In this tutorial, we will show you how to install CSF Firewall on Ubuntu 20.04 LTS. For those of you who didn’t know, ConfigServer Security & Firewall (CSF) is a popular and open-source Stateful Packet Inspection (SPI) security tool for Linux. Further, it provides a simple interface for the iptables to protect the Linux servers. The CSF has multiple features like a stateful packet inspection firewall, intrusion detection, a login-failure daemon, DDOS protection, and control-panel integration.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the ConfigServer Security & Firewall (CSF) on Ubuntu 20.04 (Focal Fossa). You can follow the same instructions for Ubuntu 18.04, 16.04, and any other Debian-based distribution like Linux Mint.
Prerequisites
- A server running one of the following operating systems: Ubuntu 20.04, 18.04, and any other Debian-based distribution like Linux Mint or elementary OS.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- A
non-root sudo useror access to theroot user. We recommend acting as anon-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install CSF Firewall on Ubuntu 20.04 LTS Focal Fossa
Step 1. First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal.
sudo apt update sudo apt upgrade
Step 2. Installing CSF Firewall on Ubuntu 20.04.
Now we download the latest CSF archive source code from its official site:
wget http://download.configserver.com/csf.tgz
Next, extract the downloaded file and then run its install script:
tar -xvzf csf.tgz cd csf sudo bash install.sh
After that, run the csftest.pl Perl script to verify if all the required iptables modules are installed on your system to make it properly working:
sudo perl /usr/local/csf/bin/csftest.pl
Output:
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
Step 3. Configure CSF.
Now configure CSF as per your security standard. You can configure it by editing the file /etc/csf/csf.conf:
nano /etc/csf/csf.conf
Change the following line per your requirements:
TESTING = "0" RESTRICT_SYSLOG = "3" TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" # Allow incoming UDP ports UDP_IN = "20,21,53,80,443" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123" # Allow incoming PING. Disabling PING will likely break external uptime # monitoring ICMP_IN = "1"
Save and close the file, then restart the CSF with the following command:
csf -r csf -l
Output:
iptables mangle table ===================== Chain PREROUTING (policy ACCEPT 55 packets, 3332 bytes) num pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 48 packets, 3054 bytes) num pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 24 packets, 15822 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 24 packets, 15822 bytes) num pkts bytes target prot opt in out source destination iptables raw table ================== Chain PREROUTING (policy ACCEPT 51 packets, 3321 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 24 packets, 15966 bytes) num pkts bytes target prot opt in out source destination iptables nat table ================== Chain PREROUTING (policy ACCEPT 12 packets, 1410 bytes) num pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1 packets, 69 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 1 packets, 23 bytes) num pkts bytes target prot opt in out source destination
Step 4. Accessing the CSF Web Interface.
CSF provides a web-based interface to manage the firewall from a web browser. First, edit the CSF main configuration file with the following command:
nano /etc/csf/csf.conf
Add the following lines:
#Enable Web UI UI = "1" #Listening Port UI_PORT = "8080" #Admin username UI_USER = "admin" #Admin user password UI_PASS = "your-password" #Listening Interface UI_IP = ""
Save and close the file when you are finished. Then, you will need to edit the /etc/csf/ui/ui.allow file and add your server IP address and remote machine IP from where you want to access the CSF web UI.
nano /etc/csf/ui/ui.allow
Add your server IP and remote machine IP:
your-server-ip remote-machine-ip
Save and close the file, then restart the CSF and LFD service to apply the changes:
csf -r service lfd restart
Finally, open your web browser and search for the server IP address followed by port 8080:
http://your-server-ip:8080
Congratulations! You have successfully installed CSF. Thanks for using this tutorial for installing ConfigServer Security and Firewall on your Ubuntu 20.04 LTS Focal Fossa system. For additional help or useful information, we recommend you check the official CSF website.
