  2. Add the following content:
    /var/log/lfd.log {
        rotate 5
        weekly
        missingok
        notifempty
        compress
        delaycompress
        create 640 root root
    }
  3. Save and exit the editor

This configuration tells the system to rotate CSF logs weekly, keeping 5 weeks of compressed logs, which helps manage disk space while maintaining security records.

Testing Your CSF Firewall Configuration

Verifying Firewall Effectiveness

After configuring CSF, it’s essential to verify that your firewall is working correctly:

  1. Check if CSF is running:
    sudo csf -v

    This should display the CSF version and confirm it’s running.

  2. Test your firewall using online port scanning tools:
    • Use services like ShieldsUP! or nmap from another system to scan your Manjaro machine
    • Only the ports you explicitly allowed should appear as open
  3. Verify rule implementation:
    sudo iptables -L -n -v

    This shows all active iptables rules, which should reflect your CSF configuration.

Connection Testing

Ensure that your allowed services work properly while blocked services are indeed inaccessible:

  1. Test allowed services: Try connecting to services you’ve allowed in your configuration, such as SSH or web servers.
  2. Test blocked services: Attempt to connect to ports that should be blocked, verifying they’re inaccessible.
  3. Test from different networks: If possible, test connections from different networks to ensure your rules work consistently.

A properly configured CSF firewall should allow all legitimate traffic while effectively blocking unauthorized access attempts.

Troubleshooting Common Issues

Addressing Installation Problems

If you encounter issues during installation, try these solutions:

  1. Dependency-related errors:
    sudo pacman -S perl-io-socket-ssl perl-net-ssleay perl-io-socket-inet6

    This installs commonly missing Perl modules.

  2. Extraction issues: If you have problems extracting the CSF archive, try:
    sudo rm -rf csf*
    sudo wget https://download.configserver.com/csf.tgz
    sudo tar -xzf csf.tgz --no-same-owner
  3. Installation script failures: Check for error messages and ensure all dependencies are installed.

Configuration Troubleshooting

For configuration-related issues:

  1. Ports not opening correctly:
    • Verify your TCP_IN/UDP_IN settings in csf.conf
    • Check for conflicts with other firewall rules
    • Ensure TESTING is set to “0”
  2. Services unexpectedly blocked:
    • Check /var/log/lfd.log for automatic blocks
    • Temporarily disable LFD with sudo systemctl stop lfd and test again
    • Add the service’s IP to csf.allow if needed

Recovering from Lockouts

If you accidentally lock yourself out of your system:

  1. Physical access recovery:
    • Access the system directly
    • Boot into rescue mode
    • Disable CSF with systemctl stop csf
    • Fix the configuration before restarting
  2. SSH lockout recovery:
    • If you have an alternative SSH port configured, try using it
    • If you have another allowed IP, connect from that network
    • As a last resort, reboot the system into recovery mode and fix the configuration

Best Practices for Maintaining CSF on Manjaro

Regular Updates

Keep your CSF installation updated to benefit from the latest security features and bug fixes:

  1. Update CSF:
    cd /usr/src
    sudo rm -rf csf*
    sudo wget https://download.configserver.com/csf.tgz
    sudo tar -xzf csf.tgz
    cd csf
    sudo sh install.sh
  2. Update blocklists: Regularly update your blocklists using:
    sudo csf -u
  3. Stay informed: Follow CSF’s official documentation and forums for security advisories and updates.

Security Auditing

Regularly audit your system’s security to identify and address potential vulnerabilities:

  1. Review CSF logs: Check /var/log/lfd.log regularly for suspicious activities
    sudo grep ALERT /var/log/lfd.log
  2. Monitor intrusion attempts: Look for patterns in blocked IPs and adjust your configuration accordingly
  3. Periodically review your rules: Ensure your allowed and blocked ports still match your system’s requirements as they may change over time
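
To look for patterns in blocked IPs rather than reading raw matches, the log can be summarised per source address and trigger. This is an added example, not part of CSF or the original tutorial; the function names are hypothetical, and the sample lines are constructed under an assumed lfd.log layout that should be checked against your own log before relying on the output.

```shell
#!/bin/sh
# Added example, not part of CSF. Assumed line layout (constructed):
#   <time> <host> lfd[<pid>]: (<svc>) <text> from <ip> (...) ... *Blocked in csf* [<TRIGGER>]

# Constructed sample lines using documentation-range addresses.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 manjaro lfd[1201]: (sshd) Failed SSH login from 203.0.113.15 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar  3 11:40:37 manjaro lfd[1201]: (sshd) Failed SSH login from 198.51.100.7 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar  4 02:05:11 manjaro lfd[1201]: (ftpd) Failed FTP login from 203.0.113.15 (XX/Example/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Mar  4 09:12:44 manjaro lfd[1201]: (sshd) Failed SSH login from 203.0.113.15 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar  4 09:30:00 manjaro lfd[1201]: daemon started on manjaro
EOF
}

# Print "count ip trigger" for every blocked source, busiest first.
blocked_sources() {
    awk '/\*Blocked in csf\*/ {
        ip = ""; trig = ""
        # The source address is the field that follows the word "from".
        for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
        # The trigger name is the bracketed token that ends the line.
        if (match($0, /\[[A-Z0-9_]+\]$/)) trig = substr($0, RSTART + 1, RLENGTH - 2)
        if (ip != "") n[ip " " trig]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2,2
}

# Print IPs blocked at least MIN ($2) times in total, across all triggers.
repeat_offenders() {
    blocked_sources "$1" |
        awk -v min="$2" '{ t[$2] += $1 } END { for (ip in t) if (t[ip] >= min) print ip }' |
        sort
}

demo() {
    _log=$(mktemp)
    sample_log > "$_log"
    echo "count ip trigger"
    blocked_sources "$_log"
    echo "blocked 2+ times: $(repeat_offenders "$_log" 2)"
    rm -f "$_log"
}
demo
```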

Backup and Recovery

Maintain backups of your CSF configuration to quickly recover from mishaps:

  1. Create configuration backups:
    sudo cp -r /etc/csf /etc/csf.backup
  2. Restore from backups when needed:
    sudo cp -r /etc/csf.backup/* /etc/csf/
    sudo csf -r

Following these best practices ensures your CSF firewall remains effective and up-to-date, providing optimal protection for your Manjaro system.

Real-world Security Scenarios

Protecting a Web Server

If you’re running a web server on your Manjaro system, configure CSF to provide robust protection:

  1. Open necessary ports:
    # In csf.conf
    TCP_IN = "22,80,443"
  2. Enable specific protections:
    • Set HTTP_IN = "1" to enable HTTP connection limiting
    • Configure CT_LIMIT to prevent connection flooding
    • Enable SMTP_BLOCK = "1" if you’re not running a mail server
  3. DDoS protection:
    • Set CONNLIMIT = "22;5,80;20,443;20" to limit concurrent connections per IP
    • Enable PORTFLOOD to prevent port flooding attacks

Securing SSH Access

SSH is a common target for attackers. Here’s how to enhance its security with CSF:

  1. Restrict SSH access to specific IPs:
    # Add to csf.allow
    192.168.1.100 # Home IP
    203.0.113.15 # Office IP
  2. Set up brute force protection:
    # In csf.conf
    LF_SSHD = "5"
    LF_SSHD_PERM = "1"

    This permanently blocks IPs after 5 failed SSH login attempts.

  3. Additional SSH security:
    • Configure email alerts for failed SSH attempts
    • Consider changing the default SSH port (though this is security by obscurity)
    • Implement SSH key authentication alongside CSF protection

These real-world configurations provide practical examples of how to use CSF to protect against common attack scenarios.

Congratulations! You have successfully installed CSF Firewall. Thanks for using this tutorial for installing the CSF Firewall on your Manjaro Linux system. For additional or useful information, we recommend you check the official CSF Firewall website.


r00t
