ConfigServer and Security Firewall, abbreviated as CSF, is an open-source and advanced firewall designed for Linux systems. It not only provides the basic functionality of a firewall but also offers a wide array of add-on features such as login/intrusion detection, exploit checks, ping of death protection and so much more.

Additionally, it also provides UI integration for widely-used control panels such as cPanel, Webmin, Vesta CP, CyberPanel, and DirectAdmin. You can find a full list of supported features and operating systems on ConfigServer’s official website.

In this guide, we will walk you through the installation and configuration of the ConfigServer Security & Firewall (CSF) on Debian and Ubuntu.

Step 1: Install CSF Firewall on Debian and Ubuntu

First off, you need to install some dependencies before you get started with installing the CSF firewall. On your terminal, update the package index:

$ sudo apt update

Next, install the dependencies as shown:

$ sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip

With that out of the way, you can now proceed to the next step.

Since CSF is not included in the default Debian and Ubuntu repositories, you need to manually install it. To proceed, download the CSF tarball file which contains all the installation files using the following wget command.

$ wget http://download.configserver.com/csf.tgz

This downloads a compressed file called csf.tgz.

Next, extract the compressed file.

$ tar -xvzf csf.tgz

This creates a folder called csf.

$ ls -l

Next, navigate into the csf folder.

$ cd csf

Then install CSF Firewall by running the installation script shown.

$ sudo bash install.sh

At this point, CSF is installed. However, you need to verify that the required iptables are loaded. To achieve this, run the command:

$ sudo perl /usr/local/csf/bin/csftest.pl

Step 2: Configure CSF Firewall on Debian and Ubuntu

Some additional configuration is needed Next up, we need to modify a few settings to enable CSF. So, head over to the csf.conf configuration file.

$ sudo vi /etc/csf/csf.conf

Edit the TESTING directive from “1” to “0” as indicated below.

TESTING = “0”

Next, you can open TCP and UDP ports by locating the TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT directives.

By default, the following ports are opened.

TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995”

TCP_OUT = “20,21,22,25,53,80,110,113,443,587,993,995”

UDP_IN = “20,21,53,80,443”

UDP_OUT = “20,21,53,113,123”

Chances are that you don’t need all those ports opened, and best server practices demand that you only open the ports you are using. We recommend that you remove all unnecessary ports and leave the ones which are used by the services running on your system.

Once you are done specifying the ports you need, reload CSF as shown.

$ sudo csf -r

To list all the IP table rules defined on the server, run the command:

$ sudo csf -l

You can start and enable the CSF firewall on startup as follows:

$ sudo systemctl start csf

$ sudo systemctl enable csf

Then confirm that indeed the firewall is running:

$ sudo systemctl status csf