How to Install and Configure the CSF on Linux Mint 20

Introduction:

Config Server Firewall (CSF) is an open-source, high-level firewall for most Linux distributions and Linux-based VPS. In addition to the basic firewall function of filtering packets, CSF combines other security features, including login, intrusion and flood detection. This tutorial covers the installation of CSF on Linux Mint 20.

Installation Procedure:

root@LinuxHelp:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Linuxmint
Description:	Linux Mint 20
Release:	20
Codename:	ulyana

First, change into the /usr/src directory to install CSF.

root@LinuxHelp:~# cd /usr/src

Download the CSF package

root@LinuxHelp:/usr/src# wget https://download.configserver.com/csf.tgz
--2021-01-02 12:07:08--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2295164 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                       100%[=================================================>]   2.19M   910KB/s    in 2.5s    

2021-01-02 12:07:11 (910 KB/s) - ‘csf.tgz’ saved [2295164/2295164]

Now extract the package

root@LinuxHelp:/usr/src# tar -zxvf csf.tgz 
csf/
csf/restricted.txt
csf/litespeed.https.txt
csf/csf.c
csf/csfajaxtail.js
.
.
.
csf/csf.generic.pignore
csf/install.cyberpanel.sh
csf/csf.vesta.conf
csf/csf.directadmin.pignore
csf/install.interworx.sh
csf/lfd.pl

Once the extraction is complete, change into the csf directory.

root@LinuxHelp:/usr/src# cd csf

Now install CSF with the following command.

root@LinuxHelp:/usr/src/csf# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
.
.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /usr/lib/systemd/system/lfd.service.
Failed to disable unit: Unit file firewalld.service does not exist.
Failed to stop firewalld.service: Unit firewalld.service not loaded.
Unit firewalld.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed

Once the installation is complete, run the CSF test script to confirm the installation. In the run below, the test fails because it cannot execute /sbin/iptables.

root@LinuxHelp:/usr/src/csf# perl /usr/local/csf/bin/csftest.pl 
Testing ip_tables/iptable_filter...open3: exec of /sbin/iptables -I OUTPUT -p tcp --dport 9999 -j ACCEPT failed: No such file or directory at /usr/local/csf/bin/csftest.pl line 144.

Before starting CSF, I configure the csf.conf file.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.conf 

When I tried to start the csf and lfd services, I faced this error:

root@LinuxHelp:/usr/src/csf# systemctl start csf lfd
Job for csf.service failed because the control process exited with error code.
See "systemctl status csf.service" and "journalctl -xe" for details.
Job for lfd.service failed because the control process exited with error code.
See "systemctl status lfd.service" and "journalctl -xe" for details.
root@LinuxHelp:/usr/src/csf# journalctl -xe
-- Subject: A start job for unit lfd.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit lfd.service has finished with a failure.
-- 
-- The job identifier is 2639 and the job result is failed.

The issue is that the iptables path is mismatched. I will show you how to fix this issue: I now open the csf.conf file and configure the iptables details.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.conf 
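
The mismatched path can be located without reading the whole file. The following is an added example, not part of the original tutorial or of the CSF project: a shell function that checks named binary-location settings in a csf.conf-style file and reports each one that does not point at an executable file, together with the path the shell resolves for that program. The key names IPTABLES, LS and TAIL are assumed from a stock csf.conf (only SENDMAIL appears on this page), and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit binary-location settings of the form  KEY = "/path".
# Usage: audit_csf_binaries <conf-file> KEY [KEY...]

audit_csf_binaries() {
    conf=$1; shift
    for key in "$@"; do
        # Split on double quotes: field 1 is 'KEY = ', field 2 is the path.
        # Commented-out lines start with '#' and never match.
        path=$(awk -F'"' -v k="$key" \
            '$1 ~ ("^" k "[ \t]*=[ \t]*$") { p = $2 } END { print p }' "$conf")
        if [ -z "$path" ]; then
            printf '%s is not set\n' "$key"
        elif [ -f "$path" ] && [ -x "$path" ]; then
            continue    # configured path is usable, nothing to report
        elif found=$(command -v "$(basename "$path")" 2>/dev/null); then
            # Program exists, but somewhere other than the configured path.
            printf '%s %s -> %s\n' "$key" "$path" "$found"
        else
            printf '%s %s -> NOT-INSTALLED\n' "$key" "$path"
        fi
    done
}

# Constructed sample input (not the author's real csf.conf).
sample_conf=$(mktemp)
cat > "$sample_conf" <<EOF
# Binary locations
IPTABLES = "/nonexistent/sbin/iptables"
LS = "/nonexistent/bin/ls"
TAIL = "$(command -v tail)"
SENDMAIL = "/nonexistent/sbin/no-such-mailer-xyz"
EOF

audit_csf_binaries "$sample_conf" IPTABLES LS TAIL SENDMAIL
# Against the real file (key names assumed, see above):
#   audit_csf_binaries /etc/csf/csf.conf IPTABLES SENDMAIL
```

Each reported line gives the setting, the configured path and the path to put in csf.conf instead; NOT-INSTALLED means the package providing that program has to be installed first.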

Once the configuration is complete, I start the csf and lfd services.

root@LinuxHelp:/usr/src/csf# systemctl start csf lfd

Once the services have started, check the status of csf and lfd.

root@LinuxHelp:/usr/src/csf# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-01-02 12:12:42 IST; 27s ago
    Process: 4325 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
   Main PID: 4325 (code=exited, status=0/SUCCESS)

● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-01-02 12:12:59 IST; 11s ago
    Process: 4449 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 4470 (lfd - sleeping)
.
.
Jan 02 12:12:58 LinuxHelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...

To start the CSF firewall, execute the following command. The *WARNING* lines at the end of the output name settings in /etc/csf/csf.conf that still need correcting.

root@LinuxHelp:/usr/src/csf# csf -s
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
.
.
.
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

To reload the CSF firewall, execute the following command.

root@LinuxHelp:/usr/src/csf# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
.
.
.
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

To allow an IP address through CSF, execute the following command.

root@LinuxHelp:/usr/src/csf# csf -a 192.168.7.237
Adding 192.168.7.237 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.7.237  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.237 

Now check whether the IP address has been added to the following file.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.allow 

Now remove the IP address from the CSF allow list.

root@LinuxHelp:/usr/src/csf# csf -ar 192.168.7.237
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.7.237  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.237 

Now check whether the IP address has been removed from the following file.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.allow 

To deny an IP address in CSF, execute the following command.

root@LinuxHelp:/usr/src/csf# csf -d 192.168.7.105
Adding 192.168.7.105 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.7.105  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.105  

Now check whether the IP address has been added to the deny list in the following file.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.deny 

Now remove the denied IP address from CSF.

root@LinuxHelp:/usr/src/csf# csf -dr 192.168.7.105
Removing rule...
DROP  all opt -- in !lo out *  192.168.7.105  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.7.105  

Now check whether the denied IP address has been removed from the following file.

root@LinuxHelp:/usr/src/csf# vim /etc/csf/csf.deny 

To disable CSF and lfd completely, run the following command.

root@LinuxHelp:/usr/src/csf# csf -x
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
.
.
.
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf and lfd have been disabled

To enable CSF again, run the following command.

root@LinuxHelp:/usr/src/csf# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
.
.
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-01-02 12:18:38 IST; 13ms ago
    Process: 4938 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 4960 (lfd - starting)
      Tasks: 1 (limit: 4583)
     Memory: 26.4M
     CGroup: /system.slice/lfd.service
             └─4960 lfd - starting

Jan 02 12:18:37 LinuxHelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jan 02 12:18:38 LinuxHelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

To flush the CSF firewall rules, run the following command.

root@LinuxHelp:/usr/src/csf# csf -f
Flushing chain `INPUT'
Flushing chain `FORWARD'
.
.
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'

To check the IPv4 iptables configuration, run csf with the -l option.

root@LinuxHelp:/usr/src/csf# csf -l
iptables filter table
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

With this, the installation of CSF comes to an end.

FAQ
Q
How do I start, reload, disable and enable the CSF service?
A
If you want to start the CSF service
csf -s
Q
Where do I change the iptables locations?
A
The location is /etc/csf/csf.conf; open it with # vim /etc/csf/csf.conf
Q
How do you install the CSF package?
A
To install the CSF package, execute the following command:
# sh install.sh
Q
Where do you download the CSF package?
A
The URL is https://download.configserver.com/csf.tgz. I downloaded the CSF package from this URL using the wget command.
Q
What is CSF (Config Server Firewall)?
A
Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux-based VPS. In addition to the basic functionality of a firewall, filtering packets, CSF includes other security features, such as login, intrusion and flood detection.