Tutorial News Comments FAQ Related Articles

How To Install And Configure CSF On Linux Mint 20.2

To Install And Configure CSF On Linux Mint 20.2

Introduction:

CSF configures the firewall on the server to lock down public access to services and only allow certain connections, including FTP, email, or accessing websites. It is a free and advanced firewall for most linux distributions and linux based vps. in addition to the basic functionality of a firewall – filtering packets – csf includes other security features.

Installation Procedure :

Step 1 : Check the version of the OS

root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Linuxmint
Description:	Linux Mint 20.2
Release:	20.2
Codename:	uma

Step 2 : To get into the source directory use the below command

root@linuxhelp:~# cd /usr/src/

Step 3 : Download the CSF package by using the below command

root@linuxhelp:/usr/src# wget http://download.configserver.com/csf.tgz
--2021-12-28 06:56:32--  http://download.configserver.com/csf.tgz
Resolving download.configserver.com (download.configserver.com)... 94.130.90.175
Connecting to download.configserver.com (download.configserver.com)|94.130.90.175|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2282408 (2.2M) [application/x-gzip]
Saving to: ‘csf.tgz’

csf.tgz                        100%[====================================================>]   2.18M  10.4MB/s    in 0.2s    

2021-12-28 06:56:32 (10.4 MB/s) - ‘csf.tgz’ saved [2282408/2282408]

Step 4 : Extract the csf.tgz file by using the below command

root@linuxhelp:/usr/src# tar -xzf csf.tgz

Step 5 : To get into the CSF directory use the below command

root@linuxhelp:/usr/src# cd csf

Step 6 : Install the CSF by using the sh command

root@linuxhelp:/usr/src/csf# sh install.sh

Selecting installer...

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

mkdir: created directory '/etc/csf'
'install.txt' -> '/etc/csf/install.txt'
'messenger/index.php' -> '/etc/csf/./messenger/index.php'
'messenger/index.recaptcha.html' -> '/etc/csf/./messenger/index.recaptcha.html'
'messenger/index.recaptcha.php' -> '/etc/csf/./messenger/index.recaptcha.php'
'messenger/index.text' -> '/etc/csf/./messenger/index.text'
'ui' -> '/etc/csf/./ui'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

Step 7 : Edit the csf.conf configuration file by using the below command

root@linuxhelp:/usr/src/csf# nano csf.conf
#Testing flag - enables a CRON job that clears iptables incase of
 configuration problems when you start csf. This should be enabled until you
 are sure that the firewall works - i.e. incase you get locked out of your
 server! Then do remember to set it to 0 and restart csf when you're sure
 everything is OK. Stopping csf will remove the line from /etc/crontab

#lfd will not start while this is enabled
TESTING = "0"

#The interval for the crontab in minutes. Since this uses the system clock the
#CRON job will run at the interval past the hour and not from when you issue
#the start command. Therefore an interval of 5 minutes means the firewall
#will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

Step 8 : Start the CSF service by using the below command

root@linuxhelp:/usr/src/csf# systemctl start csf

Step 9 : Check the status of the CSF sevice by using the below command

root@linuxhelp:/usr/src/csf# systemctl status csf 
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
     Active: active (exited) since Tue 2021-12-28 06:58:12 IST; 10min ago
    Process: 4587 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
   Main PID: 4587 (code=exited, status=0/SUCCESS)

Step 10 : Reload the CSF service by using the below command

root@linuxhelp:/usr/src/csf# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 11 : Allow the IP Address in the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -a 192.168.6.119
Adding 192.168.6.119 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.6.119  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.119

Step 12 : Check the csf.allow file by using the below command

root@linuxhelp:/usr/src/csf# nano /etc/csf/csf.allow

Step 13 : Remove the IP from allowing configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -ar 192.168.6.119
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.6.119  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.119

Step 14 : Deny the IP on CSF configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -d 192.168.6.125
Adding 192.168.6.125 to csf.deny only while in TESTING mode (not iptables DROP)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Step 15 : check whether the IP is added or not by using the below command

root@linuxhelp:/usr/src/csf# nano /etc/csf/csf.deny

Step 16 : Remove the deny IP configuration in the csf.deny by using the below command

root@linuxhelp:/usr/src/csf# csf -dr 192.168.6.125
Removing rule...
DROP  all opt -- in !lo out *  192.168.6.125 -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.125

Step 17 : Disable the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -x
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'

Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
csf: FASTSTART loading DNS (IPv4)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  

Dec 28 07:16:28 linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Dec 28 07:16:29 linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
csf and lfd have been enabled

Step 18 : Enable the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -e
csf: FASTSTART loading DROP no logging (IPv4)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level

Step 19 : Flush the CSF by using the below command

root@linuxhelp:/usr/src/csf# csf -f
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'

Step 20: check the IPv4 configuration by using the below command

root@linuxhelp:/usr/src/csf# csf -l
iptables filter table
=====================
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

==================
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

With this the installation and configuration of CSF on Linux Mint 20.2 Comes to an end.

Tags:

Author:

Comments ( 0 )

No comments available

Add a comment

Frequently asked questions ( 5 )

How do we download CSF?

We can download CSF by using the wget http://download.configserver.com/csf.tgz command.

How can we install the CSF?

We can install the CSF by using the sh install.sh command.

How will you start the CSF service?

We will start the CSF service by using the csf -s command.

How will you delete the IP address from the allowed configuration file ?

The IP address from the allowed configuration file has been deleted by csf -da (IP) command.

How will we check the IPV4 Configuration?

We can check the IPV4 configuration by running the command csf -l command.

Rank

User

Points

Top Contributers

naveelansari

135850

Top Contributers

ayanbhatti

92510

Top Contributers

hamzaahmed

32150

Top Contributers

linuxhelp

31040

Top Contributers

muhammadali

24500

Can you help Sebastian ?

How to change non required to required field in SuiteCRM Custom/Default Modules

How to change not required to the required field in SuiteCRM Custom/Default Modules?