Install and Configure CSF Firewall on Debian 11
In this article, we show you how to install and configure the CSF firewall on Debian 11.
CSF stands for ConfigServer Security and Firewall. It is a firewall configuration script built to provide better security for servers, with a large number of configuration options and extra checks to ensure smooth operation. It helps lock down public access and restrict what can be reached, for example only e-mail or only websites.
It also comes with the Login Failure Daemon (LFD), a script that runs continuously and scans for failed login attempts in order to detect brute-force attacks. LFD can perform an extensive array of checks to alert the server administrator to changes on the server, potential problems, and possible compromises.
Install and Configure CSF Firewall on Debian 11
To install the CSF firewall on Debian 11, you need to log in to your server as a non-root user with sudo privileges. To do this, you can follow our article on the Initial Server Setup with Debian 11.
Now you can follow the steps below to complete this guide.
Install CSF Firewall on Debian 11
First, you need to update your local package index with the command below:
sudo apt update
Note: If you have a UFW firewall installed on your server, you need to remove it with the command below:
sudo apt remove ufw
Then, install the CSF dependencies on Debian 11:
sudo apt install wget libio-socket-ssl-perl git perl iptables -y
sudo apt install libnet-libidn-perl libcrypt-ssleay-perl -y
sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip -y
At this point, switch to your /usr/src directory and download the CSF package with the wget command:
cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
When your download is completed, extract your downloaded file:
sudo tar -xzvf csf.tgz
Then, switch to your CSF directory:
cd csf
And run the CSF installer to install it on Debian 11:
sudo sh install.sh
When your installation is completed, you will get the following output:
Output
Installation Completed
At this point, you can verify if the required iptables modules are present:
sudo perl /usr/local/csf/bin/csftest.pl
You should get the following output:
Output
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Also, you can verify your CSF installation on Debian 11 by checking its version:
sudo csf -v
Output
csf: v14.16 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Configure CSF Firewall on Debian 11
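Now that you have CSF installed on your server, you need to configure it.
CSF is configured to run in TESTING mode by default. In this mode CSF periodically clears its firewall rules so that a configuration mistake cannot lock you out, and lfd does not start. To disable it, you need to edit the CSF configuration file on Debian 11. Before you do, make sure the port you use for SSH is listed in TCP_IN in the same file.
Open the file with your favorite text editor. Here we use vi: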
sudo vi /etc/csf/csf.conf
Find the line below and change its value to “0” as shown below:
TESTING = "0"
When you are done, save and close the file.
Then restart the CSF firewall with the following command:
sudo csf -ra
Manage CSF Firewall
You can start the CSF firewall on your server with:
sudo csf -s
To stop the CSF firewall on Debian 11, use the command below:
sudo csf -f
And to restart CSF, you can use the command below:
sudo csf -ra
Note: Remember to restart the CSF firewall every time you make changes to the CSF configuration file.
Also, you can allow or deny an IP address from the CLI.
Use the -d option to deny an IP address. For example:
sudo csf -d 192.0.2.123
And use the -a option to allow an IP address. For example:
sudo csf -a 192.0.2.123
To remove an IP address from the allow list, you can use the following command:
sudo csf -ar 192.0.2.123
Also, to remove an IP address from the deny list, you can run the command below:
sudo csf -dr 192.0.2.123
To allow an incoming or outgoing port, you can edit the CSF configuration file on Debian 11.
sudo vi /etc/csf/csf.conf
Locate the lines below and add or remove your desired ports:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087"
When you are done, save and close the file.
Restart CSF for the changes to take effect:
sudo csf -ra
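A pre-flight check for the two settings edited in this guide, TESTING and TCP_IN, as an added example that is not part of the original article or of CSF itself: it parses a csf.conf-style file and reports when TESTING is still on or the SSH port is not covered by TCP_IN, including when the line is malformed (for example, a missing quote). The function names, the sample file and the SSH port argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of a csf.conf before "csf -ra".
# Function names and the sample file are constructed for illustration.

# Print the quoted value of KEY ($1) from a csf.conf-style file ($2).
# A line without both double quotes yields nothing and is treated as unset.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Succeed if port $1 is covered by list $2, e.g. "22,80,30000:35000".
port_allowed() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in
            *:*) # CSF writes port ranges as low:high
                if [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ]; then
                    return 0
                fi ;;
            *)  if [ "$entry" = "$1" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print one line per problem in config $1; return the number of problems.
# $2 is the port sshd listens on (assumed 22 if omitted).
csf_preflight() {
    findings=0
    if [ "$(csf_get TESTING "$1")" != "0" ]; then
        echo "TESTING is not \"0\""
        findings=$((findings + 1))
    fi
    if ! port_allowed "${2:-22}" "$(csf_get TCP_IN "$1")"; then
        echo "port ${2:-22} is not in TCP_IN (missing, or the line is malformed)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample config, not taken from a real server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
TESTING = "1"
TCP_IN = "80,443,2222,30000:35000"
TCP_OUT = "53,80,443"
EOF
csf_preflight "$SAMPLE" 22 || echo "resolve the findings above before csf -ra"
```

On a real server, call csf_preflight with /etc/csf/csf.conf and the port your SSH daemon listens on, run with sudo if the file is not readable by your user.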
Conclusion
At this point, you have learned how to install and configure the CSF firewall on Debian 11.
We hope you enjoyed it.