Install Config Server Firewall CSF on Debian 12

This guide intends to teach you to Install and Use Config Server Firewall (CSF) on Debian 12 Bookworm. CSF is a firewall software that you can use to manage your firewall settings and configuration from a web interface or command line. You can follow the rest of the article to get a complete guide for CSF installation and configuration on Debian 12 Bookworm.

Complete Guide To Install Config Server Firewall CSF on Debian 12

Before you start your CSF configuration, you must have access to your server as a root or non-root user with sudo privileges. For this purpose, you can visit this guide on Initial Server Setup with Debian 12 Bookworm.

Then, follow the steps below to complete this guide.

Important Note: To install the CSF firewall, you must remove UFW if you have it on your server. You can use the command below:

sudo apt remove ufw

Step 1 – Required Packages for CSF Firewall on Debian 12

First, you must install some required packages and dependencies for the CSF installation. You need to run the system update and use the command below to install them:

# sudo apt update
# sudo apt install iptables perl zip unzip libwww-perl libcrypt-ssleay-perl libnet-http-perl libio-socket-ssl-perl ca-certificates

Step 2 – Download ConfigServer Security and Firewall Package on Debian 12

The CSF packages are not available in the default Debian 12 repository. You can download the package from the official site. To do this, use the following wget command:

# cd /usr/src
# sudo wget https://download.configserver.com/csf.tgz

When your download is completed, extract it with the command below:

sudo tar -xvzf csf.tgz

Step 3 – Run CSF Installer Script on Debian 12

Now you must navigate to the CSF directory and run the installer script to install your CSF firewall on Debian 12. To do this, run the following commands:

# cd csf
# sudo sh install.sh
Output
Installation Completed

Then, you need to verify the required iptables modules for CSF are available with the command below:

sudo perl /usr/local/csf/bin/csftest.pl

In your output you will see:

Output
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

You can verify your CSF installation by checking its version:

csf -v 
Output
csf: v14.20 (generic)

Step 4 – CSF Firewall Configuration on Debian 12

The CSF is running in a test mode. So you must disable it. To do this, open the CSF configuration file by using your desired text editor like vi editor or nano editor:

sudo vi /etc/csf/csf.conf

At the file, look for the Testing line and change its value to 0:

TESTING = "0"

When you are done, save and close the file.

To apply the changes, stop and reload the CSF firewall with the command below:

csf -ra

Step 5 – How To Use Config Server Firewall?

At this point, we want to show you how to manage and use the CSF firewall from the Debian 12 Command line. To do this, follow the steps below.

Start CSF Service from Terminal

You can start the CSF service on your server by:

csf -s 

Enable CSF Service from Terminal

You can enable the CSF from the command line by using the command below:

csf -e

Stop CSF Service from Terminal

To stop the CSF service on Debian 12, use the command below:

csf -f

Restart CSF Service from Terminal

To restart the CSF, you can use the command below:

csf -ra 

Note: Remember to restart the CSF firewall every time you make changes to the CSF configuration file.

Allow and Deny an IP address with CSF from Terminal

Also, you can allow or deny an IP address from the CLI with a CSF firewall on Debian 12.

Use the –d option to deny an IP address. For example:

csf -d 192.0.2.123

And use the -a option to allow an IP. For example:

csf -a 192.0.2.123

Remove an IP address with CSF from Terminal

To remove IP from the allow list, you can use the following command:

csf -ar 192.0.2.123

Also, to remove IP from the deny list, you can run the command below:

csf -dr 192.0.2.123

Allow Incoming and Outgoing Port with CSF from Terminal

To allow an incoming or outgoing port, you can edit the CSF configuration file on Debian 12.

sudo vi /etc/csf/csf.conf

Locate the lines below and add or remove your desired ports:

# Allow incoming TCP ports
TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077”

# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”

When you are done, save and close the file.

Restart CSF for the changes to take effect.

csf -ra

Step 6 – Most Useful CSF Firewall Commands

At this point, we provide a list for you that includes the most useful and common CSF commands you can use from the command-line interface.

CSF CommandsUsage
csf -e enable CSF service
csf -xdisable CSF service
csf -sstart CSF firewall rules
csf -fflush or stop CSF service
csf -rrestart firewall rules
csf -a [ip] [Optional comment]Allow an IP and add to /etc/csf/csf.allow
csf -td [ip] [Optional comment]Place an IP on the temporary deny list in /var/lib/csf/csf.tempban
csf -tr [ip]Remove an IP from the temporary IP ban or allow list.
csf -tfFlush all IPs from the temporary IP entries
csf -d [ip] [Optional comment]Deny an IP and add to /etc/csf/csf.deny
csf -dr [ip]Unblock an IP and remove from /etc/csf/csf.deny
csf -dfRemove and unblock all entries in /etc/csf/csf.deny
csf -g [ip]Search the iptables and ip6tables rules for a match
csf -t Displays the current list of temporary allow and deny IP entries with their TTL and comments

Step 7 – Where is the CSF firewall located?

The CSF Firewall is installed in the /etc/csf directory. You can make the changes through the configuration file /etc/csf/csf.conf.

Step 8 – How do I check my CSF firewall?

You can check your CSF firewall status by using the command below:

sudo systemctl status csf
Output
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)
     Active: active (exited) since Mon 2023-10-16 04:47:19 EDT; 33min ago
   Main PID: 1876 (code=exited, status=0/SUCCESS)
        CPU: 902ms
...

Conclusion

At this point, you have learned to Install the CSF firewall on Debian 12 Bookowrm and Configure it on your server. Also, you have learned to use it from the command line interface and get familiar with the most useful CSF commands.

Hope you enjoy using it. You may be interested in these articles:

Allow a Specific Port for a Particular IP in CSF

Enable and Configure CSF Firewall on CWP

Install and Configure CSF firewall on DirectAdmin

Install and Configure CSF Firewall on cPanel

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!