In this article you will learn how to install CSF (ConfigServer Security & Firewall) on your Linux server, in order to lock down public access to services and only allow certain connections, such as logging in to FTP, checking email, or loading websites. ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD. LFD watches your user activity for excessive login failures, which are commonly seen during brute force attacks.
Before you begin installing CSF, make sure that your server is up to date by running the following commands:
For Debian-based distros (Ubuntu):
# sudo apt-get update && sudo apt-get dist-upgrade
Note that Perl and libwww are prerequisites for installing CSF.
# sudo apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
For CentOS (6/7/8):
# sudo yum update
Note that Perl and libwww are prerequisites for installing CSF.
# sudo yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
Install and Configure ConfigServer Security & Firewall (CSF) in Linux
To download CSF on your server, run the following commands:
# cd /usr/src
# wget https://download.configserver.com/csf.tgz
Extract the CSF tarball:
# tar xzf csf.tgz
# cd csf
Run the CSF installation script, then run the bundled test script to check that the required iptables modules are available:
# sh install.sh
# perl /usr/local/csf/bin/csftest.pl
The expected output of the above command is as follows:
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
Basic Configuration
You can configure the CSF firewall by editing the file "csf.conf":
# sudo nano /etc/csf/csf.conf
From here you can check the open ports on your server.
Typically, by default, the most common ports are already open.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
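The check below is an added example, not part of CSF or of the original article. It reads the port lists from a csf.conf-style file, rejects values that are not plain comma-separated ports in straight double quotes (curly quotes pasted from a web page fail), and lists open ports outside the services you intend to expose. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the port lists in a csf.conf-style file.

# Print the ports of setting $1 (e.g. TCP_IN) in file $2, one per line.
# Fails if the setting is missing, empty, or not a plain "n,n,a:b" list in
# ASCII double quotes (curly quotes pasted from a web page are rejected).
csf_ports() {
    _v=$(sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([0-9:,]*\)\"[[:space:]]*\$/\1/p" "$2" | tail -n 1)
    [ -n "$_v" ] || return 1
    printf '%s\n' "$_v" | tr ',' '\n' | sed '/^$/d'
}

# Print the ports opened by setting $1 in file $2 that are not in the
# space-separated list $3 (the services this host is meant to expose).
# Returns 2 when the setting cannot be parsed.
csf_unexpected_ports() {
    _ports=$(csf_ports "$1" "$2") || return 2
    for _p in $_ports; do
        case " $3 " in
            *" $_p "*) ;;
            *) printf '%s\n' "$_p" ;;
        esac
    done
}

# Constructed sample input (not a real server's csf.conf).
make_sample_conf() {
    cat > "$1" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = “20,21,22,25,53,80,443”
UDP_IN = "20,21,53"
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
echo "TCP_IN ports beyond SSH/HTTP/HTTPS:"
csf_unexpected_ports TCP_IN "$conf" "22 80 443"
for key in TCP_IN TCP_OUT UDP_IN; do
    csf_ports "$key" "$conf" >/dev/null || echo "$key: missing or malformed value"
done
rm -f "$conf"
```

To audit a live host, pass /etc/csf/csf.conf as the file argument instead of the sample.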
Once you have defined all the settings you prefer, save the configuration, exit the editor, then restart and enable the CSF and LFD services:
# sudo systemctl restart csf
# sudo systemctl enable csf
# sudo systemctl restart lfd
# sudo systemctl enable lfd
The basic commands to manage CSF from the CLI are:
# csf -s : Start csf
# csf -f : Stop csf
# csf -r : Reload/Restart csf
You can whitelist an IP by adding it to csf.allow:
# csf -a xxx.xxx.xxx.xxx
Remove or delete an IP from csf.allow:
# csf -ar xxx.xxx.xxx.xxx
Blacklist an IP (add it to csf.deny):
# csf -d xxx.xxx.xxx.xxx
Remove and delete an IP from csf.deny (unblock it):
# csf -dr xxx.xxx.xxx.xxx
Remove and delete all IPs from csf.deny:
# csf -df
Search for a pattern match in iptables
# csf -g xxx.xxx.xxx.xxx
Display the list of temporary allow and deny IPs
# csf -t
Display the current firewall rules:
# csf -l
Check for updates on CSF and upgrade:
# csf -u
Disable CSF and LFD:
# csf -x
Enable CSF and LFD if previously disabled:
# csf -e
Show CSF version
# csf -v