
How to install and use CSF on Ubuntu 18.04

To install and use CSF on Ubuntu 18.04

Config Server Firewall is abbreviated as CSF. CSF is the most commonly used firewall application for securing Linux servers. It offers a wide range of options for managing the Linux firewall from the command line and from a control panel. The CSF installation includes preconfigured settings and control panel UIs for cPanel, DirectAdmin, and Webmin. This article covers how to install CSF on Ubuntu 18.04 and its basic functionality.

Installing CSF

Before you begin with the process, you need to move to the directory where you want to download the package.

root@linuxhelp1:~# cd /usr/src/

Next, download CSF using wget command in the following manner.

root@linuxhelp1:/usr/src# wget https://download.configserver.com/csf.tgz
--2018-06-13 02:12:15--  https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 85.10.199.177
Connecting to download.configserver.com (download.configserver.com)|85.10.199.177|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1633248 (1.6M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                          100%[==========================================================>]   1.56M   624KB/s    in 2.6s

2018-06-13 02:12:19 (624 KB/s) - ‘csf.tgz’ saved [1633248/1633248]

After that, you need to extract the package by running the following command.

root@linuxhelp1:/usr/src# tar -zxvf csf.tgz
csf/
csf/csf.deny
csf/reselleralert.txt
csf/csf.directadmin.pignore
csf/csf.service
csf/permblock.txt
csf/csf.1.txt
.
.
csf/csf.dyndns
csf/uialert.txt
csf/install.generic.sh
csf/sanity.txt
csf/csf.syslogusers
csf/csftest.pl
csf/uninstall.generic.sh
csf/install.directadmin.sh

Change into the extracted directory and install CSF by executing the below-mentioned command.

root@linuxhelp1:/usr/src# cd csf
root@linuxhelp1:/usr/src/csf# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
Checking Perl modules...
Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
...Perl modules OK
.
.
'csf/configserver.css' -> 'webmin/csf/images/configserver.css'
'csf/csf-loader.gif' -> 'webmin/csf/images/csf-loader.gif'
'csf/csf.svg' -> 'webmin/csf/images/csf.svg'
'csf/csf_small.png' -> 'webmin/csf/images/csf_small.png'
'csf/jquery.min.js' -> 'webmin/csf/images/jquery.min.js'
'csf/loader.gif' -> 'webmin/csf/images/loader.gif'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

After the installation, check that the required iptables modules are available by running the following command.

root@linuxhelp1:/usr/src/csf# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

CSF Configuration

CSF is installed in testing mode, in which it does not provide full protection of your server from attacks. To disable testing mode, configure CSF according to your requirements. Start by opening the configuration file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.conf

Disable testing mode by changing the TESTING variable from TESTING = "1" to TESTING = "0".

In the same file, review the lists of allowed ports.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
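
A quick pre-flight check for the settings above, as an added example (not from the original tutorial or from the CSF project): it reads a csf.conf-style file, reports whether TESTING is still enabled, and lists the ports opened by a port-list setting that are not among the services you actually run. The function names, the sample file and the required-port lists are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: audit a csf.conf-style file before going live.
# Function names and sample data are illustrative, not part of csf.

# conf_get FILE KEY -> value of an uncommented  KEY = "value"  line (last one wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# testing_state FILE -> "live" only when TESTING = "0", otherwise "testing"
testing_state() {
    if [ "$(conf_get "$1" TESTING)" = "0" ]; then echo live; else echo testing; fi
}

# extra_ports FILE KEY "REQUIRED,PORTS" -> comma-separated ports that KEY opens
# but that are not in the required list (candidates for removal).
# The body runs in a subshell so the IFS change stays local.
extra_ports() (
    open=$(conf_get "$1" "$2" | tr -d ' ')
    required=",$(printf '%s' "$3" | tr -d ' '),"
    extra=""
    IFS=,
    for p in $open; do
        case "$required" in
            *",$p,"*) ;;                          # port is needed, keep it
            *) extra="${extra:+$extra,}$p" ;;     # open but not needed
        esac
    done
    echo "$extra"
)

# Constructed sample mirroring the defaults shown in this tutorial.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
EOF

# Assumed scenario: a web server that only needs SSH, HTTP and HTTPS inbound.
echo "mode: $(testing_state "$SAMPLE")"
echo "TCP_IN ports to review: $(extra_ports "$SAMPLE" TCP_IN "22,80,443")"
echo "UDP_IN ports to review: $(extra_ports "$SAMPLE" UDP_IN "53")"
```

On a real server, point the functions at /etc/csf/csf.conf instead of the sample file and pass the ports your own services listen on.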

Later, start your csf service and check its status.

root@linuxhelp1:/usr/src/csf# systemctl start csf
root@linuxhelp1:/usr/src/csf# systemctl status csf
● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
   Active: active (exited) since Wed 2018-06-13 02:18:59 IST; 13s ago
  Process: 22065 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
 Main PID: 22065 (code=exited, status=0/SUCCESS)
.
.
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: csf: FASTSTART loading DNS (IPv4)
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0
Jun 13 02:18:59 www.linuxhelp1.com csf[22065]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0
Jun 13 02:18:59 www.linuxhelp1.com systemd[1]: Started ConfigServer Firewall &  Security - csf.

Once csf is started, apply the firewall rules with the -s option as follows.

root@linuxhelp1:/usr/src/csf# csf -s
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
Flushing chain `DENYOUT' 
.
.
csf: FASTSTART loading UDP_OUT (IPv4)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 

If you want to reload the CSF, please run the command as follows

root@linuxhelp1:/usr/src/csf# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
.
.
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0

Running csf without any option prints its manual page, which lists the options for handling the CSF functionalities.

root@linuxhelp1:/usr/src/csf# csf
csf: v12.04 (generic)
csf(1)                                                                                                   csf(1)



NAME
       csf - ConfigServer &  Security Firewall

SYNOPSIS
       csf [OPTIONS]

DESCRIPTION
       This manual documents the csf command line options for the ConfigServer
       &  Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt  for
       more detailed information on how to use and configure this application.

OPTIONS
.
.
FILES
       /etc/csf/csf.conf
                  The system wide configuration file
       /etc/csf/readme.txt
                  Detailed information about csf and lfd

BUGS
       Report bugs on the forums at http://forum.configserver.com

AUTHOR
       (c)2006-2018, Way to the Web Limited (http://www.configserver.com)



                                                                                                            csf(1)

Options in CSF

If you want to allow an IP, you shall run the -a option followed by the IP.

root@linuxhelp1:/usr/src/csf# csf -a 192.168.7.235
Adding 192.168.7.235 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

Next, open your csf.allow file

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.allow

You'll see the IP that was added.

Remove that IP from your allow list by using the -ar option along with the IP.

root@linuxhelp1:/usr/src/csf# csf -ar 192.168.7.235
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

Also, check that it has been removed from the file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.allow

If you want to deny the IP address, you shall simply use the -d option in the following manner.

root@linuxhelp1:/usr/src/csf# csf -d 192.168.7.235
Adding 192.168.7.235 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

You can check if the denied IP is added in the csf.deny file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.deny

You can remove the denied IP from the csf.deny file by running the -dr option.

root@linuxhelp1:/usr/src/csf# csf -dr 192.168.7.235
Removing rule...
DROP  all opt -- in !lo out *  192.168.7.235  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  192.168.7.235

You can check and see the csf.deny file.

root@linuxhelp1:/usr/src/csf# vim /etc/csf/csf.deny

You can search the firewall rules and the csf files for an IP address by running the -g option.

root@linuxhelp1:/usr/src/csf# csf -g 192.168.7.235

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         

filter DENYIN           1        0     0 DROP       all  --  !lo    *       192.168.7.235        0.0.0.0/0

filter DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            192.168.7.235

csf.deny: 192.168.7.235 # Manually denied: 192.168.7.235 (-) - Wed Jun 13 02:32:42 2018

You can also completely disable csf by using the -x option.

root@linuxhelp1:/usr/src/csf# csf -x
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
.
.
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 
csf and lfd have been disabled

You can enable the disabled CSF by using the -e option.

root@linuxhelp1:/usr/src/csf# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  ->  0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  ->  0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
.
.
Main PID: 22653 (lfd - starting)
    Tasks: 1 (limit: 3504)
   CGroup: /system.slice/lfd.service
           └─22653 lfd - starting

Jun 13 02:37:34 www.linuxhelp1.com systemd[1]: Starting ConfigServer Firewall &  Security - lfd...
Jun 13 02:37:35 www.linuxhelp1.com systemd[1]: Started ConfigServer Firewall &  Security - lfd.
csf and lfd have been enabled

You can flush the CSF firewall rules by using the -f option.

root@linuxhelp1:/usr/src/csf# csf -f
csf and lfd have been disabled, use 'csf -e' to enable
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 
Flushing chain `PREROUTING' 
Flushing chain `OUTPUT' 
Flushing chain `PREROUTING' 
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `POSTROUTING' 

If you want to check the IPv4 iptables configuration, use the -l option.

root@linuxhelp1:/usr/src/csf# csf -l
iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1      281 1697K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          
2        4   348 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
3      253 1692K INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0          
4        0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            i
.
.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 277 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 4 packets, 277 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

You can start the csf firewall rules with the -s option.

root@linuxhelp1:/usr/src/csf# csf -s
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
Flushing chain `DENYIN' 
.
.
ACCEPT  all opt -- in lo out *  0.0.0.0/0  ->  0.0.0.0/0 
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0

You shall restart the csf service by running the command with the -r option.

root@linuxhelp1:/usr/src/csf# csf -r
Flushing chain `INPUT' 
Flushing chain `FORWARD' 
Flushing chain `OUTPUT' 
Flushing chain `ALLOWIN' 
Flushing chain `ALLOWOUT' 
.
.
ACCEPT  all opt -- in * out lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  ->  0.0.0.0/0 
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  ->  0.0.0.0/0 

With this, the method to install and use CSF on Ubuntu 18.04 comes to an end.

Tags:
gabriel
Author: 


Frequently asked questions ( 5 )

Q

How can I define network range? As a web server, the server is going to be accessed from all over the world. So, I think it would be impossible for me to define any random IP ranges?

A

Add the ports that should be accessible from the public to the line below.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Q

How to start, stop and restart the CSF?

A

To start CSF, run one of the below-mentioned commands.
/etc/init.d/csf start (or) csf -e to enable it
To stop CSF (if it is already running), use the below-placed command.
/etc/init.d/csf stop (or) csf -x
To restart (or) reload:
csf -r

Q

How to unblock an IP address on CSF?

A

To unblock an IP address in CSF, run:
# csf -dr 123.123.123.123

Removing rule...
DROP all opt -- in !lo out * 123.123.123.123 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 123.123.123.123

Q

How to set alert email report from the server on CSF?

A

To get alert report emails from the server, set the address below; lfd will send the relevant alert template to the configured email address.

# vi /etc/csf/csf.conf
LF_ALERT_TO = "alert@mydomain.com"

Q

What is the Config Server Firewall?

A

Config Server Firewall is abbreviated as CSF. CSF is the most commonly used firewall application for securing Linux servers. It offers a wide range of options for managing the Linux firewall from the command line and from a control panel.
