In this article, we explain the steps needed to configure the CSF firewall on Debian 10. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.
Config Server Firewall (CSF) is an open-source firewall that can be used on most Linux-based operating systems to protect servers against unauthenticated users. CSF continuously monitors the server's log files and sends notifications about login authentication failures for SSH, SMTP, HTTP, IMAP, POP3, FTP, and many other protocols. It also lets you manually block and unblock specific IP addresses, temporarily or permanently.
Configure Firewall CSF on Debian 10
Step 1. Update the package lists and upgrade the installed packages so that you get the latest versions and dependencies.
sudo apt update
sudo apt upgrade
Step 2. Install CSF Firewall.
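First, download the latest version of the CSF source from the official website. The URL below is plain HTTP, so nothing authenticates the archive in transit; review the extracted files before running the installer. You can download and unpack it with the following commands:
cd /tmp
wget http://download.configserver.com/csf.tgz
tar xzf csf.tgz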
Run the CSF installation script from the directory the archive was extracted into:
cd /tmp/csf
sudo sh install.sh
Step 3. Test iptables modules.
Run the csftest.pl Perl script to verify that all the required iptables modules are installed on your system:
sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Step 4. Configure CSF.
The default CSF configuration file is located in the /etc/csf directory. You can set the required parameters for CSF by editing it with the following command:
sudo nano /etc/csf/csf.conf
# For a testing environment the value should be TESTING = "1"; for a production environment it should be TESTING = "0".
TESTING = "0"
# Restrict access to the syslog/rsyslog unix socket(s)
RESTRICT_SYSLOG = "3"
# Allow incoming TCP ports (keep only the ports of services this server actually runs)
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
Save and close the file when you are finished. Then restart the CSF firewall and enable it at boot with the following commands:
sudo systemctl restart csf
sudo systemctl enable csf
Step 5. Configure CSF Web Interface.
In this step, we will show you how to enable the CSF Web User Interface. This step is optional and should be used only if you don't use a control panel that supports the CSF UI (e.g. WHM/cPanel, DirectAdmin, Webmin, etc.). Start by installing the required Perl modules:
sudo apt install libio-socket-ssl-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libcrypt-ssleay-perl
After installing all the modules, you will need to enable the CSF web UI in the configuration file:
sudo nano /etc/csf/csf.conf
RESTRICT_UI = "1"
UI = "1"
UI_PORT = "8080"
UI_IP = ""
UI_USER = "ngadimin"
# Placeholder: set your own long, unique password here
UI_PASS = "<your-strong-password>"
# For security reasons, you should always keep this option low (i.e. 0-10)
UI_RETRY = "5"
# This option will add the connecting IP address to the file /etc/csf/ui/ui.ban after UI_RETRY login failures.
UI_BAN = "1"
# Only IPs (or CIDRs) listed in the file /etc/csf/ui/ui.allow will be allowed to log in to the UI.
Then allow your IP address to access the UI by editing the following file:
sudo nano /etc/csf/ui/ui.allow
Add the following line:
192.168.0.10
Save and close the file. Then restart the LFD service to apply these changes:
sudo service lfd restart
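The sketch below is an added example, not part of the original tutorial or of CSF itself: it reads the options edited in Steps 4 and 5 and reports the ones worth a second look before the server goes into production. The function names, the 12-character password minimum and the list of cleartext-login ports are assumptions of this example, and the sample configuration is constructed from the values shown above.

```bash
#!/usr/bin/env bash
# Added example, not part of CSF: review the csf.conf options set in this tutorial.

# csf_get FILE KEY -> value of the last KEY = "value" line (empty if unset)
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_audit FILE -> one finding per line on stdout, nothing when all checks pass
csf_audit() {
    local conf="$1" port pass retry tcp_in
    [ "$(csf_get "$conf" TESTING)" = "0" ] || echo "TESTING: not 0, firewall is still in test mode"
    # Assumed review list: FTP, POP3 and IMAP logins travel in clear text
    tcp_in=",$(csf_get "$conf" TCP_IN),"
    for port in 21 110 143; do
        case $tcp_in in
            *",$port,"*) echo "TCP_IN: cleartext-login port $port is open" ;;
        esac
    done
    # The remaining checks only apply when the web UI is enabled
    [ "$(csf_get "$conf" UI)" = "1" ] || return 0
    [ -n "$(csf_get "$conf" UI_IP)" ] || echo "UI_IP: empty, so the UI binds to every address"
    pass=$(csf_get "$conf" UI_PASS)
    # 12 characters is this example's assumed minimum, not a CSF rule
    [ "${#pass}" -ge 12 ] || echo "UI_PASS: shorter than 12 characters"
    retry=$(csf_get "$conf" UI_RETRY)
    case $retry in
        ''|*[!0-9]*) echo "UI_RETRY: missing or not a number" ;;
        *) [ "$retry" -le 10 ] || echo "UI_RETRY: $retry is above the 0-10 range" ;;
    esac
    [ "$(csf_get "$conf" UI_BAN)" = "1" ] || echo "UI_BAN: repeated login failures are not banned"
}

# Constructed sample that mirrors the values shown in Steps 4 and 5
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UI = "1"
UI_IP = ""
UI_PASS = "changeme"
UI_RETRY = "5"
UI_BAN = "1"
EOF
csf_audit "$sample"
```

To check a live installation, run `sudo bash -c` with the functions loaded and pass /etc/csf/csf.conf instead of the sample file, since the real configuration is readable only by root.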
Step 6. Access CSF UI.
Now, open your web browser and type the URL http://192.168.0.10:8080.
Congratulations, you have learned how to install and configure the CSF firewall on Debian 10 Buster. If you have any questions, please leave a comment below.