How to Install Config Server Firewall (CSF) on Debian 11

how to install config server firewall on debian 11

Config Server Firewall, also known as CSF, is a free firewall software used on Linux distributions. Except for the basic firewall functionality, it also offers IDS “intrusion detection system” as well as login and flood detection and other security features which help to keep your server secure.

installing config server firewall on debian 11

CSF offers integration with popular web Control Panels such as cPanel, Directadmin, and Webmin. The LFD ( Login Failure Daemon ) also supports the following applications for monitoring login failures: openSSH, vsftpd, proftpd, pure-ftpd, Mod_security failures, and many others. In this tutorial, we will show you how to install Config Server Firewall (CSF) on Debian 11.


  • Debian 11 VPS
  • SSH root access or a regular system user with sudo privileges

Step 1. Installing dependencies

Before starting with the ConfigServer Firewall installation, you should update your system packages

sudo apt-get update

After the packages are updated, you need to install the required dependencies before continuing with the installation.

sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl

Step 2. Download and install CSF

Now you can proceed with the installation after installing all the necessary prerequisites.
The Config Server Firewall (CSF) package is not present in the Debian 11 repository, that’s why you will need to download it from their official site.


Now go ahead and extract the downloaded package.

sudo tar -xvzf csf.tgz

You can now navigate to the CSF directory and start the ConfigServer Firewall installation.

cd csf

Step 3. Start and enable CSF

Once the installation has finished, you can start CSF with the following command.

sudo systemctl start csf

To check if everything works fine and if all the iptables modules are loaded, you can run the following command.

perl /usr/local/csf/bin/

If the installation and start-up of CSF were successful you should receive similar output.

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

To start CSF on boot, you should run the following command:

sudo systemctl enable csf

You can now check if CSF is active by running the command:

sudo systemctl status csf

When you install CSF, the service is set in Testing mode by default, to disable the Testing mode and enable the CSF service you should change the value TESTING = 1 to TESTING = 0 in the /etc/csf/csf.conf file.

Step 4. Configuration and CSF management

After editing the /etc/csf/csf.conf file you can apply the changes by running

Need a fast and easy fix?
✔ Unlimited Managed Support
✔ Supports Your Software
✔ 2 CPU Cores
✔ 2 GB RAM
✔ 50 GB PCIe4 NVMe Disk
✔ 1854 GeekBench Score
✔ Unmetered Data Transfer

Now just $43 .99

csf -r 

You can edit the csf.conf file to close or open TCP and UDP ports, for example:

TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UPD_IN: 53
UPD_OUT: 53,113,123

These are the most common ports used on a web server, but if we want to add MySQL remote database access we can add port 3306 to TCP_IN and TCP_OUT like this:

TCP_IN: 22,53,3306
TCP_OUT: 22,53,80,113,443,3306
UPD_IN: 53
UPD_OUT: 53,113,123

To block certain IP addresses or IP subnets you can add the IPs in the /etc/csf/csf.deny file in one line per IP address or per subnet.

The same goes for allowed IP addresses in /etc/csf/csf.allow, the IP addresses found in this file take priority over the ones in the csf.blok file. You can have the same IP in the csf.block file and csf.allow file and the IP address will be still allowed.

Besides the configuration files, you can use the CSF command along with flags to allow/deny, check IP or track IP addresses, and so on, you can check the whole list of options by running csf –-help.

csf -a # allow IP address
csf -d # deny IP address
csf -g # check whether IP address is blocked or not
csf -l        # list all the iptables rules.

That’s it. You have successfully installed ConfigServer Firewall (CSF) on your Debian 11 VPS. If you are one of our web hosting customers and use our optimized Linux Hosting plans, you don’t have to install ConfigServer Firewall (CSF) on your Debian 11, our expert Linux admins will set up ConfigServer Firewall (CSF) on your VPS, for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post, on how to install ConfigServer Firewall (CSF) on your Debian 11, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

Leave a Comment