CSF, also known as "Config Server Firewall", is a free and advanced firewall for Linux systems. It comes with advanced security features such as intrusion, flood, and login detection. It is designed to defend against many attacks, such as port scans, SYN floods, and login brute-force attacks. It also provides integration for cPanel, DirectAdmin, and Webmin.
Prerequisites
- A server running Debian 11.
- A root password is configured on the server.
Getting Started
Before starting, it is recommended to update your system packages to the latest version. You can do it using the following command:
apt-get update -y
Once all the packages are updated, install other required dependencies using the following command:
apt-get install sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl -y
Install CSF on Debian 11
By default, the CSF package is not included in the Debian 11 default repository. You will need to download it from its official website.
You can download the latest version of CSF with the following command:
wget http://download.configserver.com/csf.tgz
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf csf.tgz
Next, change the directory to csf and run the install.sh script to install CSF on your server.
cd csf
bash install.sh
Once CSF has been installed, you should get the following output:
Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so
Adding current SSH session IP address to the csf whitelist in csf.allow:
*WARNING* URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET
Adding 106.222.22.32 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /lib/systemd/system/lfd.service.
Failed to disable unit: Unit file firewalld.service does not exist.
Failed to stop firewalld.service: Unit firewalld.service not loaded.
Unit firewalld.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
After the installation, verify the required iptables modules for CSF using the following command:
perl /usr/local/csf/bin/csftest.pl
If everything is fine, you should get the following output:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Configure CSF
Next, you will need to configure CSF based on your requirements. You can configure it by editing the /etc/csf/csf.conf file.
nano /etc/csf/csf.conf
First, find the line TESTING = "1", and change the value to "0" to enable the CSF:
TESTING = "0"
Next, find the line RESTRICT_SYSLOG = "0", and change the value to "3" so that only members of the RESTRICT_SYSLOG_GROUP can access the syslog/rsyslog files:
RESTRICT_SYSLOG = "3"
Add your required incoming TCP open ports in the following line:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
Add your required outgoing TCP ports in the following line:
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
Add your required incoming UDP open ports in the following line:
# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"
Add your required outgoing UDP ports in the following line:
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
Save and close the file then reload the CSF firewall to apply the changes:
csf -r
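The settings changed above can be checked with a short script. This is an added example, not part of CSF or of the original guide: csf_get, csf_audit and csf_audit_demo are helper names made up for this example, and the sample file is constructed. It reports a TESTING or RESTRICT_SYSLOG value that differs from the ones set above, and every TCP_IN port that no service is listening on.

```shell
#!/bin/sh
# Added example: audit the csf.conf values this guide changes.

# Print the value of KEY ($2) from a csf.conf-style file ($1): KEY = "value"
csf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_audit CONF "LISTENING_PORTS": print one finding per line.
# LISTENING_PORTS is a space-separated list of TCP ports with a listener.
csf_audit() {
    conf=$1; listening=$2
    [ "$(csf_get "$conf" TESTING)" = "0" ] ||
        echo "TESTING is not 0: lfd will not run"
    [ "$(csf_get "$conf" RESTRICT_SYSLOG)" = "3" ] ||
        echo "RESTRICT_SYSLOG is not 3"
    for port in $(csf_get "$conf" TCP_IN | tr ',' ' '); do
        case "$port" in *:*) continue ;; esac   # skip port ranges (low:high)
        case " $listening " in
            *" $port "*) ;;                       # a service uses this port
            *) echo "TCP_IN opens $port but nothing listens on it" ;;
        esac
    done
}

# Run the audit on a constructed sample (TCP_IN as in this guide, TESTING
# left at 1) with a constructed listener list: SSH, HTTP and HTTPS only.
csf_audit_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample file
TESTING = "1"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
    csf_audit "$tmp" "22 80 443"
    rm -f "$tmp"
}

# On a live host, build the listener list from ss, for example:
#   csf_audit /etc/csf/csf.conf \
#     "$(ss -Htln | awk '{print $4}' | sed 's/.*://' | sort -un | tr '\n' ' ')"
```

Ports reported by the last check are candidates for removal from TCP_IN before running csf -r.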
Basic CSF commands
To start the CSF firewall rules, run the following command:
csf -s
To flush the CSF firewall, run the following command:
csf -f
To list all IPTABLES rules added by CSF, run the following command:
csf -l
To start CSF and enable it to start at system reboot, run the following commands:
systemctl start csf
systemctl enable csf
To check the status of the CSF firewall, run the following command:
systemctl status csf
You should get the following output:
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2021-09-18 15:42:04 UTC; 11s ago
Process: 8022 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
Main PID: 8022 (code=exited, status=0/SUCCESS)
CPU: 705ms
Sep 18 15:42:04 debian11 csf[8022]: ACCEPT all opt in * out lo ::/0 -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: csf: FASTSTART loading DNS (IPv4)
Sep 18 15:42:04 debian11 csf[8022]: csf: FASTSTART loading DNS (IPv6)
Sep 18 15:42:04 debian11 csf[8022]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Sep 18 15:42:04 debian11 systemd[1]: Finished ConfigServer Firewall & Security - csf.
To allow a specific host by IP address, run the following command:
csf -a 192.168.100.10
To deny a specific host by IP address, run the following command:
csf -d 192.168.100.11
To remove an IP from the allow list, run the following command:
csf -ar 192.168.100.10
To remove an IP from the deny list, run the following command:
csf -dr 192.168.100.11
You can add trusted IPs by editing the /etc/csf/csf.allow file:
nano /etc/csf/csf.allow
Add your trusted IPs:
192.168.100.10
You can add untrusted IPs by editing the /etc/csf/csf.deny file:
nano /etc/csf/csf.deny
Add your untrusted IPs:
192.168.100.11