How to install and use CSF on Ubuntu 18.04

Config Server Firewall is abbreviated as CSF. CSF is the most commonly used firewall application for securing Linux servers. It offers a wide range of options for managing the Linux firewall from the command line and from a control panel. The CSF installation includes preconfigured settings and control panel UIs for cPanel, DirectAdmin, and Webmin. This article covers how to install CSF on Ubuntu 18.04 and its basic functionality.

Installing CSF

Before you begin with the process, you need to move to the directory where you want to download the package.

root@linuxhelp1:~# cd /usr/src/

Next, download CSF using wget command in the following manner.

root@linuxhelp1:/usr/src# wget https://download.configserver.com/csf.tgz
--2018-06-13 02:12:15--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1633248 (1.6M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                          100%[==========================================================>]   1.56M   624KB/s    in 2.6s

2018-06-13 02:12:19 (624 KB/s) - ‘csf.tgz’ saved [1633248/1633248]

After that, you need to extract the package by running the following command.

root@linuxhelp1:/usr/src# tar -zxvf csf.tgz
csf/
csf/csf.deny
csf/reselleralert.txt
csf/csf.directadmin.pignore
csf/csf.service
csf/permblock.txt
csf/csf.1.txt
.
.
csf/csf.dyndns
csf/uialert.txt
csf/install.generic.sh
csf/sanity.txt
csf/csf.syslogusers
csf/csftest.pl
csf/uninstall.generic.sh
csf/install.directadmin.sh

Then move into the extracted directory and install CSF by executing the below-mentioned commands.

root@linuxhelp1:/usr/src# cd csf
root@linuxhelp1:/usr/src/csf# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
Checking Perl modules...
Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
...Perl modules OK
.
.
'csf/configserver.css' -> 'webmin/csf/images/configserver.css'
'csf/csf-loader.gif' -> 'webmin/csf/images/csf-loader.gif'
'csf/csf.svg' -> 'webmin/csf/images/csf.svg'
'csf/csf_small.png' -> 'webmin/csf/images/csf_small.png'
'csf/jquery.min.js' -> 'webmin/csf/images/jquery.min.js'
'csf/loader.gif' -> 'webmin/csf/images/loader.gif'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

After the installation, check that you have the required iptables modules by running the following command.

root@linuxhelp1:/usr/src/csf# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

CSF Configuration

CSF is installed in testing mode, so it does not yet provide full protection of your server from attacks. To disable testing mode, configure CSF according to your requirements. Start by opening the configuration file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.conf

Disable testing mode by changing the TESTING variable from TESTING = "1" to TESTING = "0". In the same file, review the ports that are allowed in and out.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
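
The two settings above can be checked before the firewall is relied on. The script below is an added example, not part of the original article or of CSF: it reports a csf.conf that is still in testing mode and lists TCP_IN ports the server does not need. The function names and the needed-port list "22 80 443" are assumptions chosen for illustration.

```shell
# Added example (not part of CSF): audit csf.conf before relying on the firewall.
# Constructed sample built from the TESTING and TCP_IN values shown above.
csf_sample_conf() {
cat <<'EOF'
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
}

# Print the quoted value of setting $1 from config on stdin (last assignment wins).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# Print each TCP_IN entry (config on stdin) missing from the needed list $1.
csf_extra_ports() {
    local port
    for port in $(csf_get TCP_IN | tr ',' ' '); do
        case " $1 " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Audit file $1 ("-" reads stdin) against needed ports $2; returns 1 on findings.
csf_audit() {
    local conf extra rc=0
    conf=$(cat "$1") || return 2
    if [ "$(printf '%s\n' "$conf" | csf_get TESTING)" != "0" ]; then
        echo 'FAIL: TESTING is not "0"; in testing mode csf clears its rules on a timer'
        rc=1
    fi
    extra=$(printf '%s\n' "$conf" | csf_extra_ports "$2" | tr '\n' ' ')
    if [ -n "$extra" ]; then
        echo "WARN: TCP_IN allows ports outside the needed list: $extra"
        rc=1
    fi
    return "$rc"
}

# With a file argument audit that file, otherwise audit the constructed sample.
if [ "$#" -ge 1 ]; then
    csf_audit "$1" "${2:-22 80 443}"
else
    csf_sample_conf | csf_audit - "22 80 443" || echo "(findings expected for the sample)"
fi
```

Run it as root against /etc/csf/csf.conf with the ports your services actually listen on as the second argument.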

Next, start the csf service and check its status.

root@linuxhelp1:/usr/src/csf# systemctl start csf
root@linuxhelp1:/usr/src/csf# systemctl status csf
● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
   Active: active (exited) since Wed 2018-06-13 02:18:59 IST; 13s ago
  Process: 22065 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
 Main PID: 22065 (code=exited, status=0/SUCCESS)
.
.
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: csf: FASTSTART loading DNS (IPv4)
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0
Jun 13 02:18:59 www.linuxhelp1.com systemd[1]: Started ConfigServer Firewall & Security - csf.

Once the csf service has started, run the following command.

root@linuxhelp1:/usr/src/csf# csf -s
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
Flushing chain `DENYOUT' 
.
.
csf: FASTSTART loading UDP_OUT (IPv4)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 

If you want to reload CSF, run the following command.

root@linuxhelp1:/usr/src/csf# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
.
.
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0

Running csf without any option displays the options available for handling the CSF functionalities, as follows.

root@linuxhelp1:/usr/src/csf# csf
csf: v12.04 (generic)
csf(1)                                                                                                   csf(1)



NAME
       csf - ConfigServer & Security Firewall

SYNOPSIS
       csf [OPTIONS]

DESCRIPTION
       This manual documents the csf command line options for the ConfigServer
       & Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt  for
       more detailed information on how to use and configure this application.

OPTIONS
.
.
FILES
       /etc/csf/csf.conf
                  The system wide configuration file
       /etc/csf/readme.txt
                  Detailed information about csf and lfd

BUGS
       Report bugs on the forums at http://forum.configserver.com

AUTHOR
       (c)2006-2018, Way to the Web Limited (http://www.configserver.com)



                                                                                                            csf(1)

Options in CSF

If you want to allow an IP, use the -a option followed by the IP.

root@linuxhelp1:/usr/src/csf# csf -a 192.168.7.235
Adding 192.168.7.235 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

Next, open your csf.allow file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.allow

You'll see the IP that was added.

Remove that IP from your allow list by using the -ar option along with the IP.

root@linuxhelp1:/usr/src/csf# csf -ar 192.168.7.235
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

Then open the csf.allow file again to check that the IP is removed.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.allow

If you want to deny an IP address, use the -d option in the following manner.

root@linuxhelp1:/usr/src/csf# csf -d 192.168.7.235
Adding 192.168.7.235 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

You can check if the denied IP is added in the csf.deny file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.deny

You can remove the denied IP from the csf.deny file by running the -dr option.

root@linuxhelp1:/usr/src/csf# csf -dr 192.168.7.235
Removing rule...
DROP  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

You can open the csf.deny file again to check that the IP is removed.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.deny

You can search the firewall rules for an IP address by running the -g option.

root@linuxhelp1:/usr/src/csf# csf -g 192.168.7.235

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
filter DENYIN           1        0     0 DROP       all  --  !lo    *       192.168.7.235        0.0.0.0/0
filter DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            192.168.7.235

csf.deny: 192.168.7.235 # Manually denied: 192.168.7.235 (-) - Wed Jun 13 02:32:42 2018

You can also completely disable csf by using the -x option.

root@linuxhelp1:/usr/src/csf# csf -x
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
.
.
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 
csf and lfd have been disabled

You can enable the disabled CSF by using the -e option.

root@linuxhelp1:/usr/src/csf# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  ->  0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  ->  0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
.
.
Main PID: 22653 (lfd - starting)
    Tasks: 1 (limit: 3504)
   CGroup: /system.slice/lfd.service
           └─22653 lfd - starting

Jun 13 02:37:34 www.linuxhelp1.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Jun 13 02:37:35 www.linuxhelp1.com systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

You can flush the CSF firewall rules by using the -f option.

root@linuxhelp1:/usr/src/csf# csf -f
csf and lfd have been disabled, use 'csf -e' to enable
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 
Flushing chain `PREROUTING' 
Flushing chain `OUTPUT' 
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 

If you want to check the IPv4 iptables configuration, run csf with the -l option.

root@linuxhelp1:/usr/src/csf# csf -l
iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1      281 1697K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          
2        4   348 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
3      253 1692K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0          
4        0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            i
.
.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 277 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 4 packets, 277 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

You can start the csf service with the -s option.

root@linuxhelp1:/usr/src/csf# csf -s
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
.
.
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0

You can restart the csf service by running the command with the -r option.

root@linuxhelp1:/usr/src/csf# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
.
.
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 

With this, the method to install and use CSF on Ubuntu 18.04 comes to an end.

FAQ
Q
What is the Config Server Firewall?
A
Config Server Firewall is abbreviated as CSF. CSF is the most commonly used firewall application for securing Linux servers. It offers a wide range of options for managing the Linux firewall from the command line and from a control panel.
Q
How to set alert email report from the server on CSF?
A
To get alert report emails from the server, set the address below in csf.conf; lfd will send the relevant alert template to the configured email.

# vi /etc/csf/csf.conf
LF_ALERT_TO = "alert@mydomain.com"
Q
How can I define network range? As a web server, the server is going to be accessed from all over the world. So, I think it would be impossible for me to define any random IP ranges?
A
Please add the ports that you want to be accessible from the public to the line below.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
Q
How to start, stop and restart the CSF?
A
To start CSF, run one of the commands below.
/etc/init.d/csf start (or) csf -e for enabling it
To stop CSF (if it is already running), use one of the commands below.
/etc/init.d/csf stop (or) csf -x
To restart (or) reload:
csf -r
Q
How to unblock an IP address on CSF?
A
To unblock an IP address in CSF, use the -dr option:
# csf -dr 123.123.123.123

Removing rule...
DROP all opt -- in !lo out * 123.123.123.123 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 123.123.123.123