Config Server Firewall, also known as CSF, is a free firewall for Linux distributions. Besides basic firewall functionality, it also offers an intrusion detection system (IDS), login and flood detection, and other security features that help keep your server secure.
CSF integrates with popular web control panels such as cPanel, DirectAdmin, and Webmin. The LFD (Login Failure Daemon) also supports the following applications for monitoring login failures: OpenSSH, vsftpd, proftpd, pure-ftpd, Mod_security failures, and many others. In this tutorial, we will show you how to install Config Server Firewall (CSF) on Debian 11.
Prerequisites
- Debian 11 VPS
- SSH root access or a regular system user with sudo privileges
Step 1. Installing dependencies
Before starting the ConfigServer Firewall installation, update your system packages:
sudo apt-get update
After the packages are updated, you need to install the required dependencies before continuing with the installation.
sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl
Step 2. Download and install CSF
With all the necessary prerequisites installed, you can proceed with the installation.
The Config Server Firewall (CSF) package is not present in the Debian 11 repository, so you need to download it from the official site.
Now go ahead and extract the downloaded package.
sudo tar -xvzf csf.tgz
You can now navigate to the CSF directory and start the ConfigServer Firewall installation.
cd csf
sudo sh install.sh
Step 3. Start and enable CSF
Once the installation has finished, you can start CSF with the following command.
sudo systemctl start csf
To check if everything works fine and if all the iptables modules are loaded, you can run the following command.
If the installation and start-up of CSF were successful, you should receive output similar to this:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
To start CSF on boot, you should run the following command:
sudo systemctl enable csf
You can now check if CSF is active by running the command:
sudo systemctl status csf
When you install CSF, the service is set to Testing mode by default. To disable Testing mode and enable the CSF service, change the value TESTING = 1 to TESTING = 0 in the /etc/csf/csf.conf file.
Step 4. Configuration and CSF management
After editing the /etc/csf/csf.conf file you can apply the changes by running
You can edit the csf.conf file to close or open TCP and UDP ports, for example:
TCP_IN = "22,53"
TCP_OUT = "22,53,80,113,443"
UDP_IN = "53"
UDP_OUT = "53,113,123"
These are the most common ports used on a web server, but if we want to add MySQL remote database access we can add port 3306 to TCP_IN and TCP_OUT like this:
TCP_IN = "22,53,3306"
TCP_OUT = "22,53,80,113,443,3306"
UDP_IN = "53"
UDP_OUT = "53,113,123"
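Before setting TESTING to 0, confirm that the port you use for SSH is listed in TCP_IN, otherwise the firewall will block your own session. The script below is an added example, not part of the original tutorial or of CSF itself; it assumes csf.conf uses KEY = "value" lines, and the function names and the sample config are made up for illustration.

```sh
# Added example: pre-flight check of csf.conf before setting TESTING to 0.
# Assumes csf.conf's KEY = "value" line format; function names are hypothetical.

# Print the last value assigned to KEY ($1) in file ($2).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if port ($1) is in comma-separated list ($2); low:high is a range.
port_in_list() {
    old_ifs=$IFS; IFS=,
    for item in $2; do
        case $item in
            *:*) if [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$item" = "$1" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Return 0 = enforcing and SSH reachable, 1 = still in testing mode,
# 2 = the SSH port ($2) is missing from TCP_IN in the config ($1).
csf_preflight() {
    testing=$(csf_get TESTING "$1")
    tcp_in=$(csf_get TCP_IN "$1")
    if ! port_in_list "$2" "$tcp_in"; then
        echo "LOCKOUT RISK: port $2 is not in TCP_IN ($tcp_in)"
        return 2
    fi
    if [ "$testing" != "0" ]; then
        echo "TESTING is '$testing': CSF is still in testing mode"
        return 1
    fi
    echo "OK: TESTING is 0 and port $2 is allowed inbound"
}

# Constructed sample config (not from a real server): sshd was moved to
# port 2222, but TCP_IN still lists only the tutorial's ports.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "0"
TCP_IN = "22,53,3306"
EOF
csf_preflight "$sample" 2222 || true
rm -f "$sample"
```

On a server, point it at the real file and your actual SSH port, for example csf_preflight /etc/csf/csf.conf 22.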
To block certain IP addresses or IP subnets, add them to the /etc/csf/csf.deny file, one IP address or subnet per line.
The same goes for allowed IP addresses in /etc/csf/csf.allow. The IP addresses found in this file take priority over the ones in the csf.deny file: you can have the same IP in both csf.deny and csf.allow, and the IP address will still be allowed.
Besides the configuration files, you can use the csf command with flags to allow, deny, check, or track IP addresses, and so on. You can see the whole list of options by running csf --help.
csf -a 188.8.131.52 # allow IP address
csf -d 184.108.40.206 # deny IP address
csf -g 220.127.116.11 # check whether IP address is blocked or not
csf -l # list all the iptables rules
That’s it. You have successfully installed ConfigServer Firewall (CSF) on your Debian 11 VPS.