
Install and set up CSF (Config Server Firewall) in Ubuntu

published on
https://configserver.com/cp/csf.html

Whilst UFW is one option for a firewall, and in fact the default one on Ubuntu, there are others. One very good alternative to UFW is CSF, or Config Server Firewall.

CSF is a stateful packet inspection firewall that also includes a login/intrusion detection and security application (the lfd daemon).

Here is how I install it.

Installing prerequisites

First, remove UFW if it is installed, with sudo apt remove ufw.

Now install the necessary packages with sudo apt install perl iptables zip unzip libwww-perl liblwp-protocol-https-perl sendmail-bin ipset ipset-persistent iptables-persistent (sendmail-bin can be left out if it is already installed or you are using something else).

Download and install the Config Server Firewall

cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
# Adjust /etc/csf/csf.conf in place: each sed replaces the whole KEY = "..." line.
sudo /bin/sed -i "s/RESTRICT_SYSLOG\s*=.*$/RESTRICT_SYSLOG = \"3\"/g" /etc/csf/csf.conf
sudo /bin/sed -i "s/SYSLOG_CHECK\s*=.*$/SYSLOG_CHECK = \"3600\"/g" /etc/csf/csf.conf
sudo /bin/sed -i "s/SMTP_BLOCK\s*=.*$/SMTP_BLOCK = \"1\"/g" /etc/csf/csf.conf
sudo /bin/sed -i "s/LF_GLOBAL\s*=.*$/LF_GLOBAL = \"1800\"/g" /etc/csf/csf.conf
sudo /bin/sed -i "s/LF_SCRIPT_ALERT\s*=.*$/LF_SCRIPT_ALERT = \"1\"/g" /etc/csf/csf.conf
sudo /bin/sed -i "s/PT_ALL_USERS\s*=.*$/PT_ALL_USERS = \"1\"/g" /etc/csf/csf.conf
# Leave testing mode: while TESTING = "1" csf installs a cron job that flushes the rules every few minutes and lfd will not start.
sudo /bin/sed -i "s/TESTING = \"1\"/TESTING = \"0\"/g" /etc/csf/csf.conf

This downloads and installs CSF then makes a few changes to the configuration file.

There are still a few changes we need to make. Open the configuration file with sudo nano /etc/csf/csf.conf, find all references to an iptables command in the /sbin directory and change them so that they point to /usr/sbin instead.

Now make the same change to the test Perl script: run sudo nano /etc/csf/csftest.pl and change all references to /sbin/iptables to /usr/sbin/iptables. Once done, run the script by typing sudo perl /etc/csf/csftest.pl.

If you get the okay, move on to configuring CSF. If not, go back and alter the configuration based on what the error message stated.
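The configuration edits and the /sbin to /usr/sbin path change above are easy to get subtly wrong when typed by hand, so here is an added example (not code from the original post or from the CSF project) that applies them to a copy of the file and checks the result before the real /etc/csf/csf.conf is touched. The sample config excerpt, the temp paths and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CSF project.
# Applies the csf.conf edits from the steps above to a COPY of the file and
# checks each one; the sample config and temp paths are constructed.

# Write a constructed excerpt of csf.conf to $1 (not the real file).
csf_write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt of /etc/csf/csf.conf
TESTING = "1"
RESTRICT_SYSLOG = "0"
SYSLOG_CHECK = "0"
SMTP_BLOCK = "0"
LF_GLOBAL = "0"
LF_SCRIPT_ALERT = "0"
PT_ALL_USERS = "0"
IPTABLES = "/sbin/iptables"
IP6TABLES = "/sbin/ip6tables"
IPTABLES_SAVE = "/usr/sbin/iptables-save"
EOF
}

# Set KEY = "VALUE". Anchoring on the line start keeps the substitution away
# from comment lines that merely mention the key.
csf_set_key() {
    file=$1; key=$2; value=$3
    sed -i "s|^${key}[[:space:]]*=.*|${key} = \"${value}\"|" "$file"
}

# Print the quoted value of KEY, or nothing if the key is absent.
csf_get_key() {
    file=$1; key=$2
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file"
}

# Point /sbin/iptables and /sbin/ip6tables references at /usr/sbin (where
# Ubuntu installs them). The last expression undoes the double prefix the
# first two leave on paths that were already under /usr/sbin, which also
# makes the function safe to run twice.
csf_fix_iptables_paths() {
    sed -i -e 's|/sbin/iptables|/usr/sbin/iptables|g' \
           -e 's|/sbin/ip6tables|/usr/sbin/ip6tables|g' \
           -e 's|/usr/usr/sbin/|/usr/sbin/|g' "$1"
}

# Apply every setting from the steps above plus the path fix, then refuse to
# report success while TESTING is still "1": in testing mode csf installs a
# cron job that flushes the rules every few minutes and lfd will not start.
csf_harden_conf() {
    file=$1
    csf_set_key "$file" RESTRICT_SYSLOG 3
    csf_set_key "$file" SYSLOG_CHECK 3600
    csf_set_key "$file" SMTP_BLOCK 1
    csf_set_key "$file" LF_GLOBAL 1800
    csf_set_key "$file" LF_SCRIPT_ALERT 1
    csf_set_key "$file" PT_ALL_USERS 1
    csf_set_key "$file" TESTING 0
    csf_fix_iptables_paths "$file"
    [ "$(csf_get_key "$file" TESTING)" = "0" ]
}

# Demo on a temporary copy; point it at /etc/csf/csf.conf once you are happy.
conf=$(mktemp)
csf_write_sample_conf "$conf"
csf_harden_conf "$conf" && echo "csf.conf settings applied:"
grep -E '^(TESTING|LF_GLOBAL|IPTABLES|IP6TABLES) ' "$conf"
rm -f "$conf"
```

Running csf_harden_conf twice gives the same file, so it is safe to re-run after a CSF upgrade replaces csf.conf.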

Configure CSF

You will need to change the UseDNS line in your SSH configuration to read UseDNS no. Do this by running sudo nano /etc/ssh/sshd_config. Once done, restart the SSH daemon with sudo systemctl restart sshd.

Make sure to edit the CSF configuration file again, find the lines that begin with TCP_IN, TCP_OUT, UDP_IN and UDP_OUT (and their IPv6 equivalents) and add any ports you wish to open (and remove any that you do not wish to have open).

Once done, restart CSF and LFD by typing sudo csf -ra.
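The port-list edits and the restart above are where most lock-outs happen: if the SSH port is dropped from TCP_IN, csf -ra cuts off your own session. As an added example (not code from the original post or from the CSF project), the script below adds and removes entries in the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT lists of a csf.conf file, validates each entry, and refuses to hand the file back if the port sshd listens on is missing from TCP_IN. The sample config is constructed, and the sshd_config path is a parameter you pass in.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CSF project.
# Edits csf.conf port lists and guards against locking SSH out. The sample
# config below is constructed; the sshd_config path is passed as a parameter.

# Write a constructed excerpt of csf.conf to $1 (not the real file).
csf_write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt of /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,80,443"
TCP_OUT = "20,21,22,25,53,80,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,443"
EOF
}

csf_set_key() {   # set KEY = "VALUE" on its own line: FILE KEY VALUE
    sed -i "s|^$2[[:space:]]*=.*|$2 = \"$3\"|" "$1"
}

csf_get_key() {   # print the quoted value of KEY: FILE KEY
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# Accept a single port or a CSF range such as 30000:35000, nothing else.
csf_port_valid() {
    case $1 in ''|*[!0-9:]*|*:*:*) return 1 ;; esac
    lo=${1%%:*}; hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Print the entries of KEY's list, one per line.
csf_ports() {
    csf_get_key "$1" "$2" | tr ',' '\n' | sed '/^$/d'
}

# Succeed if PORT is an exact entry in KEY's list (ranges are not expanded).
csf_port_present() {
    csf_ports "$1" "$2" | grep -qx "$3"
}

# Add PORT to KEY unless it is invalid or already listed: FILE KEY PORT
csf_port_add() {
    file=$1; key=$2; port=$3
    csf_port_valid "$port" || { echo "invalid port entry: $port" >&2; return 2; }
    csf_port_present "$file" "$key" "$port" && return 0
    list=$(csf_get_key "$file" "$key")
    csf_set_key "$file" "$key" "${list:+$list,}$port"
}

# Remove PORT from KEY's list (no error if it was not there): FILE KEY PORT
csf_port_remove() {
    file=$1; key=$2; port=$3
    list=$(csf_ports "$file" "$key" | grep -vx "$port" | paste -s -d ',' -)
    csf_set_key "$file" "$key" "$list"
}

# Lock-out guard: the port from the "Port" line of SSHD_CONF (22 if the file
# is unreadable or has no such line) must be listed in TCP_IN.
csf_guard_ssh() {
    file=$1; sshd_conf=$2; port=22
    if [ -r "$sshd_conf" ]; then
        p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$sshd_conf" | head -n 1)
        [ -n "$p" ] && port=$p
    fi
    csf_port_present "$file" TCP_IN "$port" && return 0
    echo "refusing: SSH port $port is not in TCP_IN, csf -ra would lock you out" >&2
    return 1
}

# Demo on a temporary copy of the config.
conf=$(mktemp)
csf_write_sample_conf "$conf"
csf_port_add "$conf" TCP_IN 8443
csf_port_remove "$conf" TCP_IN 21
csf_guard_ssh "$conf" /etc/ssh/sshd_config && grep '^TCP_IN ' "$conf"
rm -f "$conf"
```

Run csf_guard_ssh against the real files right before sudo csf -ra; if you have moved SSH to a non-standard port, the guard reads it from sshd_config rather than assuming 22.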

Fixing all of those emails

Presuming that your email is set up correctly, you will now be getting lots of emails about excessive resource usage and the like.

To fix this we need to tell CSF to ignore these processes. When doing so, make sure that the commands you add are genuine system commands and functions. If you are unsure, check first. Do not ignore any commands that look odd without researching them first.

In order to tell CSF and LFD to ignore certain commands, open the csf.pignore file by running sudo nano /etc/csf/csf.pignore. Using the existing entries as a guide, add the commands listed in the emails to the bottom of this file.

Once finished, make sure to run sudo csf -ra again and you will not be emailed about any of those processes again.
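Going through a stack of those alert mails by hand is tedious, and the post's warning about not ignoring odd-looking commands is easy to skip when you are copying entries across. As an added example (not code from the original post or from the CSF project), the script below reads the "Executable:" lines out of saved lfd resource-usage alert text, skips executables that csf.pignore already lists, prints exe: candidates for binaries living in the normal system directories, and flags anything else for investigation instead of suggesting it. The alert text, the pignore excerpt and every path in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CSF project.
# Turns saved lfd alert text into csf.pignore candidates. The alert text, the
# pignore excerpt and all paths below are constructed for the demo.

# Write constructed alert text (the shape of lfd's resource-usage mails) to $1.
csf_write_sample_alerts() {
    cat > "$1" <<'EOF'
Time:         Tue Jan  1 10:00:00 2019 +0000
Account:      www-data
Resource:     Process Time
Exceeded:     1850 > 1800 (seconds)
Executable:   /usr/sbin/apache2
Command Line: /usr/sbin/apache2 -k start
PID:          1234 (Parent PID:1000)
Killed:       No

Time:         Tue Jan  1 10:05:00 2019 +0000
Account:      mysql
Resource:     Process Time
Exceeded:     3600 > 1800 (seconds)
Executable:   /usr/sbin/mysqld
Command Line: /usr/sbin/mysqld
PID:          900 (Parent PID:1)
Killed:       No

Time:         Tue Jan  1 10:10:00 2019 +0000
Account:      www-data
Resource:     Process Time
Exceeded:     2000 > 1800 (seconds)
Executable:   /tmp/.cache/run
Command Line: /tmp/.cache/run
PID:          4321 (Parent PID:1234)
Killed:       No
EOF
}

# Write a constructed excerpt of csf.pignore to $1 (not the real file).
csf_write_sample_pignore() {
    cat > "$1" <<'EOF'
# constructed excerpt of /etc/csf/csf.pignore
exe:/usr/sbin/sshd
exe:/usr/sbin/mysqld
user:root
EOF
}

# Unique executables named in the alert text, one per line: ALERTS
csf_alert_executables() {
    sed -n 's/^Executable:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# "exe:/path" for executables in a system binary directory that are not yet
# ignored; "REVIEW /path" for anything else, in line with the post's advice
# not to ignore odd-looking commands without researching them: ALERTS PIGNORE
csf_pignore_candidates() {
    csf_alert_executables "$1" | while IFS= read -r exe; do
        grep -qx "exe:$exe" "$2" && continue
        case $exe in
            /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/bin/*|/sbin/*)
                echo "exe:$exe" ;;
            *)  echo "REVIEW $exe" ;;
        esac
    done
}

# Append the exe: candidates to the pignore file (REVIEW lines are never added
# automatically) and print how many were added; 0 on a second run: ALERTS PIGNORE
csf_pignore_apply() {
    new=$(csf_pignore_candidates "$1" "$2" | grep '^exe:' || true)
    [ -n "$new" ] && printf '%s\n' "$new" >> "$2"
    printf '%s\n' "$new" | grep -c '^exe:' || true
}

# Demo on temporary copies; the real files are /etc/csf/csf.pignore and
# whatever you saved the alert mails to.
alerts=$(mktemp); pignore=$(mktemp)
csf_write_sample_alerts "$alerts"
csf_write_sample_pignore "$pignore"
csf_pignore_candidates "$alerts" "$pignore"
echo "added: $(csf_pignore_apply "$alerts" "$pignore")"
rm -f "$alerts" "$pignore"
```

Anything printed as REVIEW stays out of csf.pignore until you have confirmed what it is; a long-running process started from a writable directory such as /tmp is exactly the kind of thing lfd's alert is there to surface.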

Common commands

Now that you have installed and set up the Config Server Firewall, you may want to know how to perform some common tasks.

To whitelist an IP address

sudo csf -a ip_address

To remove an address from the whitelist

sudo csf -ar ip_address

To blacklist an IP address

sudo csf -d ip_address

To remove an address from the blacklist

sudo csf -dr ip_address

Conclusion

The commands above are only the very basics and I have only scratched the surface; it would be worth reading up on the options open to you when using this firewall.

Whilst the Config Server Firewall is a bit more involved to set up and configure, hopefully this post helps you get it up and running effectively to protect your server.