Install and configure CSF (Config Server Firewall) and secure your Debian 11.
CSF is a popular security tool for Linux to secure the server with stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration.
In this guide you are going to learn how to install and setup CSF and also the essential commands to use the firewall on Debian 11
Initial Setup
Update server packages to latest.
sudo apt update
sudo apt dist-upgrade -y
If you are already using UFW which is a a basic firewall, remove UFW using the below command.
sudo apt remove ufw
Install Dependencies
Install the required dependencies that are used by CSF.
sudo apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
Install Sendmail which is used by CSF for communication.
You can refer this documentation for detailed setup of Sendmail.
sudo apt install sendmail-bin
Now you have all dependencies to install and configure CSF.
Install CSF
Navigate to /usr/src directory.
Download the latest package using wget.
sudo wget https://download.configserver.com/csf.tgz
Extract the downloaded package.
sudo tar -xzvf csf.tgz
Now install CSF.
cd csf
sudo sh install.sh
Now you will receive an output as below which indicates the successful installation.
Installation Completed
Verify if the required iptables modules are present.
sudo perl /usr/local/csf/bin/csftest.pl
You will receive an output similar to the one below.
Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server
You can check the CSF version using the following command.
sudo csf -v
csf: v14.15 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Configure CSF
Once the firewall is installed it is configured to run in TESTING mode by default.
To disable TESTING mode you need to make changes to the /etc/csf/csf.conf file.
sudo nano /etc/csf/csf.conf
Locate the line TESTING = “1”, and change the value to “0”.
TESTING = "0"
Locate the line RESTRICT_SYSLOG = “0”, and change the value to “3”. This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
RESTRICT_SYSLOG = "3"
Hit CTRL+X followed by Y and ENTER to save and exit the file.
Reload CSF.
csf -ra
Additional Configuration
To allow additional ports connections.
Edit /etc/csf/csf.conf
Locate the TCP_IN directive and add your ports.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
I have added the MYSQL port to connect to a remote server.
Restart CSF after each change.
sudo csf -ra
Essential Commands to Manage CSF
Start CSF
sudo csf -s
Stop CSF
sudo csf -f
Restart CSF
You must restart CSF each time the configuration file changes.
sudo csf -ra
Allow IP address
Use the -a option to allow IP address.
sudo csf -a 10.0.2.12
Deny IP address
Use the -d option to allow IP address.
sudo csf -d 10.0.2.12
Remove IP from allow list
sudo csf -ar 10.0.2.12
Remove IP from deny list
sudo csf -dr 10.0.2.12
Check if IP is blocked
sudo csf -g IP-ADDRESS
Remove IP from block
sudo css -tr IP-ADDRESS
Allow IP lists
Add your IPs listed on a separate line in the allow file /etc/csf/csf.allow.
Deny IP lists
Add your IPs listed on a separate line in the allow file /etc/csf/csf.deny.
Conclusion
Now you have learned how to secure your server by installing and configuring CSF in Debian 11.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
