How to Install Config Server Firewall (CSF) on Debian 11
CSF is also known as "Config Server Firewall" is a free and advanced firewall for Linux systems. It comes with some advanced security features such as intrusion, flood, and login detections. It is designed to defend against many attacks, such as port scans, SYN floods, and login brute force attacks. It also provides integration for cPanel, DirectAdmin, and Webmin.
This tutorial will explain CSF installation, basic configuration, and essential commands for CSF on Debian 11.
- A server running Debian 11.
- A root password is configured on the server.
Before starting, it is recommended to update your system packages to the updated version. You can do it using the following command:
apt-get update -y
Once all the packages are updated, install other required dependencies using the following command:
apt-get install sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl -y
Install CSF on Debian 11
By default, the CSF package is not included in the Debian 11 default repository. You will need to download it from its official website.
You can download the latest version of CSF with the following command:
Once the download is completed, extract the downloaded file with the following command:
tar -xvzf csf.tgz
Next, change the directory to CSF and run the install.sh script to install CSF in your server.
Once the CSF has been installed, you should get the following output:
Don't forget to: 1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_* 2. Restart csf and lfd 3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so Adding current SSH session IP address to the csf whitelist in csf.allow: *WARNING* URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET Adding 188.8.131.52 to csf.allow only while in TESTING mode (not iptables ACCEPT) *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration 'lfd.service' -> '/usr/lib/systemd/system/lfd.service' 'csf.service' -> '/usr/lib/systemd/system/csf.service' Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /lib/systemd/system/csf.service. Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /lib/systemd/system/lfd.service. Failed to disable unit: Unit file firewalld.service does not exist. Failed to stop firewalld.service: Unit firewalld.service not loaded. Unit firewalld.service does not exist, proceeding anyway. Created symlink /etc/systemd/system/firewalld.service → /dev/null. '/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz' Installation Completed
After the installation, verify the required iptables modules for CSF using the following command:
If everything is fine, you should get the following output:
Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing xt_connlimit...OK Testing ipt_owner/xt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK Testing iptable_nat/ipt_DNAT...OK RESULT: csf should function on this server
Next, you will need to configure CSF based on your requirements. You can configure it by editing /etc/csf/csf.conf file.
First, find the line TESTING = "1", and change the value to "0" to enable the CSF:
TESTING = "0"
Next, find the line RESTRICT_SYSLOG = "0", and change the value to 3 to set the access of syslog/rsyslog files for only the members of the RESTRICT_SYSLOG_GROUP:
RESTRICT_SYSLOG = "3"
Add your required incoming TCP open ports in the following line:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
Add your required outgoing TCP ports in the following line:
# Allow outgoing TCP ports TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
Add your required incoming UDP open ports in the following line:
# Allow incoming UDP ports UDP_IN = "20,21,53,80,443"
Add your required outgoing UDP ports in the following line:
# Allow outgoing UDP ports UDP_OUT = "20,21,53,113,123"
Save and close the file then reload the CSF firewall to apply the changes:
Basic CSF Commands
To stop the CSF firewall, run the following command:
To flush the CSF firewall, run the following command:
To list all IPTABLES rules added by CSF, run the following command:
To start the CSF and enable it to start at system reboot, run the following command:
systemctl start csf
systemctl enable csf
To check the status of the CSF firewall, run the following command:
systemctl status csf
You should get the following output:
? csf.service - ConfigServer Firewall & Security - csf Loaded: loaded (/lib/systemd/system/csf.service; enabled; vendor preset: enabled) Active: active (exited) since Sat 2021-09-18 15:42:04 UTC; 11s ago Process: 8022 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS) Main PID: 8022 (code=exited, status=0/SUCCESS) CPU: 705ms Sep 18 15:42:04 debian11 csf: ACCEPT all opt in * out lo ::/0 -> ::/0 Sep 18 15:42:04 debian11 csf: LOGDROPOUT all opt in * out !lo ::/0 -> ::/0 Sep 18 15:42:04 debian11 csf: LOGDROPIN all opt in !lo out * ::/0 -> ::/0 Sep 18 15:42:04 debian11 csf: csf: FASTSTART loading DNS (IPv4) Sep 18 15:42:04 debian11 csf: csf: FASTSTART loading DNS (IPv6) Sep 18 15:42:04 debian11 csf: LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 Sep 18 15:42:04 debian11 csf: LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 Sep 18 15:42:04 debian11 csf: LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0 Sep 18 15:42:04 debian11 csf: LOCALINPUT all opt in !lo out * ::/0 -> ::/0 Sep 18 15:42:04 debian11 systemd: Finished ConfigServer Firewall & Security - csf.
To allow a specific host by IP address, run the following command:
csf -a 192.168.100.10
To deny a specific host by IP address, run the following command:
csf -d 192.168.100.11
To remove IP from the allow list, run the following command:
csf -ar 192.168.100.10
To remove IP from the deny list, run the following command:
csf -dr 192.168.100.11
You can add trusted IPs by editing /etc/csf/csf.allow file:
Add your trusted IPs:
You can add untrusted IPs by editing /etc/csf/csf.deny file:
Add your untrusted IPs:
In the above guide, we explained how to install the CSF firewall on Debian 11. We also show you some basic CSF commands to manage your traffic. For more information, visit the CSF documentation.