How to Install And Configure CSF Firewall On Debian 11.4
- 00:34 lsb_release -a
- 00:44 apt-get update
- 01:15 apt remove ufw
- 01:27 apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
- 01:52 apt install wget
- 02:07 wget https://download.configserver.com/csf.tgz
- 02:34 tar -xzvf csf.tgz
- 02:47 ls
- 03:03 sh install.sh
- 03:23 perl /usr/local/csf/bin/csftest.pl
- 03:45 vim /etc/csf/csf.conf
- 04:38 sudo csf -v
- 04:46 sudo csf -ra
- 04:59 sudo systemctl start csf
- 05:20 sudo csf -a 192.168.6.130
- 06:06 sudo csf -ar 192.168.6.130
- 06:40 sudo csf -d 192.168.6.130
- 07:22 sudo csf -dr 192.168.6.130
- 07:58 sudo csf -ra
Introduction:
CSF is a popular Linux security tool that includes a stateful packet inspection (SPI) firewall, intrusion detection, a login failure daemon, and DDoS protection.
Installation Steps:
Step 1: Check the Version of Debian Linux by using the below command
root@debian:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Step 2: Update the server package lists by using the below command
root@debian:~# apt-get update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease
Hit:3 http://deb.debian.org/debian bullseye InRelease
Reading package lists... Done
Step 3: Remove the UFW firewall by using the below command
root@debian:~# apt remove ufw
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package 'ufw' is not installed, so not removed
The following packages were automatically installed and are no longer required:
dbconfig-common dbconfig-mysql default-mysql-client galera-4 icc-profiles-free
libaio1 libcgi-fast-perl libcgi-pm-perl libconfig-inifiles-perl libdbd-mariadb-perl
libdbi-perl libfcgi-bin libfcgi-perl libfcgi0ldbl libhtml-template-perl
libjs-bootstrap4 libjs-codemirror libjs-jquery libjs-jquery-mousewheel
libjs-jquery-timepicker libjs-jquery-ui libjs-openlayers libjs-popper.js
libjs-sizzle libjs-sphinxdoc libjs-underscore libmariadb3 libonig5 libopengl0
libterm-readkey-perl libzip4 mariadb-client-10.5 mariadb-client-core-10.5
mariadb-common mariadb-server-10.5 mariadb-server-core-10.5 mysql-common node-jquery
rsync socat
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.
Step 4: Install the CSF dependencies by using the below command
root@debian:~# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
unzip is already the newest version (6.0-26+deb11u1).
unzip set to manually installed.
liblwp-protocol-https-perl is already the newest version (6.10-1).
liblwp-protocol-https-perl set to manually installed.
libwww-perl is already the newest version (6.52-1).
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
zip
0 upgraded, 1 newly installed, 0 to remove and 26 not upgraded.
Need to get 232 kB of archives.
After this operation, 638 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bullseye/main amd64 zip amd64 3.0-12 [232 kB]
Fetched 232 kB in 0s (810 kB/s)
Selecting previously unselected package zip.
(Reading database ... 146878 files and directories currently installed.)
Preparing to unpack .../archives/zip_3.0-12_amd64.deb ...
Unpacking zip (3.0-12) ...
Setting up zip (3.0-12) ...
Processing triggers for man-db (2.9.4-2) ...
Step 5: Install wget by using the below command
root@debian:~# apt install wget
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
wget is already the newest version (1.21-1+deb11u1).
The following packages were automatically installed and are no longer required:
dbconfig-common dbconfig-mysql default-mysql-client galera-4 icc-profiles-free
libaio1 libcgi-fast-perl libcgi-pm-perl libconfig-inifiles-perl libdbd-mariadb-perl
libdbi-perl libfcgi-bin libfcgi-perl libfcgi0ldbl libhtml-template-perl
libjs-bootstrap4 libjs-codemirror libjs-jquery libjs-jquery-mousewheel
libjs-jquery-timepicker libjs-jquery-ui libjs-openlayers libjs-popper.js
libjs-sizzle libjs-sphinxdoc libjs-underscore libmariadb3 libonig5 libopengl0
libterm-readkey-perl libzip4 mariadb-client-10.5 mariadb-client-core-10.5
mariadb-common mariadb-server-10.5 mariadb-server-core-10.5 mysql-common node-jquery
rsync socat
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.
Step 6: Download the latest CSF Packages by using the below command
root@debian:~# wget https://download.configserver.com/csf.tgz
--2023-07-10 08:24:55-- https://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2288477 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’
csf.tgz 100%[=========================>] 2.18M 1.93MB/s in 1.1s
2023-07-10 08:24:57 (1.93 MB/s) - ‘csf.tgz’ saved [2288477/2288477]
Step 7: Extract the downloaded CSF package by using the below command
root@debian:~# tar -xzvf csf.tgz
csf/
csf/csf.uidignore
csf/csf.vesta.conf
csf/csf.vesta.ignore
csf/csfajaxtail.js
csf/csftest.pl
csf/csget.pl
csf/exploitalert.txt
csf/filealert.txt
csf/install.cpanel.sh
csf/install.cwp.sh
csf/install.directadmin.sh
csf/ConfigServer/RegexMain.pm
csf/ConfigServer/Sanity.pm
csf/ConfigServer/Sendmail.pm
csf/ConfigServer/ServerCheck.pm
csf/ConfigServer/ServerStats.pm
csf/ConfigServer/Service.pm
csf/ConfigServer/Slurp.pm
csf/csf/bootstrap/fonts/glyphicons-halflings-regular.woff2
csf/cyberpanel/configservercsf/
csf/cyberpanel/configservercsf/admin.py
csf/cyberpanel/configservercsf/apps.py
csf/cyberpanel/configservercsf/config
csf/cyberpanel/configservercsf/meta.xml
csf/cyberpanel/configservercsf/migrations/
csf/cyberpanel/configservercsf/migrations/__init__.py
csf/cyberpanel/configservercsf/models.py
csf/cyberpanel/configservercsf/signals.py
csf/cyberpanel/configservercsf/static/
csf/cyberpanel/configservercsf/static/configservercsf/
csf/cyberpanel/configservercsf/templates/
csf/cyberpanel/configservercsf/templates/configservercsf/
csf/cyberpanel/configservercsf/templates/configservercsf/index.html
csf/cyberpanel/configservercsf/templates/configservercsf/menu.html
csf/cyberpanel/configservercsf/tests.py
csf/cyberpanel/configservercsf/urls.py
csf/cyberpanel/configservercsf/views.py
csf/cyberpanel/configservercsf/__init__.py
csf/cyberpanel/cyberpanel.pl
csf/da/
Step 8: List the extracted CSF files (from inside the csf directory) by using the below command
root@debian:~/csf# ls
accounttracking.txt csf.interworx.allow litespeed.https.txt
alert.txt csf.interworx.conf litespeed.http.txt
apache.https.txt csf.interworx.ignore litespeed.main.txt
apache.http.txt csf.interworx.pignore loadalert.txt
apache.main.txt csf.logfiles logalert.txt
apf_stub.pl csf.logignore logfloodalert.txt
auto.cwp.pl csf.mignore messenger
auto.cyberpanel.pl csf.pignore migratedata.sh
csf.cyberpanel.allow install.cpanel.sh ui
csf.cyberpanel.conf install.cwp.sh uialert.txt
csf.cyberpanel.ignore install.cyberpanel.sh uidscan.txt
csf.cyberpanel.pignore install.directadmin.sh uninstall.cwp.sh
csf.deny install.generic.sh uninstall.cyberpanel.sh
csf.directadmin.allow install.interworx.sh uninstall.directadmin.sh
csf.directadmin.conf install.sh uninstall.generic.sh
csf.directadmin.ignore install.txt uninstall.interworx.sh
csf.directadmin.pignore install.vesta.sh uninstall.sh
csf.dirwatch integrityalert.txt uninstall.vesta.sh
csf.div interworx upgrade.txt
csf.dyndns JSON usertracking.txt
csf.fignore lfdcron.directadmin.sh version
csf.generic.allow lfdcron.sh version.txt
csf.generic.conf lfd.logrotate vestacp
csf.generic.ignore lfd.pl watchalert.txt
csf.generic.pignore lfd.service webmin
csf.help lfd.sh webminalert.txt
csf.ignore license.txt x-arf.txt
Step 9: Now install CSF by using the below command
root@debian:~/csf# sh install.sh
Selecting installer...
Running csf generic installer
Installing generic csf and lfd
Check we're running as root
mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
Checking Perl modules...
Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
Configuration modified for Debian/Ubuntu/Gentoo to use legacy iptables/ip6tables
...Perl modules OK
mkdir: cannot create directory ‘/etc/csf’: File exists
mkdir: created directory '/var/lib/csf'
mkdir: created directory '/var/lib/csf/backup'
mkdir: created directory '/var/lib/csf/Geo'
mkdir: created directory '/var/lib/csf/ui'
mkdir: created directory '/var/lib/csf/stats'
mkdir: created directory '/var/lib/csf/lock'
mkdir: created directory '/var/lib/csf/webmin'
mkdir: created directory '/var/lib/csf/zone'
mkdir: created directory '/usr/local/csf'
mkdir: created directory '/usr/local/csf/bin'
'csf.suignore' -> '/etc/csf/./csf.suignore'
'csf.uidignore' -> '/etc/csf/./csf.uidignore'
'csf.mignore' -> '/etc/csf/./csf.mignore'
'csf.sips' -> '/etc/csf/./csf.sips'
'csf.dyndns' -> '/etc/csf/./csf.dyndns'
'csf.syslogusers' -> '/etc/csf/./csf.syslogusers'
'csf.smtpauth' -> '/etc/csf/./csf.smtpauth'
'csf.rblconf' -> '/etc/csf/./csf.rblconf'
'csf.cloudflare' -> '/etc/csf/./csf.cloudflare'
Step 10: Verify the required iptables modules are present by using the below command
root@debian:~/csf# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
Step 11: Check the CSF version by using the below command
root@debian:~/csf# sudo csf -v
csf: v14.18 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Step 12: Configure CSF by editing /etc/csf/csf.conf and setting TESTING to "0" to disable testing mode
root@debian:~/csf# vim /etc/csf/csf.conf
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"
# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
Step 13: Reload CSF by using the below command
root@debian:~/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
DROP all opt in * out * ::/0 -> ::/0
REJECT all opt in * out * ::/0 -> ::/0 reject-with icmp6-port-unreachable
DENYOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
DENYIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ALLOWOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
ALLOWIN all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DENYOUT all opt in * out !lo ::/0 -> ::/0
DENYIN all opt in !lo out * ::/0 -> ::/0
ALLOWOUT all opt in * out !lo ::/0 -> ::/0
ALLOWIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
Step 14: Start the CSF service by using the below command
root@debian:~/csf# systemctl start csf
Step 15: Allow an IP address by using the below command
root@debian:~/csf# csf -a 192.168.6.130
Adding 192.168.6.130 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.130 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.130
root@debian:~/csf# vim /etc/csf/csf.allow
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.6.102 # csf SSH installation/upgrade IP address - Mon Jul 10 08:28:24 2023
192.168.6.130 # Manually allowed: 192.168.6.130 (-) - Mon Jul 10 08:37:08 2023
Step 16: Remove the IP address from the allow list by using the below command
root@debian:~/csf# csf -ar 192.168.6.130
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.130 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.130
root@debian:~/csf# vim /etc/csf/csf.allow
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
192.168.6.102 # csf SSH installation/upgrade IP address - Mon Jul 10 08:28:24 2023
Step 17: Deny the IP address by using the below command
root@debian:~/csf# csf -d 192.168.6.130
Adding 192.168.6.130 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.130 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.130
root@debian:~/csf# vim /etc/csf/csf.deny
###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
192.168.6.130 # Manually denied: 192.168.6.130 (-) - Mon Jul 10 08:44:44 2023
Step 18: Remove the denied IP by using the below command
root@debian:~/csf# csf -dr 192.168.6.130
Removing rule...
DROP all opt -- in !lo out * 192.168.6.130 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.130
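The csf.allow and csf.deny headers shown in Steps 15 to 18 define the entry format: one IP or CIDR per line, domain names ignored, an advanced tcp/udp|in/out|s/d=port|s/d=ip form, and a "do not delete" marker in csf.deny. The following Python audit of those files is an added example, not part of the original article or of CSF itself; parse_entries, audit and the sample contents are hypothetical names and constructed data, and the port pattern is a simplifying assumption.

```python
import ipaddress
import re

# Advanced filter from the file header: tcp/udp|in/out|s/d=port|s/d=ip
# (simplifying assumption: ports are digits separated by commas).
ADVANCED = re.compile(r"^(tcp|udp)\|(in|out)\|[sd]=[\d,]+\|[sd]=(\S+)$")

def parse_entries(text):
    """Parse csf.allow / csf.deny text into (kind, network, raw, comment)."""
    entries = []
    for line in text.splitlines():
        entry, _, comment = (part.strip() for part in line.partition("#"))
        if not entry:
            continue  # blank line or pure comment line
        match = ADVANCED.match(entry)
        address = match.group(3) if match else entry
        try:
            network = ipaddress.ip_network(address, strict=False)
            kind = "advanced" if match else "ip"
        except ValueError:
            network, kind = None, "ignored"  # e.g. a domain name
        entries.append((kind, network, entry, comment))
    return entries

def audit(allow_text, deny_text):
    """Return review findings for one csf.allow / csf.deny pair."""
    allow, deny = parse_entries(allow_text), parse_entries(deny_text)
    findings = []
    for name, entries in (("csf.allow", allow), ("csf.deny", deny)):
        for kind, _, raw, _ in entries:
            if kind == "ignored":
                findings.append(f"{name}: '{raw}' is not an IP/CIDR and will be ignored")
    for _, d_net, d_raw, d_comment in deny:
        if d_net is None:
            continue
        if "do not delete" in d_comment.lower():
            findings.append(f"csf.deny: '{d_raw}' is exempt from DENY_IP_LIMIT")
        for _, a_net, a_raw, _ in allow:
            if a_net is not None and a_net.version == d_net.version and a_net.overlaps(d_net):
                findings.append(f"conflict: '{a_raw}' (allow) overlaps '{d_raw}' (deny)")
    return findings

# Constructed sample content modelled on the files shown above.
SAMPLE_ALLOW = """\
192.168.6.130 # Manually allowed: 192.168.6.130 (-)
admin.example.com # hostname, not an IP address
tcp|in|d=22|s=192.168.6.0/24
"""
SAMPLE_DENY = """\
192.168.6.130 # Manually denied: 192.168.6.130 (-)
10.0.0.0/8 # do not delete
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ALLOW, SAMPLE_DENY)))
```

On a live host, pass the contents of /etc/csf/csf.allow and /etc/csf/csf.deny to audit() after any csf -a or csf -d change and review each finding before reloading.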
Step 19: Reload CSF by using the below command
root@debian:~/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to install and configure CSF Firewall on Debian 11.4. Your feedback is welcome.