How to Install Config Server Firewall (CSF) on Debian 11

CSF, also known as "Config Server Firewall", is a free and advanced firewall for Linux systems. It comes with advanced security features such as intrusion, flood, and login detection. It is designed to defend against many attacks, such as port scans, SYN floods, and login brute-force attacks. It also provides integration with cPanel, DirectAdmin, and Webmin.

Prerequisites

  • A server running Debian 11.

  • A root password is configured on the server.

Getting Started

Before starting, it is recommended to update your system packages to the latest version. You can do it using the following command:

apt-get update -y

Once all the packages are updated, install other required dependencies using the following command:

apt-get install sendmail dnsutils unzip libio-socket-ssl-perl libcrypt-ssleay-perl git perl iptables libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl -y

Install CSF on Debian 11

The CSF package is not included in the default Debian 11 repository. You will need to download it from its official website.

You can download the latest version of CSF with the following command:

wget http://download.configserver.com/csf.tgz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf csf.tgz

Next, change to the csf directory and run the install.sh script to install CSF on your server.

cd csf
bash install.sh

Once the CSF has been installed, you should get the following output:

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
*WARNING* URLGET set to use LWP but perl module is not installed, fallback to using CURL/WGET
Adding 106.222.22.32 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
'lfd.service' -> '/usr/lib/systemd/system/lfd.service'
'csf.service' -> '/usr/lib/systemd/system/csf.service'
Created symlink /etc/systemd/system/multi-user.target.wants/csf.service → /lib/systemd/system/csf.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lfd.service → /lib/systemd/system/lfd.service.
Failed to disable unit: Unit file firewalld.service does not exist.
Failed to stop firewalld.service: Unit firewalld.service not loaded.
Unit firewalld.service does not exist, proceeding anyway.
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

After the installation, verify the required iptables modules for CSF using the following command:

perl /usr/local/csf/bin/csftest.pl

If everything is fine, you should get the following output:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Configure CSF

Next, you will need to configure CSF based on your requirements. You can configure it by editing the /etc/csf/csf.conf file.

nano /etc/csf/csf.conf

First, find the line TESTING = "1", and change the value to "0" to enable the CSF:

TESTING = "0"

Next, find the line RESTRICT_SYSLOG = "0" and change the value to "3" so that only members of the RESTRICT_SYSLOG_GROUP can access the syslog/rsyslog files:

RESTRICT_SYSLOG = "3"

Add your required incoming TCP open ports in the following line:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Add your required outgoing TCP ports in the following line:

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

Add your required incoming UDP open ports in the following line:

# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"

Add your required outgoing UDP ports in the following line:

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"

Save and close the file, then reload the CSF firewall to apply the changes:

csf -r
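
The settings changed above can be checked with a short script. This is an added example, not part of the original guide or of CSF itself: the function names (csf_get, csf_extra_ports, csf_audit), the sample configuration and the "needed ports" list are assumptions made for illustration. It flags a configuration still in TESTING mode, a RESTRICT_SYSLOG value other than 3, and any TCP_IN port that is not on the list of services the server actually offers.

```bash
#!/usr/bin/env bash
# Added example: audit the csf.conf settings this guide changes.
# Function names and the "needed ports" list are hypothetical.

# Print the quoted value of KEY from a file of KEY = "value" lines.
csf_get() {  # usage: csf_get KEY FILE
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print ports listed in KEY that are absent from the space-separated NEEDED list.
csf_extra_ports() {  # usage: csf_extra_ports KEY FILE "22 80 443"
    local port
    for port in $(csf_get "$1" "$2" | tr ',' ' '); do
        case " $3 " in
            *" $port "*) ;;                 # port is expected
            *) printf '%s\n' "$port" ;;     # port is open but not needed
        esac
    done
}

# Print one finding per line; return non-zero if anything was found.
csf_audit() {  # usage: csf_audit FILE "needed tcp ports"
    local conf=$1 needed=$2 findings=0 extra
    if [ "$(csf_get TESTING "$conf")" != "0" ]; then
        echo "TESTING is not 0: lfd will not run"; findings=1
    fi
    if [ "$(csf_get RESTRICT_SYSLOG "$conf")" != "3" ]; then
        echo "RESTRICT_SYSLOG is not 3"; findings=1
    fi
    extra=$(csf_extra_ports TCP_IN "$conf" "$needed" | paste -sd, -)
    if [ -n "$extra" ]; then
        echo "TCP_IN opens ports not in the needed list: $extra"; findings=1
    fi
    return "$findings"
}

# Constructed sample: a freshly installed configuration with the guide's TCP_IN line.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
TESTING = "1"
RESTRICT_SYSLOG = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
csf_audit "$sample_conf" "22 80 443" || true
```

On a real server, call csf_audit with /etc/csf/csf.conf and the ports of the services you run.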

Basic CSF commands

To start the CSF firewall rules, run the following command:

csf -s

To flush (stop) the CSF firewall rules, run the following command:

csf -f

To list all iptables rules added by CSF, run the following command:

csf -l

To start CSF and enable it to start at system boot, run the following commands:

systemctl start csf
systemctl enable csf

To check the status of the CSF firewall, run the following command:

systemctl status csf

You should get the following output:

● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-09-18 15:42:04 UTC; 11s ago
    Process: 8022 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
   Main PID: 8022 (code=exited, status=0/SUCCESS)
        CPU: 705ms

Sep 18 15:42:04 debian11 csf[8022]: ACCEPT  all opt    in * out lo  ::/0  -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: csf: FASTSTART loading DNS (IPv4)
Sep 18 15:42:04 debian11 csf[8022]: csf: FASTSTART loading DNS (IPv6)
Sep 18 15:42:04 debian11 csf[8022]: LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
Sep 18 15:42:04 debian11 csf[8022]: LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
Sep 18 15:42:04 debian11 systemd[1]: Finished ConfigServer Firewall & Security - csf.

To allow a specific host by IP address, run the following command:

csf -a 192.168.100.10

To deny a specific host by IP address, run the following command:

csf -d 192.168.100.11

To remove an IP from the allow list, run the following command:

csf -ar 192.168.100.10

To remove an IP from the deny list, run the following command:

csf -dr 192.168.100.11

You can add trusted IPs by editing the /etc/csf/csf.allow file:

nano /etc/csf/csf.allow

Add your trusted IPs:

192.168.100.10

You can add untrusted IPs by editing the /etc/csf/csf.deny file:

nano /etc/csf/csf.deny

Add your untrusted IPs:

192.168.100.11

 

Link: https://www.howtoforge.com/how-to-install-config-server-firewall-csf-on-debian-11/