Config Server Firewall (CSF) is a free and advanced firewall for Linux. It can perform packet filtering, login checks, intrusion and flood detections. It also includes intergration with popular web-based server management panels such as cPanel. It is able to see many attacks such as port scanning, SYN floods, brute force attacks, etc.


Note: Before we begin, it is recommended that we perform these commands as the root user.


# sudo su

 

Installation

We'll need to download CSF first from their website. This will download the archive to our working directory.


# wget http://download.configserver.com/csf.tgz


Now we need to uncompress the archive and extract its contents.


# tar -xzf csf.tgz


This will unpack all files in the archive and create a folder named csf.


Before we begin installing CSF, we should disable any existing firewalls that are in the system such as ufw.


Once all other firewalls are disabled, we can begin installing CSF. Browse to the csf directory that we extracted from the archive earlier and execute the following command:


# sh install.sh

The installation should be quick. Once that's done, we should check if the required modules are available:


# perl /usr/local/csf/bin/csftest.pl


By default, CSF will add your server's IP address to the whitelist as well as opening the port for SSH automatically. Testing mode will also be enabled. This means that rules will be removed and set to the defaults after 5 minutes.


Once you have configured CSF, you should disable testing mode. The command to disable testing mode is shown below under Configuration.

 

Configuration

The configuration file for CSF can be found in the following path:


# nano /etc/csf/csf.conf

 

Port Configuration

As a security measure, you should only open ports that you need. Close all others that aren't needed by your users or the system.


Ports are sorted in the configuration by protocol type and flow:


TCP_IN


TCP_OUT


UDP_IN


UDP_OUT


In the context of the server, IN means data being received by the server, OUT means data being sent by the server.


Similarly, if you have IPV6 enabled, you should configure these as well and they are a separate configuration from IPv4.


TCP6_IN


TCP6_OUT


UDP6_IN


UDP6_OUT


There are a lot of other configuration settings that you should look at. This tutorial will only be covering the basics so you can look up on how to configure the other settings on the Internet. You can also check out the comments in the configuration file itself.


By default, CSF enables testing mode wherein rules are not saved and are reset to the defaults after 5 minutes. Once you've setup your configuration file, you will need to change the following value in the configuration file as well before you save changes.


TESTING = "0"


To save any changes, use the following command:


# csf -r