How To Install And Configure CSF On Linux Mint 20.2

To Install And Configure CSF On Linux Mint 20.2

Introduction:

CSF configures the firewall on the server to lock down public access to services and only allow certain connections, including FTP, email, or accessing websites. It is a free and advanced firewall for most linux distributions and linux based vps. in addition to the basic functionality of a firewall – filtering packets – csf includes other security features.

Installation Procedure :

Step 1 : Check the version of the OS

root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Linuxmint
Description:	Linux Mint 20.2
Release:	20.2
Codename:	uma

Step 2 : To get into the source directory use the below command

root@linuxhelp:~# cd /usr/src/

Step 3 : Download the CSF package by using the below command

root@linuxhelp:/usr/src# wget http://download.configserver.com/csf.tgz
--2021-12-28 06:56:32--  http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2282408 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                        100%[====================================================>]   2.18M  10.4MB/s    in 0.2s    

2021-12-28 06:56:32 (10.4 MB/s) - ‘csf.tgz’ saved [2282408/2282408]

Step 4 : Extract the csf.tgz file by using the below command

root@linuxhelp:/usr/src# tar -xzf csf.tgz

Step 5 : To get into the CSF directory use the below command

root@linuxhelp:/usr/src# cd csf

Step 6 : Install the CSF by using the sh command

root@linuxhelp:/usr/src/csf# sh install.sh

Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
'messenger/index.php' -> '/etc/csf/./messenger/index.php'
'messenger/index.recaptcha.html' -> '/etc/csf/./messenger/index.recaptcha.html'
'messenger/index.recaptcha.php' -> '/etc/csf/./messenger/index.recaptcha.php'
'messenger/index.text' -> '/etc/csf/./messenger/index.text'
'ui' -> '/etc/csf/./ui'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

Step 7 : Edit the csf.conf configuration file by using the below command

root@linuxhelp:/usr/src/csf# nano csf.conf
#Testing flag - enables a CRON job that clears iptables incase of
 configuration problems when you start csf. This should be enabled until you
 are sure that the firewall works - i.e. incase you get locked out of your
 server! Then do remember to set it to 0 and restart csf when you're sure
 everything is OK. Stopping csf will remove the line from /etc/crontab

#lfd will not start while this is enabled
TESTING = "0"

#The interval for the crontab in minutes. Since this uses the system clock the
#CRON job will run at the interval past the hour and not from when you issue
#the start command. Therefore an interval of 5 minutes means the firewall
#will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

Step 8 : Start the CSF service by using the below command

root@linuxhelp:/usr/src/csf# systemctl start csf

Step 9 : Check the status of the CSF sevice by using the below command

root@linuxhelp:/usr/src/csf# systemctl status csf 
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2021-12-28 06:58:12 IST; 10min ago
    Process: 4587 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
   Main PID: 4587 (code=exited, status=0/SUCCESS)

Step 10 : Reload the CSF service by using the below command

root@linuxhelp:/usr/src/csf# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 11 : Allow the IP Address in the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -a 192.168.6.119
Adding 192.168.6.119 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.6.119  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.119

Step 12 : Check the csf.allow file by using the below command

root@linuxhelp:/usr/src/csf# nano /etc/csf/csf.allow

Step 13 : Remove the IP from allowing configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -ar 192.168.6.119
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.6.119  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.119

Step 14 : Deny the IP on CSF configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -d 192.168.6.125
Adding 192.168.6.125 to csf.deny only while in TESTING mode (not iptables DROP)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Step 15 : check whether the IP is added or not by using the below command

root@linuxhelp:/usr/src/csf# nano /etc/csf/csf.deny

Step 16 : Remove the deny IP configuration in the csf.deny by using the below command

root@linuxhelp:/usr/src/csf# csf -dr 192.168.6.125
Removing rule...
DROP  all opt -- in !lo out *  192.168.6.125 -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.125

Step 17 : Disable the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -x
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'

Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  

Dec 28 07:16:28 linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Dec 28 07:16:29 linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

Step 18 : Enable the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level

Step 19 : Flush the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -f
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'

Step 20: check the IPv4 configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -l
iptables filter table
=====================
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

==================
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

With this the installation and configuration of CSF on Linux Mint 20.2 Comes to an end.

Tag : CSF (ConfigServer Security & Firewall) Linux Linux Mint
FAQ
Q
How will we check the IPV4 Configuration?
A
We can check the IPV4 configuration by running the command csf -l command.
Q
How will you delete the IP address from the allowed configuration file ?
A
The IP address from the allowed configuration file has been deleted by csf -da (IP) command.
Q
How will you start the CSF service?
A
We will start the CSF service by using the csf -s command.
Q
How can we install the CSF?
A
We can install the CSF by using the sh install.sh command.
Q
How do we download CSF?
A
We can download CSF by using the wget http://download.configserver.com/csf.tgz command.