Config Server Firewall, or CSF, is a free firewall available for most Linux distributions. It provides the basic functionality of a firewall, packet filtering, and also includes other security abilities such as login, intrusion and flood detection. CSF automatically recognizes most attacks such as port scans, SYN floods, ping of death and port flooding. A full list can be found on ConfigServer's website. CSF is configured to temporarily block clients who are attacking your server.
Note: This guide will only cover IPv4 security. If your server has an IPv6 address, you will need to find a guide for that. One may soon come.
Step 1: Downloading Config Server Firewall.
We can go ahead and start by downloading CSF from their website and unpacking it.

```sh
cd ~                                                      # Change to our home directory.
wget -O csf.tgz http://download.configserver.com/csf.tgz  # Download the archive, saved as csf.tgz so the next command finds it.
tar -xzf csf.tgz                                          # Unpack the archive into ~/csf.
```
Step 2: Installing CSF.
If you’re already using UFW or another firewall configuration script, you should disable it before proceeding.
If you are using iptables, your rules will be nuked by this install script!
```sh
cd ~/csf          # Change to the unpacked script folder.
cat ./install.sh  # Check the contents of the script for mischievous code. None? Okay, continue.
sh ./install.sh   # Start the install script.
```

CSF is now installed. You should now check whether the required iptables modules are available.
If no fatal errors are reported, you're good!
Step 3: Basic Configuration
CSF's configuration file can be found at /etc/csf/csf.conf and can be edited with this command:
All changes can be applied with:
Step 3.1: Configure those ports.
Configure your server to open as few ports as possible: the fewer ports are open, the smaller the attack surface.
These ports are open by default:

```
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
```
Common services running on these ports:
- 20: FTP (data transfer)
- 21: FTP (control)
- 25: SMTP (mail out)
- 110: POP3 (mail import)
- 113: Authentication protocol (ident)
- 123: Network Time Protocol
- 143: IMAP (mail import)
- 587: SMTP submission (outbound mail)
- 993: IMAPS (IMAP over TLS/SSL)
- 995: POP3S (POP3 over TLS/SSL)
It is possible that you are not using all of these services, so you can close the ports that are not used. I would recommend closing all ports (removing the port numbers from the list), and then adding only the ports you need.
Recommended Configurations For Specific Situations:
On Basic Servers

```
TCP_IN = "22,53"
TCP_OUT = "22,53,80,113,443"
UDP_IN = "53"
UDP_OUT = "53,113,123"
```

Apache2 / NGINX Web Servers

```
TCP_IN = "80,443"
```

FTP Servers

```
TCP_IN = "20,21"
TCP_OUT = "20,21"
UDP_IN = "20,21"
UDP_OUT = "20,21"
```

Mail Servers

```
TCP_IN = "25,110,143,587,993,995"
TCP_OUT = "25,110"
```

MySQL For Remote Access

```
TCP_IN = "3306"
TCP_OUT = "3306"
```

Of course these configs can be merged to suit your needs.
You can find a comprehensive list of TCP and UDP ports on Wikipedia.
Note: If you are using IPv6 for your services, you should also configure TCP6_IN, TCP6_OUT, UDP6_IN and UDP6_OUT in the same way the IPv4 ports were configured.
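As an added example (not part of the original guide or the CSF project), the following POSIX shell script compares the TCP ports a host is actually listening on with the TCP_IN list in csf.conf, which is the check you want when closing everything and then opening only what you need. The csf.conf fragment and the `ss -tln` output are constructed samples; on a real host you would feed it `/etc/csf/csf.conf` and a saved `ss -tln` listing.

```shell
#!/bin/sh
# Added example, not from the CSF project: find listening TCP ports that are not
# in TCP_IN. Input is csf.conf (or a fragment of it) and saved `ss -tln` output.

# tcp_in_ports: print the TCP_IN list of a csf.conf file, one port per line.
tcp_in_ports() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | sed '/^$/d'
}

# listening_ports: parse `ss -tln` output on stdin and print each listening port once.
# Sockets bound to loopback are skipped: they are unreachable from outside anyway
# and should not be opened in TCP_IN.
listening_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\]:)/ {
             n = split($4, a, ":"); print a[n]
         }' | sort -u
}

# unlisted_ports: listening ports (from $2) missing from TCP_IN (in $1). CSF drops
# inbound packets to these, so each one is either a service to add or one to shut down.
unlisted_ports() {
    allowed=$(mktemp)
    tcp_in_ports "$1" > "$allowed"
    listening_ports < "$2" | grep -vxF -f "$allowed" || true
    rm -f "$allowed"
}

# run_demo: constructed sample data; prints the ports an admin still has to decide on.
run_demo() {
    conf=$(mktemp); ssout=$(mktemp)
    printf '%s\n' 'TESTING = "0"' 'TCP_IN = "22,80,443"' > "$conf"
    cat > "$ssout" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
EOF
    unlisted_ports "$conf" "$ssout"
    rm -f "$conf" "$ssout"
}

run_demo   # prints 3306 and 8080; 6379 is loopback-only and ignored
```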
Config Server Firewall offers a vast number of different options in its configuration files. The most commonly used settings are shown below.
ICMP_IN: Setting this value to 1 lets your server respond to ping requests; setting it to 0 refuses them. It is recommended to keep this enabled, as refusing pings would likely break monitoring services that check the uptime of your services.
ICMP_IN_LIMIT: This value defaults to 1 per second. It sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time.
DENY_IP_LIMIT: Sets the number of blocked IP addresses CSF keeps track of. It is recommended to limit the number of denied IP addresses, as having too many blocks may slow down the server.
PACKET_FILTER: Filters invalid, unwanted and illegal packets.
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST: These offer protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable it only if you know that your server is under attack.
CONNLIMIT: Limits the number of concurrent active connections on a port.
This configuration would allow 5 concurrent connections on port 22 and 20 concurrent connections on port 443.
PORTFLOOD: Limits the number of new connections that can be made to specific ports per time interval.
This would block the IP address if more than 5 connections are established on port 22 using the TCP protocol within 250 seconds. The block is removed once 250 seconds have passed since the last packet sent by the client to this port. You may add more ports by separating the entries with commas.
Step 3.3: More settings
CSF offers a wide range of settings which are not covered in this tutorial. The default values are generally good, and can be used on almost any server. The default settings are configured to prevent most flood attacks, port scans and unauthorized access attempts.
If you would, however, like to adjust the configuration in more detail, please read the comments in /etc/csf/csf.conf and edit them as you like.
Step 4: Apply Your Changes
Once you are ready with the configuration, close the file by pressing Ctrl + X. When you are asked whether to save the changes or not, press Y to save the changes.
After this, you should apply the changes by restarting CSF with the command:
If everything is okay, you can disable testing mode by changing TESTING at the beginning of the configuration to 0 as shown below, then reload CSF:

```
TESTING = "0"
```

```sh
csf -r  # Reload the configuration
```
Step 4.?: Blocking and Allowing IP Addresses
Blocking IP addresses
If you would like to block an IP address or range, open /etc/csf/csf.deny.
Each blocked IP address or range takes one line in the csf.deny file. IP ranges are represented using CIDR notation. If you would like to block the IP address 18.104.22.168 as well as the IP range `2.3.*.*` (in CIDR notation, `2.3.0.0/16`), you should add the following lines to the file:
Allowing IP addresses
If you would like an IP address or range to be excluded from all blocks and filters, you may add them to csf.allow file. Please note that allowed IP addresses are allowed even if they are explicitly blocked in csf.deny file.
Allowing IP addresses works similarly to blocking them. The only difference is that you should edit /etc/csf/csf.allow instead of csf.deny.
Ignoring IP addresses
CSF also offers the ability to exclude IP addresses from the firewall filters. IP addresses in csf.ignore bypass the firewall filters, and can only be blocked if listed in the csf.deny file.
For the changes to take effect, you should restart CSF after editing any of the files described above with the command:
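As an added example (not part of the original guide or the CSF project), this POSIX shell script validates entries before they are written to a csf.deny-style file and reports addresses that appear in both csf.allow and csf.deny, since, as described above, an allowed address stays allowed even when it is also listed in csf.deny. The sample allow and deny files are constructed and use documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example, not from the CSF project: sanity-check csf.allow / csf.deny entries.
# Entries are one address or CIDR range per line, optionally followed by "# comment".

# valid_ipv4_entry: accept a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# deny_entry: append a validated address plus an audit comment to a csf.deny-style
# file ($3); malformed input is rejected instead of being written to the file.
deny_entry() {
    valid_ipv4_entry "$1" || { echo "rejected: $1" >&2; return 1; }
    printf '%s # %s\n' "$1" "$2" >> "$3"
}

# entries: the address column of a csf.allow/csf.deny file, comments and blanks dropped.
entries() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }' | sort -u
}

# allow_deny_conflicts: addresses present in both files. csf.allow wins, so every
# line printed here is a block that is not actually in effect. Only exact textual
# matches are found; a /16 in csf.deny does not match a single host in csf.allow.
allow_deny_conflicts() {
    a=$(mktemp); d=$(mktemp)
    entries "$1" > "$a"; entries "$2" > "$d"
    comm -12 "$a" "$d"
    rm -f "$a" "$d"
}

# run_demo: constructed sample files (documentation addresses, not real hosts).
run_demo() {
    allow=$(mktemp); deny=$(mktemp)
    printf '%s\n' '10.0.0.5 # office VPN' '198.51.100.7 # monitoring' > "$allow"
    deny_entry 198.51.100.7 'ssh brute force' "$deny"
    deny_entry 203.0.113.0/24 'scanner range' "$deny"
    deny_entry 999.1.1.1 'typo, must be rejected' "$deny" 2>/dev/null || true
    allow_deny_conflicts "$allow" "$deny"
    rm -f "$allow" "$deny"
}

run_demo   # prints 198.51.100.7: denied, but still allowed via csf.allow
```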