In this short tutorial, we will learn how to install and configure Config Server Firewall (CSF) on Debian 11 operating system.
Introduction
If we are looking for a free firewall software which also provide intrusion detection system (IDS) services, then Config Server Firewall or CSF can be the first choice. CSF also can be integrated with popular web Control Panels such as cPanel, Directadmin, and Webmin. By using Login Failure Daemon (LFD) also supports for monitoring login failures: openSSH, vsftpd, proftpd, pure-ftpd, Mod_security failures, and many others.
CSF is a security tool for Linux operating system to secure the server with stateful packet inspection firewall (SPI), intrusion detection (IDS), a login failure daemon (LFD), DDOS protection, and control panel integration. In this tutorial, we will discuss how to install Config Server Firewall (CSF) on Debian 11.
CSF Installation On Debian 11
The CSF installation will be described on several steps, as mentioned below :
1. Installing CSF Firewall
– update the index of available packages
– download and extract CSF package file to your current directory
– install CSF
2. Configuring CSF
The details of installation will be detail discussed below.
1. Installing CSF Firewall
1.1. Remove UFW firewall
In this stage we will remove UFW firewall, which is a a basic firewall on every Linux machines. To remove UFW, we will use following command.
$ sudo apt remove ufw
Output :
ramansah@otodiginet:~$ sudo apt remove ufw
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
fonts-lato libgmp-dev libgmpxx4ldbl libgnutls-dane0 libjs-jquery libunbound8
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
ufw
0 upgraded, 0 newly installed, 1 to remove and 296 not upgraded.
After this operation, 857 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 208166 files and directories currently installed.)
Removing ufw (0.36-7.1) ...
Processing triggers for man-db (2.9.4-2) ...
1.2. Update the index of available packages
Update server packages to the latest, this task will be done by submitting command line :
$ sudo apt update
Output :
ramansah@otodiginet:~$ sudo apt update
[sudo] password for ramansah:
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://ftp.debian.org/debian stretch-backports InRelease
Hit:4 http://deb.debian.org/debian bullseye-updates InRelease
Hit:5 http://deb.debian.org/debian bullseye-backports InRelease
Hit:6 https://deb.nodesource.com/node_16.x bullseye InRelease
Get:7 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Ign:8 https://debian.opennms.org stable InRelease
Hit:9 https://packages.grafana.com/oss/deb stable InRelease
Hit:10 https://downloads.apache.org/cassandra/debian 40x InRelease
Hit:11 https://non-gnu.uvt.nl/debian bullseye InRelease
Ign:12 https://dl.packager.io/srv/deb/opf/openproject/stable/12/debian 11 InRelease
Hit:13 https://packages.grafana.com/oss/deb beta InRelease
Get:14 https://debian.opennms.org stable Release [15.2 kB]
Get:15 https://dl.packager.io/srv/deb/opf/openproject/stable/12/debian 11 Release
Get:16 https://debian.opennms.org stable Release.gpg [224 B]
$ sudo apt dist-upgrade -y
ramansah@otodiginet:~$ sudo apt dist-upgrade -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
fonts-lato libgmp-dev libgmpxx4ldbl libgnutls-dane0 libjs-jquery libunbound8
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
bc cups cups-browsed cups-client cups-common cups-core-drivers cups-daemon cups-filters
cups-filters-core-drivers cups-ipp-utils cups-ppdc cups-server-common libcupsfilters1 libfontembed1
liblouisutdml-bin liblouisutdml-data liblouisutdml9 libopengl0 libpoppler-cpp0v5 libqpdf28
linux-image-5.10.0-19-amd64
1.3.Install Dependencies Applications
In this stage, we will install the required dependencies applications that are used by CSF. We will submit the following command line :
$ sudo apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
Outuput :
ramansah@otodiginet:~$ sudo apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
liblwp-protocol-https-perl is already the newest version (6.10-1).
liblwp-protocol-https-perl set to manually installed.
libwww-perl is already the newest version (6.52-1).
libwww-perl set to manually installed.
perl is already the newest version (5.32.1-4+deb11u2).
zip is already the newest version (3.0-12).
zip set to manually installed.
The following packages were automatically installed and are no longer required:
fonts-lato libgmp-dev libgmpxx4ldbl libgnutls-dane0 libjs-jquery libunbound8
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
unzip
1 upgraded, 0 newly installed, 0 to remove and 295 not upgraded.
Need to get 172 kB of archives.
After this operation, 1,024 B disk space will be freed.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian bullseye/main amd64 unzip amd64 6.0-26+deb11u1 [172 kB]
Fetched 172 kB in 6s (27.8 kB/s)
Reading changelogs... Done
(Reading database ... 208073 files and directories currently installed.)
Preparing to unpack .../unzip_6.0-26+deb11u1_amd64.deb ...
Unpacking unzip (6.0-26+deb11u1) over (6.0-26) ...
Setting up unzip (6.0-26+deb11u1) ...
Processing triggers for mailcap (3.69) ...
Processing triggers for man-db (2.9.4-2) ...
1.4. Download and Extract CSF Package File
At this stage, we will download and extract CSF package file. We will use wget command line to download and tar to extract the CSF source file. We will use /usr/src directory as base CSF installation directory.
$ cd /usr/src
$ sudo wget https://download.configserver.com/csf.tgz
Output :
ramansah@otodiginet:~$ cd /usr/src
ramansah@otodiginet:/usr/src$ sudo wget https://download.configserver.com/csf.tgz
--2022-10-25 06:27:09-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2283647 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[==================================>] 2.18M 304KB/s in 15s
2022-10-25 06:27:25 (153 KB/s) - ‘csf.tgz’ saved [2283647/2283647]
Then we will extract the package file by using command line :
$ ls -ltr *.tgz
$ sudo tar -xzvf csf.tgz
Output :
ramansah@otodiginet:/usr/src$ sudo tar -xzvf csf.tgz
csf/
csf/ConfigServer/
csf/ConfigServer/AbuseIP.pm
csf/ConfigServer/CheckIP.pm
csf/ConfigServer/CloudFlare.pm
csf/ConfigServer/Config.pm
csf/ConfigServer/cseUI.pm
csf/ConfigServer/DisplayResellerUI.pm
csf/ConfigServer/DisplayUI.pm
csf/ConfigServer/GetEthDev.pm
. . .
csf/uninstall.generic.sh
csf/uninstall.interworx.sh
csf/uninstall.sh
csf/uninstall.vesta.sh
csf/upgrade.txt
csf/usertracking.txt
csf/version.txt
csf/watchalert.txt
csf/webminalert.txt
csf/x-arf.txt
1.5 Install CSF on CentOS 8
In this stage, we will install CSF security tools by navigating current directory to /usr/src/csf then submitting command line.
$ sudo sh install.sh
Output :
ramansah@otodiginet:/usr/src/csf$ sudo sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: cannot create directory ‘/etc/csf’: File exists
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
Configuration modified for Debian/Ubuntu/Gentoo to use legacy iptables/ip6tables
...Perl modules OK
. . .
mode of 'auto.generic.pl' changed from 0755 (rwxr-xr-x) to 0700 (rwx------)
'/etc/csf/csf.conf' -> '/var/lib/csf/backup/1666693746_pre_v14_17_upgrade'
No such file or directory at ./auto.generic.pl line 245.
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Unit /etc/systemd/system/firewalld.service is masked, ignoring.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'
Installation Completed
Until this point, we have reached the end of CSF installation. Then we will verify if the required iptables modules are present, by submitting command :
$ sudo perl /usr/local/csf/bin/csftest.pl
Output :
ramansah@otodiginet:/usr/src/csf$ sudo perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Then we will check the CSF version by submitting following command.
$ sudo csf -v
Output :
ramansah@otodiginet:/usr/src/csf$ sudo csf -v
csf: v14.17 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
2. Configuring CSF
By default, when the firewall is installed it is configured to run in TESTING mode. To make firewall runs properly, then we have to disable TESTING mode. For this purpose, we have to modify CSF configuration file which is located at /etc/csf/csf.conf.
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "1"
Change the TESTING = “1” to be “0”.
Then we will restrict the syslog_group, by changing the value of RESTRICT_SYSLOG = “0”, the value to “3”. This means only members of the RESTRICT_SYSLOG_GROUP may access.
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0" --> "3"
to make the latest changes, we will reload the CSF by submitting command line :
$ sudo csf -ra
Output :
ramansah@otodiginet:/usr/src/csf$ sudo csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading Packet Filter (IPv4)
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
INVALID tcp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmptype 8
ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP_OUT (IPv4)
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOGDROPIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-10-25 09:09:31 EDT; 10ms ago
Process: 6777 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 6786 (lfd - starting)
Tasks: 1 (limit: 4623)
Memory: 25.1M
CPU: 259ms
CGroup: /system.slice/lfd.service
└─6786 lfd - starting
Oct 25 09:09:31 otodiginet systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Oct 25 09:09:31 otodiginet systemd[1]: Started ConfigServer Firewall & Security - lfd.
Oct 25 09:09:31 otodiginet groupadd[6792]: group added to /etc/group: name=mysyslog, GID=997
Oct 25 09:09:31 otodiginet groupadd[6792]: group added to /etc/gshadow: name=mysyslog
Oct 25 09:09:31 otodiginet groupadd[6792]: new group: name=mysyslog, GID=997
Oct 25 09:09:31 otodiginet usermod[6798]: add 'mail' to group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6798]: add 'mail' to shadow group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6805]: add 'daemon' to group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6805]: add 'daemon' to shadow group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6812]: add 'smmsp' to group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6812]: add 'smmsp' to shadow group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6819]: add 'messagebus' to group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6819]: add 'messagebus' to shadow group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6826]: add 'root' to group 'mysyslog'
Oct 25 09:09:31 otodiginet usermod[6826]: add 'root' to shadow group 'mysyslog'
Oct 25 09:09:31 otodiginet sendmail[6840]: My unqualified host name (otodiginet) unknown; sleeping for retry
In this step, we have finished installing the CSF. For other uses of CSF, we can look at the CSF manual that has been provided.
Conclusion
We have learnt how to install CSF Config Server Firewall on Debian 11. I hope this tutorial will be helpful.