How to Configure Firewall CSF on Debian 10

Configure Firewall CSF on Debian 10

In this article, we will have explained the necessary steps to configure Firewall CSF on Debian 10. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.

Config Server Firewall (CSF) is an open source firewall that can be used in most Linux based operating system to protect servers against unauthenticated users. CSF continuously monitor server’s log file and notify SSH, SMTP, HTTP, IMAP, POP3 and FTP login authentication failures and many protocols. Thhis firewall allows you to manually block and unblock specific IP addresses temporary or permanently.

Configure Firewall CSF on Debian 10

Step 1. The first command will update the package lists to ensure you get the latest version and dependencies.

sudo apt update
sudo apt upgrade

Step 2. Install CSF Firewall.

First, download the latest version of CSF source from their official website. You can download it with the following command:

cd /tmp
wget http://download.configserver.com/csf.tgz
tar xzf csf.tgz

Run the CSF Installation Script:

cd /opt/csf
sh install.sh

Step 3. Test iptables modules.

Run the csftest.pl perl script to verify if all the required iptables modules are installed on your system:

perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 4. Configuration CSF.

The default CSF configuration file is located at /etc/csf directory. You can configure the required parameters for CSF with the following command:

nano /etc/csf/csf.conf
#For testing environment the value should be TESTING = "1" and for production environment, the value should be TESTING = "0".
TESTING = "0"
 
#To enable log 
RESTRICT_SYSLOG = "3"
 
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
 
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
 
# Allow incoming UDP ports
UDP_IN = "20,21,53"
 
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list 
UDP_OUT = "20,21,53,113,123"

Save and close the file, when you are finished. Then, start the CSF firewall with the following command:

sudo systemctl restart csf
sudo systemctl enable csf

Step 5. Configure CSF Web Interface.

In this step, we will show you how to enable the CSF Web User Interface. This step is optional and it should be used only if you don’t use a control panel that supports the CSF UI (e.g. WHM/cPanel, DirectAdmin, Webmin, etc.)

apt install libio-socket-ssl-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libcrypt-ssleay-perl

After installing all the modules, you will need to enable CSF web UI:

nano /etc/csf/csf.conf
RESTRICT_UI = "1"
UI = "1"
UI_PORT = "8080"
UI_IP = ""
UI_USER = "ngadimin"
UI_PASS = "[email protected]
# For security reasons, you should always keep this option low (i.e 0-10)
UI_RETRY = "5"
#This option will add the connecting IP address to the file /etc/csf/ui/ui.ban after UI_RETRY login failures.
UI_BAN = "1"
#Only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will be allowed to login to the UI."

Then, allow access to your IP address with the following command:

nano /etc/csf/ui/ui.allow

Add following line:

192.168.0.10

Save and close the file. Then, restart LFD service to apply these changes:

service lfd restart

Step 6. Access CSF UI.

Now, open your web browser and type the URL http://192.168.0.10:8080.

Congratulation, you have learned how to install and configure Firewall CSF on Debian 10 Buster. If you have any question, please leave a comment below.