How to Install and Configure CSF Firewall on Debian 11

Disclosure: This post may contain affiliate links, which means we may receive a commission if you click a link and purchase something that we recommended.

Pinterest LinkedIn Tumblr

Install and configure CSF (Config Server Firewall) and secure your Debian 11.

CSF is a popular security tool for Linux to secure the server with stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration.

In this guide you are going to learn how to install and setup CSF and also the essential commands to use the firewall on Debian 11

Initial Setup

Update server packages to latest.

sudo apt update
sudo apt dist-upgrade -y

If you are already using UFW which is a a basic firewall, remove UFW using the below command.

sudo apt remove ufw

Install Dependencies

Install the required dependencies that are used by CSF.

sudo apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

Install Sendmail which is used by CSF for communication.

You can refer this documentation for detailed setup of Sendmail.

sudo apt install sendmail-bin

Now you have all dependencies to install and configure CSF.

Install CSF

Navigate to /usr/src directory.

Download the latest package using wget.

sudo wget

Extract the downloaded package.

sudo tar -xzvf csf.tgz

Now install CSF.

cd csf
sudo sh

Now you will receive an output as below which indicates the successful installation.

Installation Completed

Verify if the required iptables modules are present.

sudo perl /usr/local/csf/bin/

You will receive an output similar to the one below.

Testing ip_tables/iptable_filter…OK
Testing ipt_LOG…OK
Testing ipt_multiport/xt_multiport…OK
Testing ipt_REJECT…OK
Testing ipt_state/xt_state…OK
Testing ipt_limit/xt_limit…OK
Testing ipt_recent…OK
Testing xt_connlimit…OK
Testing ipt_owner/xt_owner…OK
Testing iptable_nat/ipt_REDIRECT…OK
Testing iptable_nat/ipt_DNAT…OK
RESULT: csf should function on this server

You can check the CSF version using the following command.

sudo csf -v

csf: v14.15 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Configure CSF

Once the firewall is installed it is configured to run in TESTING mode by default.

To disable TESTING mode you need to make changes to the /etc/csf/csf.conf file.

sudo nano /etc/csf/csf.conf

Locate the line TESTING = “1”, and change the value to “0”.


Locate the line RESTRICT_SYSLOG = “0”, and change the value to “3”. This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.


Hit CTRL+X followed by Y and ENTER to save and exit the file.

Reload CSF.

csf -ra

Additional Configuration

To allow additional ports connections.

Edit /etc/csf/csf.conf

Locate the TCP_IN directive and add your ports.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

I have added the MYSQL port to connect to a remote server.

Restart CSF after each change.

sudo csf -ra

Essential Commands to Manage CSF

Start CSF

sudo csf -s

Stop CSF

sudo csf -f

Restart CSF

You must restart CSF each time the configuration file changes.

sudo csf -ra

Allow IP address

Use the -a option to allow IP address.

sudo csf -a

Deny IP address

Use the -d option to allow IP address.

sudo csf -d

Remove IP from allow list

sudo csf -ar

Remove IP from deny list

sudo csf -dr

Check if IP is blocked

sudo csf -g IP-ADDRESS

Remove IP from block

sudo css -tr IP-ADDRESS

Allow IP lists

Add your IPs listed on a separate line in the allow file /etc/csf/csf.allow.

Deny IP lists

Add your IPs listed on a separate line in the allow file /etc/csf/csf.deny.


Now you have learned how to secure your server by installing and configuring CSF in Debian 11.

Thanks for your time. If you face any problem or any feedback, please leave a comment below.

Write A Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.