Running a firewall on your operating system is no longer a decision point. It’s a must. Especially on servers where shared organizational resources are hosted. You wouldn’t want a payroll server to be open to anyone on the network, would you?
There are many firewall solutions available. But in this article, we’ll discover an excellent contender—the CSF firewall.
We’ll demonstrate how to install and configure it to secure your Linux server by locking down ports and defining allow and block lists.
Requirements
You’ll need the following items to effectively follow the article’s examples.
- A Linux computer. This article will demo using an Ubuntu 22.04 server.
- A root or sudoer account.
Install the CSF Firewall
The CSF Firewall is provided as a TGZ archive, and the latest version is always available at this link — csf.tgz.
Note. If another firewall is already running on your device, disable it before continuing.
First, login or SSH into your Linux computer, then run this command to download the CSF Firewall package.
wget http://download.configserver.com/csf.tgz
Once downloaded, run this command to extract the package.
tar -xzf csf.tgz
ls -l
The files are extracted to a subfolder called csf.
Now, run this command to run the installation script.
cd csf && sudo sh install.sh
Confirm that CSF Firewall is installed by checking the version.
sudo csf -v
In this example, the latest version is v14.17.
If you received an error saying: “WARNING URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET”, it means you’re missing the libwww-perl package. So let’s install it.
sudo apt install -y libwww-perl
Finally, let’s run the test script to confirm the CSF Firewall is functional.
sudo perl /usr/local/csf/bin/csftest.pl
According to the result below, CSF should function on this server.
Configure the CSF Firewall
The CSF Firewall configuration is stored in a file called /etc/csf/csf.conf. Whenever you need to make changes to the CSF configuration, this file is your master source. By default, CSF runs in test mode to ensure that it does not disrupt anything after the installation.
But before we turn off the test mode, we must first configure the rest. This article will not and cannot cover all CSF configurations. We’ll only focus on the basics and the most essential.
Run this command to open the CSF configuration file in a text editor.
sudo nano /etc/csf/csf.conf
Port Numbers
The default CSF Firewall configuration has a set of allowed incoming and outgoing port numbers (UDP and TCP).
Locate the following directives inside the configuration file.
- TCP_IN and TCP_OUT — The lists of allowed incoming and outgoing TCP ports.
- UDP_IN and UDP_OUT — The lists of allowed incoming and outgoing UDP ports.
As you can see, CSF allows the most commonly used ports by default. You can remove or add ports as needed.
For example, if your server is not an email server, you can remove the messaging-related ports like 25 (SMTP), 110 (POP), 143 (IMAP), 993 (IMAPS), 995 (POP3S), and 465 (SMTPS).
ICMP Traffic
ICMP, the protocol behind PING, is commonly used for monitoring server uptime and availability. By default, CSF allows ICMP traffic.
In most cases, ICMP can be left alone unless there’s a specific reason to disable it or if you’re mitigating a PING FLOOD or DDOS attack.
Connection Limit
Another way to mitigate abuse is by enabling connection limit protection. The directive is called CONNLIMIT.
Look for the CONNLIMIT directive, and you’ll see that the default value is empty.
This directive accepts a comma-separated list of port;limit. For example, if you set the CONNLIMIT value to CONNLIMIT = “25;30,80;10”, this means:
- Allow only 30 concurrent connections to port 25 per source IP.
- Allow only 10 concurrent connections to port 80 per source IP.
Port Flood Protection
The port flood protection limits the connections per time interval. The directive for this is PORTFLOOD.
This directive accepts the values in this syntax: port;protocol;hit_count;interval_seconds
For example, PORTFLOOD = “9000;tcp;8;400,4343;tcp;20;5”
- If a source IP address makes 8 connections (hits) to TCP port 9000 within 400 seconds, block that source IP address for at least 400 seconds after its last packet. There must be a quiet period of 400 seconds with no connection attempts before the connection can be allowed again.
- If a source IP address makes 20 connections (hits) to TCP port 4343 within 5 seconds, block that source IP address for at least 5 seconds after its last packet. There must be a quiet period of 5 seconds with no connection attempts before the connection can be allowed again.
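As an added example (not code from the CSF project), the following Python parses and sanity-checks CONNLIMIT and PORTFLOOD values before they go into csf.conf. The two syntaxes are the ones the Connection Limit and Port Flood Protection sections describe; the range checks are this example's own conservative rules.

```python
# Added example, not CSF project code: parse and sanity-check CONNLIMIT and
# PORTFLOOD values before pasting them into csf.conf. The syntaxes are from
# the article; the range checks are this example's own conservative rules.
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnLimit:
    port: int
    limit: int        # max concurrent connections per source IP

@dataclass(frozen=True)
class PortFlood:
    port: int
    protocol: str     # "tcp" or "udp"
    hit_count: int    # hits within `interval` seconds that trigger a block
    interval: int     # seconds; also the quiet period before unblocking

def _entries(value: str) -> list[list[str]]:
    """Split a quoted, comma-separated directive value into field lists."""
    items = (s.strip() for s in value.strip().strip('"').split(","))
    return [item.split(";") for item in items if item]

def _port(field: str) -> int:
    port = int(field)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def parse_connlimit(value: str) -> list[ConnLimit]:
    """'25;30,80;10' -> [ConnLimit(25, 30), ConnLimit(80, 10)]"""
    result = []
    for fields in _entries(value):
        if len(fields) != 2 or int(fields[1]) < 1:
            raise ValueError(f"CONNLIMIT entry must be port;limit: {fields}")
        result.append(ConnLimit(_port(fields[0]), int(fields[1])))
    return result

def parse_portflood(value: str) -> list[PortFlood]:
    """'9000;tcp;8;400,4343;tcp;20;5' -> two PortFlood entries"""
    result = []
    for fields in _entries(value):
        if len(fields) != 4 or fields[1].lower() not in ("tcp", "udp"):
            raise ValueError(f"PORTFLOOD entry must be port;proto;hits;secs: {fields}")
        hits, secs = int(fields[2]), int(fields[3])
        if hits < 1 or secs < 1:
            raise ValueError(f"hit_count and interval must be positive: {fields}")
        result.append(PortFlood(_port(fields[0]), fields[1].lower(), hits, secs))
    return result
```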
Disable Test Mode
You can finally disable the test mode when satisfied with your CSF configuration. To do so, look for the TESTING = “1” directive and replace the value with TESTING = “0”.
Save and exit the csf.conf file. You must restart CSF for the changes to take effect by running the following:
sudo csf -r
IP Address Allow, Deny and Ignore List
The CSF Firewall also allows you to specify IP addresses in three files equivalent to three categories.
/etc/csf/csf.allow — The list of IP and CIDR addresses that will always be allowed through the firewall. This file has no entries by default.
/etc/csf/csf.deny — The list of IP and CIDR addresses that the firewall will permanently block. This file has no entries by default.
/etc/csf/csf.ignore — The list of IP and CIDR addresses that will always be ignored by LFD (login failure daemon). By default, this file contains one entry, which is 127.0.0.1.
The logic is simple. To allow, deny, or ignore IP and CIDR addresses, you must add them to the appropriate file, one item per line.
If you made changes to any of the files above, you must restart CSF for the changes to take effect by running the following:
sudo csf -r
Enable the CSF Firewall Web UI
If you prefer to manage the CSF Firewall through a GUI front end, you can enable the CSF Firewall Web GUI.
First, let’s install the required PERL modules for the CSF GUI to work.
sudo apt-get install -y \
  libio-socket-ssl-perl libcrypt-ssleay-perl \
  libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl
Next, enable the UI in the CSF configuration. Open the configuration file in the text editor.
sudo nano /etc/csf/csf.conf
Look for the following directives and change the values as needed. Refer to the comments on each directive as follows.
# Enable the UI
UI = "1"
# Set the Web UI port number. The port must be > 1023.
UI_PORT = "8080"
# Leave this blank to bind the UI to all available IPs on the server.
UI_IP = ""
# Set the UI username you want.
UI_USER = "alpha"
# Set the UI password.
UI_PASS = "N0tS0Complic@t3d!"
Also, add the port number to the end of TCP_IN. Save the file and exit the editor.
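As an added example (not code from the CSF project), this Python script applies the two TCP_IN edits the article describes to a csf.conf text: it drops the mail ports listed in the Port Numbers section and appends the web UI port, then checks the UI constraints the article states (UI_PORT above 1023 and listed in TCP_IN). The csf.conf fragment is constructed for the demonstration.

```python
# Added example, not CSF project code: rewrite TCP_IN in a csf.conf text to
# drop the article's mail ports and add the web UI port, then check the UI
# constraints the article states (UI_PORT > 1023 and present in TCP_IN).
import re

MAIL_PORTS = {25, 110, 143, 465, 993, 995}   # SMTP, POP3, IMAP, SMTPS, IMAPS, POP3S

# Constructed csf.conf fragment for demonstration; real files are much longer.
SAMPLE_CONF = '''\
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UI = "1"
UI_PORT = "8080"
'''

_DIRECTIVE = re.compile(r'^(?P<key>[A-Z0-9_]+)\s*=\s*"(?P<value>[^"]*)"', re.M)

def get_directive(conf: str, key: str) -> str:
    """Return the quoted value of `key` or raise if it is absent."""
    for m in _DIRECTIVE.finditer(conf):
        if m.group("key") == key:
            return m.group("value")
    raise KeyError(key)

def set_directive(conf: str, key: str, value: str) -> str:
    """Return `conf` with the first `key = "..."` line replaced."""
    pattern = re.compile(rf'^{key}\s*=\s*"[^"]*"', re.M)
    if not pattern.search(conf):
        raise KeyError(key)
    return pattern.sub(f'{key} = "{value}"', conf, count=1)

def port_list(value: str) -> list[int]:
    return [int(p) for p in value.split(",") if p.strip()]

def harden_tcp_in(conf: str, ui_port: int, drop: set[int] = MAIL_PORTS) -> str:
    """Drop `drop` ports from TCP_IN and append the UI port if missing."""
    ports = [p for p in port_list(get_directive(conf, "TCP_IN")) if p not in drop]
    if ui_port not in ports:
        ports.append(ui_port)
    return set_directive(conf, "TCP_IN", ",".join(map(str, ports)))

def check_ui(conf: str) -> list[str]:
    """Return the UI-related problems found in `conf` (empty list means OK)."""
    problems = []
    ui_port = int(get_directive(conf, "UI_PORT"))
    if ui_port <= 1023:
        problems.append(f"UI_PORT {ui_port} must be greater than 1023")
    if ui_port not in port_list(get_directive(conf, "TCP_IN")):
        problems.append(f"UI_PORT {ui_port} is not listed in TCP_IN")
    return problems
```

Run it against a copy of /etc/csf/csf.conf rather than the live file, and review the diff before restarting CSF.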
Even after enabling the CSF Firewall web UI, no one can connect to it yet. As a security feature, we need to explicitly allow the IP addresses that will connect to the web UI. We’ll need to add the IP address to the /etc/csf/ui/ui.allow file.
sudo nano /etc/csf/ui/ui.allow
Add each IP address that is allowed to connect to the web UI. Save the file and exit the editor.
Finally, restart the CSF and LFD daemons.
sudo systemctl restart csf
sudo systemctl restart lfd
Now, open a web browser from the computer whose IP address you allowed and open the CSF Web UI URL – https://<server_name_or_IP>:<port>. Log in using the username and password you specified in the CSF configuration file.
You can now manage the CSF Firewall on the web UI. For example, click the Firewall Configuration button.
And you can edit the CSF configuration file directly from the web interface.
Conclusion
That’s it! You’ve reached the end of this tutorial. We’ve discovered how to install the CSF Firewall, modify part of the CSF configuration, and enable the web UI for convenient management access.
There are more complex and advanced configurations you can do with CSF that were not covered in this post. To learn more about them, refer to the CSF Readme documentation.