How to install CSF in Ubuntu 18.04 / 20.04 / 22.04
ConfigServer Security & Firewall (CSF) is a stateful packet inspection firewall and login/intrusion detection suite built on top of iptables. This guide walks through installing and configuring CSF on Ubuntu 18.04, 20.04 and 22.04 so that only the traffic your services actually need reaches the server, and so that repeated login failures and port scans are blocked automatically.
CSF offers various features to protect your VPS. These include:
- Stateful Packet Inspection (SPI)
- Login Failure Detection
- Brute-Force Attack Prevention
- Port Flood Protection
- Exploit Detection
Step 1: Update your system
Before installing any new software, it is always a good idea to update your system packages. Run the following command to update your Ubuntu system:
$ sudo apt update
$ sudo apt upgrade
Step 2: Install CSF Firewall
Once the system is up to date, install CSF. It is written in Perl and manages iptables directly, so a few Perl modules must be present, and any other firewall manager (on Ubuntu that is ufw) should be disabled first, otherwise the two will fight over the same iptables chains:
$ sudo apt install perl libwww-perl liblwp-protocol-https-perl
$ sudo ufw disable
Download the latest release, unpack it and run the installer:
$ wget https://download.configserver.com/csf.tgz
$ tar -xzf csf.tgz
$ cd csf
$ sudo sh install.sh
The installer places the configuration under /etc/csf/ and registers two services: csf (the firewall rules) and lfd, the Login Failure Daemon that performs the brute-force, login-failure and port-scan detection listed above. Before relying on it, confirm that the kernel iptables modules CSF needs are available and that the command is on the path:
$ sudo perl /usr/local/csf/bin/csftest.pl
$ sudo csf -v
csftest.pl should end with "RESULT: csf should function on this server". If it reports a missing module, which is common on minimal or container kernels, fix that before continuing. With these steps CSF is installed, but it starts in testing mode (see below) and with a broad default port list, so it is not yet protecting anything.
Step 3: Configuring Additional Settings
CSF is configured through /etc/csf/csf.conf, which holds several hundred options, each written as KEY = "value" with the quotes. The settings below are the ones most installs need to touch.
ICMP_IN
Setting ICMP_IN to 1 allows incoming ICMP requests, such as ping, to your server. If you are hosting public services, it is recommended to allow ICMP requests as they can be used to verify the availability of your services. Setting ICMP_IN to 0 blocks all incoming ICMP requests.
ICMP_IN_LIMIT
ICMP_IN_LIMIT sets the number of incoming ICMP requests that are allowed from a single IP address within a specified amount of time. The default value of 1/s is usually sufficient, but you can adjust it if necessary.
DENY_IP_LIMIT
DENY_IP_LIMIT caps the number of permanent entries kept in csf.deny (200 by default). Once the cap is reached the oldest entries are rotated out. Every entry becomes an iptables rule, so very large deny lists slow down packet processing and rule reloads.
DENY_TEMP_IP_LIMIT
DENY_TEMP_IP_LIMIT is the same cap for the temporary blocks that lfd creates (100 by default). Keep it lower than DENY_IP_LIMIT; temporary blocks are meant to expire, not accumulate.
PACKET_FILTER
PACKET_FILTER is a powerful feature that filters out invalid, unwanted, and illegal packets before they can reach your server. Enabling this feature can improve server security by reducing the number of potential attacks.
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST
These settings (spelled SYNFLOOD_RATE and SYNFLOOD_BURST in csf.conf) rate-limit new TCP SYN packets to protect against SYN flood attacks, which can exhaust the connection table and make the server unresponsive. CSF's own notes warn that enabling them slows the setup of every new connection and can drop legitimate ones, so leave SYNFLOOD at 0 unless you know the server is under attack.
CONNLIMIT
CONNLIMIT limits the number of concurrent connections a single IP address may hold to a port. Each entry is port;limit and entries are separated by commas, so the value:
22;5,443;20
allows each client IP at most 5 concurrent connections to port 22 and 20 to port 443. Note the separators: a semicolon inside an entry, a comma between entries; 22;5;443;20 is not a valid value.
PORTFLOOD
PORTFLOOD limits how many new connections a single IP address may open to a port within a time window. Each entry is port;protocol;hits;interval, so the value:
22;tcp;5;250
blocks an IP that opens more than 5 TCP connections to port 22 within 250 seconds. The block is temporary and lapses once 250 seconds have passed since the client's last packet to that port. Add more ports as comma-separated entries:
port1;protocol1;hits1;interval1,port2;protocol2;hits2;interval2
Step 4: Configuring ports
To reduce the attack surface of your VPS, keep the number of open ports to the minimum your services need. The port lists live in /etc/csf/csf.conf as comma-separated values; the defaults that ship with CSF open a fairly broad set (the exact list varies between releases), for example:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
These cover FTP, SSH, SMTP, DNS, HTTP, POP3/IMAP and more, most of which a typical VPS does not run. Rather than pruning, clear each list and add back only the ports you need. Keep the port sshd listens on in TCP_IN while you do this, and keep your current SSH session open until a second session confirms the new rules still let you in.
Below are recommended port sets per service. Start with the "any server" set and add only what the host actually runs:
For any server (SSH in; DNS, HTTP and HTTPS out for name resolution and package updates; if sshd listens on a non-standard port, use that port instead of 22):
TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UDP_IN: 53
UDP_OUT: 53,113,123
Apache (or any web server):
TCP_IN: 80,443
An FTP server (passive mode also needs the passive port range configured in your FTP daemon added to TCP_IN):
TCP_IN: 20,21
TCP_OUT: 20,21
UDP_IN: 20,21
UDP_OUT: 20,21
A mail server:
TCP_IN: 25,110,143,587,993,995
TCP_OUT: 25,110
For a MySQL server (only if remote access is really required; a port-scoped entry in csf.allow for the known client addresses is safer than opening 3306 to everyone):
TCP_IN: 3306
TCP_OUT: 3306
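Steps 3 and 4 both come down to rewriting KEY = "value" lines in /etc/csf/csf.conf, and the CONNLIMIT and PORTFLOOD formats are easy to get wrong. The script below is an added example, not CSF's own tooling: it sets a key in place with a backup, and checks CONNLIMIT and PORTFLOOD values against the port;limit and port;proto;hits;interval shapes before writing them. It assumes the KEY = "value" layout shown above; point CSF_CONF at a copy (sample_conf writes a constructed fragment to a temp file) to try it without touching the live config.

```shell
#!/bin/sh
# Added example (not part of CSF): edit csf.conf keys from a script and
# validate CONNLIMIT / PORTFLOOD values first. CSF_CONF defaults to the real
# file; override it to work on a copy.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# sample_conf: write a constructed csf.conf fragment to a temp file and print its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real csf.conf
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
CONNLIMIT = ""
PORTFLOOD = ""
EOF
    echo "$f"
}

# csf_get KEY: print the current value of KEY (without the quotes).
csf_get() { sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$CSF_CONF"; }

# csf_set KEY VALUE: replace the KEY = "..." line; fails if KEY is absent so a
# typo in the key name cannot silently add an ignored line. Values may not contain '|'.
csf_set() {
    key=$1; value=$2
    grep -q "^$key = " "$CSF_CONF" || { echo "csf_set: no key $key in $CSF_CONF" >&2; return 1; }
    cp "$CSF_CONF" "$CSF_CONF.bak"
    sed "s|^$key = \".*\"|$key = \"$value\"|" "$CSF_CONF" > "$CSF_CONF.tmp" && mv "$CSF_CONF.tmp" "$CSF_CONF"
}

# is_uint: true for a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# check_connlimit "22;5,443;20": every comma-separated entry must be port;limit.
check_connlimit() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | tr ',' '\n' | {
        while IFS=';' read -r port limit extra; do
            is_uint "$port" && is_uint "$limit" && [ -z "$extra" ] ||
                { echo "bad CONNLIMIT entry: $port;$limit${extra:+;$extra}" >&2; exit 1; }
        done
    }
}

# check_portflood "22;tcp;5;300": every entry must be port;proto;hits;interval.
check_portflood() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | tr ',' '\n' | {
        while IFS=';' read -r port proto hits interval extra; do
            case "$proto" in tcp|udp) ;; *) echo "bad PORTFLOOD proto: $proto" >&2; exit 1 ;; esac
            is_uint "$port" && is_uint "$hits" && is_uint "$interval" && [ -z "$extra" ] ||
                { echo "bad PORTFLOOD entry: $port;$proto;$hits;$interval${extra:+;$extra}" >&2; exit 1; }
        done
    }
}

# csf_set_checked KEY VALUE: validate the keys with a structured format, then write.
csf_set_checked() {
    case "$1" in
        CONNLIMIT) check_connlimit "$2" || return 1 ;;
        PORTFLOOD) check_portflood "$2" || return 1 ;;
    esac
    csf_set "$1" "$2"
}
```

After changing the live file, reload with csf -r as described later in this guide; the script deliberately does not restart anything itself. Note that csf_set_checked rejects the comma-less 22;5;443;20 form, which CSF would also refuse.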
Step 5: Blocking and Allowing IP Addresses
Blocking and allowing IP addresses is one of the most basic features of a firewall. In CSF you do this by editing /etc/csf/csf.deny and /etc/csf/csf.allow respectively, or with the csf command, which edits those files for you and applies the change immediately. A third file, /etc/csf/csf.ignore, lists addresses that lfd should never block automatically.
Blocking IP addresses
To block an IP address or range, open /etc/csf/csf.deny in a text editor such as nano:
$ sudo nano /etc/csf/csf.deny
Add each IP address or range on its own line. For example, to block 1.2.3.4 and the range 2.3.0.0/16, add:
1.2.3.4
2.3.0.0/16
Ranges use CIDR notation, and anything after a # on a line is a comment, which is worth using to record why an address was blocked. The same can be done without opening the file, and without a restart, from the command line:
$ sudo csf -d 1.2.3.4 "reason for the block"
$ sudo csf -dr 1.2.3.4
The first adds the address to csf.deny and inserts the rule at once; the second removes it again.
Allowing IP addresses
To let an IP address or range bypass every block and filter, add it to /etc/csf/csf.allow. An address listed there is allowed even if it also appears in csf.deny or is caught by lfd, so treat this list as a small set of fully trusted hosts (your own management addresses), not as a convenience.
To allow an address or range, open the file:
$ sudo nano /etc/csf/csf.allow
Add each address or range on its own line. For example, to allow 1.2.3.4 and the range 2.3.0.0/16, add:
1.2.3.4
2.3.0.0/16
or, from the command line, sudo csf -a 1.2.3.4 "comment" (and csf -ar to remove it). csf.allow also accepts port-scoped entries of the form tcp|in|d=3306|s=1.2.3.4, which open a single port to a single source; that is the right way to expose something like MySQL to one known client instead of adding 3306 to TCP_IN for everyone.
Ignoring IP addresses
csf.ignore is read by lfd, not by the firewall rules: addresses listed there are never blocked automatically by lfd's login-failure and port-scan detection, but they still pass through the normal port filters and can still be blocked explicitly via csf.deny. Put monitoring hosts and anything that legitimately fails logins often here rather than in csf.allow.
To ignore an IP address or range, open the csf.ignore file using a text editor:
$ sudo nano /etc/csf/csf.ignore
Each IP address or range that you want to ignore should be added on a new line in the file. For example, to ignore IP address 1.2.3.4 and IP range 2.3.0.0/16, you should add the following lines:
1.2.3.4
2.3.0.0/16
Restarting CSF
After editing csf.conf or any of the above files by hand, reload CSF so the changes take effect (csf -a and csf -d apply their own change immediately and do not need this):
$ sudo csf -r
This rebuilds the iptables rules from the configuration files.
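Because csf.allow entries override csf.deny, a deny added by hand for an address that sits inside an allowed range silently does nothing. The functions below are an added example, not part of CSF: they validate an IPv4 address or CIDR block, refuse to append it to csf.deny if it overlaps any plain address entry in csf.allow, and skip duplicates. The paths default to CSF's real files, but CSF_ALLOW and CSF_DENY can point at copies; port-scoped allow lines (tcp|in|...) are skipped because they are not plain addresses. Reload with csf -r afterwards as described above.

```shell
#!/bin/sh
# Added example (not part of CSF): safely add a deny entry.
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"

# ip_valid a.b.c.d: four decimal octets, each 0-255.
ip_valid() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ip2int a.b.c.d: the address as a 32-bit integer (1.2.3.4 -> 16909060).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_split "a.b.c.d[/n]": sets CIDR_IP and CIDR_LEN; a bare address is /32.
cidr_split() {
    case "$1" in
        */*) CIDR_IP=${1%/*}; CIDR_LEN=${1#*/} ;;
        *)   CIDR_IP=$1;      CIDR_LEN=32 ;;
    esac
    ip_valid "$CIDR_IP" || return 1
    case "$CIDR_LEN" in ''|*[!0-9]*) return 1 ;; esac
    [ "$CIDR_LEN" -le 32 ]
}

# cidr_overlap A B: true if the two blocks share any address, i.e. they agree
# on the first min(lenA, lenB) bits.
cidr_overlap() {
    cidr_split "$1" || return 1; a_ip=$(ip2int "$CIDR_IP"); a_len=$CIDR_LEN
    cidr_split "$2" || return 1; b_ip=$(ip2int "$CIDR_IP"); b_len=$CIDR_LEN
    len=$a_len; [ "$b_len" -lt "$len" ] && len=$b_len
    [ "$len" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( a_ip & mask )) -eq $(( b_ip & mask )) ]
}

# in_cidr IP BLOCK: true if IP lies inside BLOCK.
in_cidr() { ip_valid "$1" && cidr_overlap "$1/32" "$2"; }

# csf_deny_safe TARGET [COMMENT]: append to csf.deny unless invalid, duplicate,
# or shadowed by a csf.allow entry (returns 1, 0, 2 respectively in those cases).
csf_deny_safe() {
    target=$1; comment=${2:-}
    cidr_split "$target" || { echo "invalid address or block: $target" >&2; return 1; }
    if [ -f "$CSF_ALLOW" ]; then
        while read -r entry rest; do
            case "$entry" in ''|\#*) continue ;; esac   # blank lines and comments
            cidr_split "$entry" || continue              # skip tcp|in|... style lines
            if cidr_overlap "$target" "$entry"; then
                echo "refusing: $target overlaps csf.allow entry $entry, the deny would be ignored" >&2
                return 2
            fi
        done < "$CSF_ALLOW"
    fi
    esc=$(printf '%s' "$target" | sed 's/\./\\./g')
    if [ -f "$CSF_DENY" ] && grep -Eq "^$esc([[:space:]]|$)" "$CSF_DENY"; then
        echo "already denied: $target" >&2
        return 0
    fi
    printf '%s%s\n' "$target" "${comment:+ # $comment}" >> "$CSF_DENY"
}
```

The overlap test is the general CIDR containment check (two blocks overlap exactly when one contains the other), so it also catches a deny like 10.1.0.0/16 against an allow of 10.0.0.0/8, not just single addresses.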
Testing Mode
A freshly installed CSF has TESTING = "1" in /etc/csf/csf.conf. In testing mode CSF adds a cron job that flushes the firewall rules every TESTING_INTERVAL minutes (5 by default), so a mistake in the port lists cannot lock you out for long, and lfd refuses to start, so no automatic blocking happens at all. Once you have confirmed that you can still reach the server (open a second SSH session after restarting CSF while keeping the first one open), set TESTING to 0 and restart CSF:
TESTING = "0"
Checking the Configuration
CSF has no separate syntax checker: csf --check (csf -c) only looks for a newer CSF release. To validate a changed csf.conf, restart the firewall and read its output, which lists the rules it loads and complains about any value it cannot parse:
$ sudo csf -r
Then confirm that the rules are in place and that lfd is running and not logging errors:
$ sudo csf -l
$ sudo systemctl status lfd
$ sudo tail /var/log/lfd.log
Restarting CSF and lfd
lfd reads csf.conf only at start-up, so after changing csf.conf restart both the firewall rules and the daemon in one go:
$ sudo csf -ra
Conclusion
In this guide, we have walked through the installation and configuration of the CSF firewall on Ubuntu. With the port lists trimmed to what your services need, testing mode switched off and lfd running, only authorized traffic reaches the server and repeated login failures are blocked automatically.
Alternative Solutions for Server Security on Ubuntu
While CSF is a popular and effective firewall solution, alternative approaches exist for securing your Ubuntu server. Here are two different methods, along with explanations and code examples:
1. Using iptables directly
iptables is the command-line firewall utility that underlies many higher-level firewall management tools, including CSF. Instead of relying on a separate application, you can write iptables rules yourself. This gives the most granular control over your firewall but requires a deeper understanding of packet filtering, and you have to build the login-failure detection that CSF's lfd provides separately.
Explanation:
iptables works by examining network traffic and comparing it against a set of rules. Each rule specifies a condition and an action to take if the condition is met. Common actions include ACCEPT (allow the traffic), DROP (silently discard the traffic), and REJECT (send an error message back to the sender). Rules are organized into tables and chains. The most commonly used table is filter, which contains chains for INPUT (incoming traffic), OUTPUT (outgoing traffic), and FORWARD (traffic being routed through the server).
Code Example:
Run these in order from a console or an existing SSH session. The rules keep the established session alive, but the final DROP must come after every ACCEPT, and the default policies are left at ACCEPT so the flush itself cannot cut you off. First, clear any existing rules:
sudo iptables -F
sudo iptables -X
sudo iptables -Z
Allow loopback traffic. Without this, anything on the host that talks to itself breaks, including Ubuntu's systemd-resolved stub resolver on 127.0.0.53:
sudo iptables -A INPUT -i lo -j ACCEPT
Allow established and related connections:
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Allow SSH (port 22):
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
Allow HTTP (port 80) and HTTPS (port 443):
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
Allow ping:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Drop all other incoming traffic (this must stay the last INPUT rule; anything appended after it is never reached):
sudo iptables -A INPUT -j DROP
Allow all outgoing traffic (you can restrict this further if needed):
sudo iptables -A OUTPUT -j ACCEPT
These rules are IPv4 only; if the host has a public IPv6 address, ip6tables needs the same treatment.
Important: These rules are not persistent across reboots. On Ubuntu the usual way to persist them is the iptables-persistent package, which offers to save the current rules at install time and stores them in /etc/iptables/rules.v4 (and rules.v6):
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
However, using iptables directly involves manually crafting these rules which is a tedious process.
2. Using ufw (Uncomplicated Firewall)
ufw is a user-friendly front-end for iptables designed to simplify firewall configuration. It ships with Ubuntu, has a more intuitive command-line interface, and makes it easy to define common firewall rules.
Explanation:
ufw uses application profiles (e.g. "OpenSSH", "Apache Full"), which packages install under /etc/ufw/applications.d, alongside plain port numbers and IP addresses. Rules can therefore be written by service name without understanding iptables syntax.
Code Example:
Set the default policies and allow SSH before enabling ufw, so a remote session is never cut off by the enable step:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
Allow HTTP and HTTPS:
sudo ufw allow http
sudo ufw allow https
Ping needs no rule: the /etc/ufw/before.rules file that ships with ufw already accepts ICMP echo-request. To block ping, edit that file rather than the rule set. Now enable the firewall:
sudo ufw enable
Check the status of ufw:
sudo ufw status verbose
This lists the active rules and the default policies. ufw rules are persistent across reboots.
Advantages of ufw over iptables:
- Simplified syntax
- Profile-based rules
- Automatic persistence
Disadvantages of ufw compared to CSF:
- Less granular control than iptables or CSF.
- Fewer advanced features like login failure detection and exploit detection.
- Not specifically designed for shared hosting environments.
While ufw is easier to use than managing iptables directly, CSF provides a richer set of features, in particular lfd's automatic blocking of brute-force attempts, which matters most on shared hosting and on any host that exposes SSH, mail or FTP logins to the internet. Understanding the alternatives and their trade-offs is what lets you pick the right tool: ufw for a simple single-purpose host, CSF where you want login failure detection and per-port flood limits without writing them yourself.