Introduction
Config Server Firewall (CSF) is an open source firewall for Linux servers, built as a front end to iptables, that protects a server from unwanted connections and from brute-force login attempts. Its companion Login Failure Daemon (lfd) continuously watches the server's log files for authentication failures against SSH, SMTP, HTTP, IMAP, POP3, FTP and other services, blocks the offending addresses and can notify you. CSF also lets you block and unblock specific IP addresses manually, either temporarily or permanently, and provides a web-based interface for cPanel, DirectAdmin and Webmin so that the firewall can be managed from a browser.
CSF is simple to install and supports most Linux distributions, including CentOS, Ubuntu, RedHat, OpenSUSE and Debian. The Login Failure Daemon (lfd) scans the log files at regular intervals, finds failed login attempts and blocks the source address as soon as the configured threshold is reached.
In this tutorial, we will learn how to install and Setup Config Server Firewall on Ubuntu 18.04.
Requirements
- A server running Ubuntu 18.04.
- A static IP address configured on the server; this tutorial uses 192.168.0.4.
- A root password is configured.
Getting Started
First, update the installed packages to their latest versions with the following commands:
# apt-get update -y
# apt-get upgrade -y
Once the upgrade has finished, reboot if a new kernel was installed so that the running system matches the updated packages.
Install CSF
First, download the latest CSF release from the official website over HTTPS with the following command:
# wget https://download.configserver.com/csf.tgz
Once the download has been completed, extract the downloaded file with the following command:
# tar -zxvf csf.tgz
Next, change the directory to the csf and install it with the following command:
# cd csf
# sh install.sh
Once the installation has completed successfully, you should see the output below. Note the first line: the installer masks firewalld so that two tools do not fight over the same iptables rules; on Ubuntu, make sure ufw is not enabled for the same reason.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'csf/LICENSE.txt' -> 'webmin/csf/images/LICENSE.txt'
'csf/bootstrap/js/bootstrap.min.js' -> 'webmin/csf/images/bootstrap/js/bootstrap.min.js'
'csf/bootstrap/css/bootstrap.min.css.map' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css.map'
'csf/bootstrap/css/bootstrap.min.css' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css'
'csf/bootstrap/fonts/glyphicons-halflings-regular.eot' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.eot'
'csf/bootstrap/fonts/glyphicons-halflings-regular.woff2' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff2'
'csf/bootstrap/fonts/glyphicons-halflings-regular.svg' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.svg'
'csf/bootstrap/fonts/glyphicons-halflings-regular.ttf' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.ttf'
'csf/bootstrap/fonts/glyphicons-halflings-regular.woff' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff'
'csf/bootstrap-chosen.css' -> 'webmin/csf/images/bootstrap-chosen.css'
'csf/chosen-sprite.png' -> 'webmin/csf/images/chosen-sprite.png'
'csf/chosen-sprite@2x.png' -> 'webmin/csf/images/chosen-sprite@2x.png'
'csf/chosen.min.css' -> 'webmin/csf/images/chosen.min.css'
'csf/chosen.min.js' -> 'webmin/csf/images/chosen.min.js'
'csf/configserver.css' -> 'webmin/csf/images/configserver.css'
'csf/csf-loader.gif' -> 'webmin/csf/images/csf-loader.gif'
'csf/csf.svg' -> 'webmin/csf/images/csf.svg'
'csf/csf_small.png' -> 'webmin/csf/images/csf_small.png'
'csf/jquery.min.js' -> 'webmin/csf/images/jquery.min.js'
'csf/loader.gif' -> 'webmin/csf/images/loader.gif'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
Next, check that the iptables kernel modules CSF relies on are available. Any line reporting FAILED means that feature of csf will not work; the RESULT line says whether csf can run at all:
# perl /usr/local/csf/bin/csftest.pl
You should see the following output:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Configure CSF
CSF's main configuration file is /etc/csf/csf.conf. Open it and set the parameters below with the following command:
# nano /etc/csf/csf.conf
Make the following changes:
# TESTING = "1" (the default) installs a cron job that flushes the firewall rules every
# TESTING_INTERVAL minutes (5 by default) so that a mistake cannot lock you out, but lfd will
# not start while it is enabled. Leave it at "1" until you have confirmed that your SSH port is
# in TCP_IN and that a fresh login still works, then set it to "0" for production and restart csf.
TESTING = "0"
# Restrict write access to the syslog socket to the group in RESTRICT_SYSLOG_GROUP, so that
# unprivileged local users cannot inject fake log lines that lfd would act on (3 is the
# recommended value)
RESTRICT_SYSLOG = "3"
# Allow incoming TCP ports. Every port listed here is reachable from anywhere, so trim the
# list to services that actually run on this server and make sure your SSH port is included
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
Save and close the file when you are finished. Then start the CSF firewall with the following command:
# systemctl start csf
You can also check the status of CSF with the following command:
# systemctl status csf
You should see the following output:
● csf.service - ConfigServer Firewall & Security - csf
Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2019-07-03 06:22:01 UTC; 3s ago
Process: 2618 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
Main PID: 2618 (code=exited, status=0/SUCCESS)
Jul 03 06:22:01 ubuntu1804 csf[2618]: ACCEPT all opt in * out lo ::/0 -> ::/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOGDROPIN all opt in !lo out * ::/0 -> ::/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: csf: FASTSTART loading DNS (IPv4)
Jul 03 06:22:01 ubuntu1804 csf[2618]: csf: FASTSTART loading DNS (IPv6)
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
Jul 03 06:22:01 ubuntu1804 csf[2618]: LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Jul 03 06:22:01 ubuntu1804 systemd[1]: Started ConfigServer Firewall & Security - csf.
The csf command line does the same without systemd: csf -s starts (applies) the firewall rules and csf -r restarts them, which is how you apply changes after editing csf.conf:
# csf -s
# csf -r
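The steps above carry a classic lockout risk: set TESTING = "0" with the SSH port missing from TCP_IN and the next csf -r cuts off your own session. The following POSIX shell script is an added example written for this page; it is not part of CSF or of the original tutorial. It assumes only the KEY = "value" line format of csf.conf shown above and the Port directive of sshd_config, and its function names (csf_get, csf_set, detect_ssh_port, port_in_list, go_production) are the example's own. Run stand-alone, it dry-runs the check on a copy of the live csf.conf if one exists and changes nothing.

```shell
#!/bin/sh
# Added example (not part of CSF): refuse to leave TESTING mode unless the SSH
# port is really in TCP_IN, so a typo in csf.conf cannot lock you out.
# Assumes csf.conf's  KEY = "value"  line format and sshd_config's  Port N  directive.

# Read the value of KEY from a csf.conf-style file (first matching line).
csf_get() { # file key
  sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1" | head -n 1
}

# Set KEY = "VALUE" in place. Values here are digits, commas and colons, so no sed escaping needed.
csf_set() { # file key value
  sed -i "s|^$2 = \".*\"|$2 = \"$3\"|" "$1"
}

# Port from an sshd_config file; 22 if the file is missing or has no Port line.
detect_ssh_port() { # sshd_config
  p=""
  [ -r "$1" ] && p=$(awk '$1 == "Port" { print $2; exit }' "$1")
  echo "${p:-22}"
}

# Succeed if PORT is covered by a CSF port list such as "20,21,22,30000:35000"
# (single ports and low:high ranges, comma separated).
port_in_list() { # port list
  port=$1
  IFS=','; set -- $2; unset IFS
  for item in "$@"; do
    case $item in
      *:*) lo=${item%%:*}; hi=${item##*:}
           [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
      *)   [ "$item" = "$port" ] && return 0 ;;
    esac
  done
  return 1
}

# Switch the given csf.conf to production (TESTING = "0") only when the SSH port
# is in TCP_IN. Returns 0 if switched, 1 if refused (the file is left untouched).
go_production() { # csf.conf ssh_port
  tcp_in=$(csf_get "$1" TCP_IN)
  if port_in_list "$2" "$tcp_in"; then
    csf_set "$1" TESTING 0
    return 0
  fi
  echo "refusing to set TESTING=0: SSH port $2 is not in TCP_IN=\"$tcp_in\"" >&2
  return 1
}

# Stand-alone use: dry-run against the live files on a copy, so nothing is modified.
if [ -r /etc/csf/csf.conf ]; then
  copy=$(mktemp) && cp /etc/csf/csf.conf "$copy"
  if go_production "$copy" "$(detect_ssh_port /etc/ssh/sshd_config)"; then
    echo "safe to set TESTING = \"0\" and restart csf (csf -r)"
  fi
  rm -f "$copy"
fi
```

port_in_list understands the low:high range syntax csf uses in its port lists, so a non-standard SSH port that sits inside a range is recognised. Once go_production succeeds on the real file, restart csf with csf -r and open a second SSH session before closing the first.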
Configure CSF Web Interface
CSF also includes its own web interface for managing the firewall from a browser, separate from the Webmin module (csfwebmin.tgz) that the installer prepared. It needs a few Perl modules, which you can install with the following command:
# apt-get install libio-socket-ssl-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libcrypt-ssleay-perl -y
After installing the modules, enable the web UI by editing csf.conf with the following command:
# nano /etc/csf/csf.conf
Make the following changes:
# 1 restricts the UI to a reduced set of options (the unrestricted mode can change the
# firewall configuration itself from the browser)
RESTRICT_UI = "1"
UI = "1"
UI_PORT = "8080"
# Leave blank to listen on every interface; set it to the management address to bind the UI
# there only (the comment above this key in csf.conf gives the address notation it expects)
UI_IP = ""
UI_USER = "admin"
# Choose a long random password; the value below is only a placeholder. It is stored in clear
# text in csf.conf, which is readable by root only
UI_PASS = "admin@123456"
# After UI_RETRY failed logins the connecting IP address is written to /etc/csf/ui/ui.ban;
# keep this low (0-10)
UI_RETRY = "5"
Save and close the file when you are finished. Next, list the addresses that may connect to the UI in /etc/csf/ui/ui.allow; connections from any other address are rejected:
# nano /etc/csf/ui/ui.allow
Add the address of the workstation you will browse from, one per line. This tutorial uses 192.168.0.4, the server's own address, which only admits connections originating on the server itself; use your admin workstation's address instead:
192.168.0.4
Save and close the file. Then restart lfd to apply these changes (lfd refuses to start while TESTING = "1" in csf.conf, so check that first):
# service lfd restart
You can now check the status of LFD with the following command:
# service lfd status
You should see the following output:
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-07-03 06:26:13 UTC; 3s ago
Process: 3291 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 3318 (lfd - sleeping)
Tasks: 4 (limit: 1114)
CGroup: /system.slice/lfd.service
├─3318 lfd - sleeping
├─3329 lfd - checking system integrity
├─3331 sh -c /usr/bin/md5sum /usr/bin/* /usr/sbin/* /bin/* /sbin/* /usr/local/bin/* /usr/local/sbin/* /etc/init.d/* /etc/xinetd.d/*
└─3332 /usr/bin/md5sum /usr/bin/NF /usr/bin/VGAuthService /usr/bin/[ /usr/bin/aa-enabled /usr/bin/aa-exec /usr/bin/acpi_listen /usr/
Jul 03 06:26:12 ubuntu1804 systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jul 03 06:26:13 ubuntu1804 systemd[1]: Started ConfigServer Firewall & Security - lfd.
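The UI settings above are worth checking mechanically before the port is exposed: an empty UI_IP listens on every interface, the placeholder password is guessable, and ui.allow must contain the right address. The following POSIX shell script is an added example written for this page, not CSF's own code or the original tutorial's. It assumes csf.conf's KEY = "value" line format and one address per line in ui.allow; it passes UI_IP through unchanged, so supply it in whatever notation the comment above that key in your csf.conf requires. The names audit_ui, harden_ui, gen_ui_pass and is_ipv4 are the example's own, and the sample configuration used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not part of CSF): audit and harden the UI settings in csf.conf
# and the /etc/csf/ui/ui.allow allow-list from the shell.
# Assumes csf.conf's  KEY = "value"  line format and one address per line in ui.allow.
# UI_IP is passed through unchanged: use the address notation the comment above
# that key in your csf.conf asks for.

csf_get() { sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1" | head -n 1; }   # file key
csf_set() { sed -i "s|^$2 = \".*\"|$2 = \"$3\"|" "$1"; }           # file key value

# 32 random alphanumerics from the kernel CSPRNG; alphanumeric only, so the value is
# safe inside csf.conf's quotes and in the sed substitution above.
gen_ui_pass() { tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32; echo; }

# Dotted-quad IPv4 check for ui.allow entries.
is_ipv4() {
  IFS=.; set -- $1; unset IFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Report weak UI settings, one finding per line; returns 1 if anything was found.
audit_ui() { # csf.conf
  rc=0
  [ "$(csf_get "$1" UI)" = 1 ] || { echo "UI disabled, nothing to audit"; return 0; }
  [ -n "$(csf_get "$1" UI_IP)" ] || { echo "UI_IP is empty: the UI listens on every interface"; rc=1; }
  [ "$(csf_get "$1" RESTRICT_UI)" = 1 ] || { echo "RESTRICT_UI is not 1: unrestricted option set exposed"; rc=1; }
  pass=$(csf_get "$1" UI_PASS)
  [ ${#pass} -ge 20 ] || { echo "UI_PASS is shorter than 20 characters"; rc=1; }
  case $pass in *admin*|*password*|*123456*) echo "UI_PASS contains a guessable word"; rc=1 ;; esac
  retry=$(csf_get "$1" UI_RETRY)
  case $retry in ''|*[!0-9]*) retry=99 ;; esac
  [ "$retry" -ge 1 ] && [ "$retry" -le 10 ] || { echo "UI_RETRY outside 1-10: brute force not throttled"; rc=1; }
  return $rc
}

# Apply the hardening: restricted UI, bound listener, random password, allow-listed admin address.
harden_ui() { # csf.conf ui.allow bind_ip admin_ip
  is_ipv4 "$4" || { echo "admin address must be IPv4: $4" >&2; return 1; }
  csf_set "$1" UI 1
  csf_set "$1" RESTRICT_UI 1
  csf_set "$1" UI_IP "$3"
  csf_set "$1" UI_RETRY 5
  csf_set "$1" UI_PASS "$(gen_ui_pass)"
  grep -qx "$4" "$2" 2>/dev/null || echo "$4" >> "$2"   # add once, never duplicate
}

# Stand-alone use: audit the live csf.conf if it is readable (root only); no changes are made.
if [ -r /etc/csf/csf.conf ]; then
  audit_ui /etc/csf/csf.conf || echo "fix the findings above, then restart lfd"
fi
```

harden_ui /etc/csf/csf.conf /etc/csf/ui/ui.allow followed by the bind address and your workstation's address applies the settings; run audit_ui afterwards and then restart lfd. The generated UI_PASS is printed nowhere: read it back from csf.conf (root only) and store it in your password manager.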
Access CSF UI
The UI speaks HTTPS only, using the self-signed certificate shipped in /etc/csf/ui/ (server.crt and server.key), so your browser will warn until you replace it with a certificate for the server's hostname. From an address listed in ui.allow, open https://192.168.0.4:8080 in your browser. You should see the login page:
Provide your admin username and password which you have specified in the configuration file and click on the Enter button. You should see the CSF default dashboard in the following page:
From here, you can allow, deny and unblock specific IP addresses quickly. You can also Search IPs, Allow IPs, Deny IPs, Restart Firewall, Enable Firewall and Temporary allow/deny IPs.
Now, click on the csf menu. You should see the following page:
Congratulations! You now have Config Server Firewall set up on your cloud server.
Any questions? Don't hesitate to contact us.