Install and Configure CSF Firewall on Debian 11

In this article, we want to teach you to Install and Configure CSF Firewall on Debian 11.

CSF stands for Configserver security and firewall. CSF is a configuration script built to provide better security to servers, at the same time providing a large number of configuration options and features to configure and secure with extra checks to ensure smooth operation. It helps in locking down public access and to restrict what can be accessed like only e-mails or only websites, etc.

To add more power to this, it comes with a Login Failure Daemon (LFD) script that runs all the time to scan for failed attempts to log in to the server to detect brute-force attacks. There are an array of extensive checks that LFD can perform to help alert the server administrator of changes to the server, potential problems, and possible compromises.

Install and Configure CSF Firewall on Debian 11

To install the CSF firewall on Debian 11, you need to log in to your server as a non-root user with sudo privileges. To do this, you can follow our article the Initial Server Setup with Debian 11.

Now you can follow the steps below to complete this guide.

Install CSF Firewall on Debian 11

First, you need to update your local package index with the command below:

sudo apt update

Note: If you have a UFW firewall installed on your server, you need to remove it with the command below:

sudo apt remove ufw

Then, install the CSF dependencies on Debian 11:

# sudo apt install wget libio-socket-ssl-perl git perl iptables -y
# sudo apt install libnet-libidn-perl libcrypt-ssleay-perl -y
# sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip -y

At this point, switch to your /usr/src directory and download the CSF package with the wget command:

cd /usr/src
sudo wget https://download.configserver.com/csf.tgz

When your download is completed, extract your downloaded file:

sudo tar -xzvf csf.tgz

Then, switch to your CSF directory:

cd csf

And run the CSF installer to install it on Debian 11:

sudo sh install.sh

When your installation is completed, you will get the following output:

Output
Installation Completed

At this point, you can verify if the required iptables modules are present:

sudo perl /usr/local/csf/bin/csftest.pl

You should get the following output:

Output
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Also, you can verify your CSF installation on Debian 11 by checking its version:

sudo csf -v
Output
csf: v14.16 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Configure CSF Firewall on Debian 11

At this point, that you have CSF installed on your server, you need to configure it.

CSF is configured to run in TESTING mode by default. To disable it, you need to edit the CSF configuration file on Debian 11.

Open the file with your favorite text editor, here we use vi:

sudo vi /etc/csf/csf.conf

Find the line below and change its value to “0” as shown below:

TESTING = "0"

When you are done, save and close the file.

Stop and reload the CSF firewall with the following command:

csf -ra

Manage CSF Firewall

You can start the CSF service on your server by:

csf -s 

To stop the CSF service on Debian 11, use the command below:

csf -f

And to restart the CSF, you can use the command below:

csf -ra 

Note: Remember to restart the CSF firewall every time you make changes to the CSF configuration file.

Also, you can allow or deny an IP address from the CLI.

Use the –d option to deny an IP address. For example:

csf -d 192.0.2.123

And use the -a option to allow an IP. For example:

csf -a 192.0.2.123

To remove IP from the allow list, you can use the following command:

csf -ar 192.0.2.123

Also, to remove IP from the deny list, you can run the command below:

csf -dr 192.0.2.123

To allow an incoming or outgoing port, you can edit the CSF configuration file on Debian 11.

sudo vi /etc/csf/csf.conf

Locate the lines below and add or remove your desired ports:

# Allow incoming TCP ports
TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077”

# Allow outgoing TCP ports
TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087”

When you are done, save and close the file.

Restart CSF for the changes to take effect.

# csf -ra

Conclusion

At this point, you learn to Install and Configure CSF Firewall on Debian 11.

Hope you enjoy it.

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!