How To Install CSF Firewall on Ubuntu 20.04 LTS

Install CSF Firewall on Ubuntu 20.04

In this tutorial, we will show you how to install CSF Firewall on Ubuntu 20.04 LTS. For those of you who didn’t know, ConfigServer Security & Firewall (CSF) is a popular and open-source Stateful Packet Inspection (SPI) security tool for Linux. Further, it provides a simple interface for the iptables to protect the Linux servers. The CSF has multiple features like a stateful packet inspection firewall, intrusion detection, a login-failure daemon, DDOS protection, and control-panel integration.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of the ConfigServer Security & Firewall (CSF) on Ubuntu 20.04 (Focal Fossa). You can follow the same instructions for Ubuntu 18.04, 16.04, and any other Debian-based distribution like Linux Mint.

Install CSF Firewall on Ubuntu 20.04 LTS Focal Fossa

Step 1. First, make sure that all your system packages are up-to-date by running the following apt commands in the terminal.

sudo apt update
sudo apt upgrade

Step 2. Installing CSF Firewall on Ubuntu 20.04.

Now we download the latest CSF archive source code from its official site:

wget http://download.configserver.com/csf.tgz

Next, extract the downloaded file and then run its install script:

tar -xvzf csf.tgz
cd csf
sudo bash install.sh

After that, run the csftest.pl Perl script to verify if all the required iptables modules are installed on your system to make it properly working:

sudo perl /usr/local/csf/bin/csftest.pl

Output:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 3. Configure CSF.

Now configure CSF as per your security standard. You can configure it by editing the file /etc/csf/csf.conf:

nano /etc/csf/csf.conf

Change the following line per your requirements:

TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

Save and close the file, then restart the CSF with the following command:

csf -r
csf -l

Output:

iptables mangle table
=====================
Chain PREROUTING (policy ACCEPT 55 packets, 3332 bytes)
num pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 48 packets, 3054 bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 24 packets, 15822 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 24 packets, 15822 bytes)
num pkts bytes target prot opt in out source destination

iptables raw table
==================
Chain PREROUTING (policy ACCEPT 51 packets, 3321 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 24 packets, 15966 bytes)
num pkts bytes target prot opt in out source destination

iptables nat table
==================
Chain PREROUTING (policy ACCEPT 12 packets, 1410 bytes)
num pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 69 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 23 bytes)
num pkts bytes target prot opt in out source destination

Step 4. Accessing the CSF Web Interface.

CSF provides a web-based interface to manage the firewall from a web browser. First, edit the CSF main configuration file with the following command:

nano /etc/csf/csf.conf

Add the following lines:

#Enable Web UI
UI = "1"

#Listening Port
UI_PORT = "8080"

#Admin username
UI_USER = "admin"

#Admin user password

UI_PASS = "your-password"

#Listening Interface
UI_IP = ""

Save and close the file when you are finished. Then, you will need to edit the /etc/csf/ui/ui.allow file and add your server IP address and remote machine IP from where you want to access the CSF web UI.

nano /etc/csf/ui/ui.allow

Add your server IP and remote machine IP:

your-server-ip
remote-machine-ip

Save and close the file, then restart the CSF and LFD service to apply the changes:

csf -r
service lfd restart

Finally, open your web browser and search for the server IP address followed by port 8080:

http://your-server-ip:8080

Congratulations! You have successfully installed CSF. Thanks for using this tutorial for installing ConfigServer Security and Firewall on your Ubuntu 20.04 LTS Focal Fossa system. For additional help or useful information, we recommend you check the official CSF website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!