How to Install ConfigServer Security & Firewall (CSF) on Ubuntu

ConfigServer Security & Firewall (CSF) is a stateful packet inspection (SPI) firewall and front-end manager for iptables. CSF is a more advanced alternative to APF and has integrations for Vesta Control Panel, Webmin, and more.

Below we cover how to install CSF on Ubuntu and complete basic tasks such as manage ports, configure Login Failure Daemon (lfd), and whitelist IPs.

If you need help at any time, contact our Managed Hosting team.

Install CSF

  1. Download the latest CSF file: wget http://download.configserver.com/csf.tgz
  2. Extract the archive: tar -xzf csf.tgz
  3. Navigate to the new directory: cd csf
  4. Start the installation script: sh install.sh
  5. Test the status of required iptables modules: perl /usr/local/csf/bin/csftest.pl

Basic CSF Tasks

Below are some common tasks to consider post-installation.

Open and Close Ports

  1. Edit your CSF configuration file: nano +137 /etc/csf/csf.conf takes you directly to the port settings
  2. Add or remove ports from TCP_IN (incoming TCP – most commonly used), TCP_OUT (outgoing TCP), UDP_IN (incoming UDP), and UDP_OUT (outgoing UDP) as needed

If installing CSF on a cPanel server, you’ll want to whitelist the following in TCP_IN: “20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,30000:35000”.

lfd for Brute-force Protection

Login Failure Daemon (lfd) scans log files every X seconds to protect against brute-force login attacks. You can use DENY_IP_LIMIT to set how many blocked IP addresses are tracked at once.

  1. Edit your CSF configuration file: nano +1880 /etc/csf/csf.conf
  2. Make your changes (We recommend 15000 for dedicated servers and 1000 for VPSs containers)
  3. Save changes
  4. Apply changes: csf -r

Whitelist IPs

This whitelists IPs through iptables:

nano /etc/csf/csf.allow

The format is tcp/udp | in/out | s[ource]/d[estination]=port | u[ID]/g[ID]. For example, to allow inbound connections to MySQL on port 3306 from 1.2.3.4:

tcp|in|d=3306|s=1.2.3.4

TCP and IN are used as default if protocol (TCP/UDP) and connection direction (in or out) is excluded from a rule.

IPs listed here can still be blocked by lfd. To protect an IP from being blocked, edit the ignore list:

nano /etc/csf/csf.ignore

To allow outbound TCP connections to port 22 on IP 1.2.3.4:

out|d=22|d=1.2.3.4

Pay only for what you need on your preferred Linux OS with our scalable Cloud Servers.

Was this article helpful? Let us know!