How to Install Config Server Firewall (CSF) on Debian 11

Config Server Firewall (or CSF) is an advanced firewall and proxy server for Linux. Its primary purpose is to allow a system administrator to control access between the local host and connected computers. The software can also be configured to monitor network traffic for malicious activity.

It offers a number of features like ‘Firewall Policies,’ which allow for filtering of all kinds in addition to Network Address Translation (NAT) services, proxying services, caching DNS resolver queries on your own DNS servers, or not caching them at all. It also supports authenticated users with different levels of privileges for specific tasks like managing firewalls policies or extending the NAT service. It also has a nice ‘System Logger’ which allows for logging all kinds of events that happen on the system, for example, logins, logouts, file modifications, additions, or any other kind of event.

The software is available in several languages, including English, Portuguese and French.

The source code of the software is freely available under the terms of a GNU General Public License.

Nowadays, the most common attack vector for most security products are vulnerabilities in applications and configuration files. CSF makes it hard to exploit such flaws. If you are planning to run an open-source business or use a Linux system as a backend for your web application, then you should consider installing Config Server Firewall (CSF).

In this article, we will show how you can install and configure a CSF server in Debian Linux. This guide works for Debian versions 10 and 11. After you’re done reading this guide, you will be able to turn on the basic CSF firewall and proxy server.

Prerequisites

  • This article assumes that you have a Debian 10 or Debian 11 Linux system with root privileges.
  • This guide assumes that you have a working Internet connection on the server.
  • This guide assumes that you have a basic knowledge of Linux and the command line.

Updating Your System

Before installing any package, it’s always a good practice to update your system. Let’s run the following command to update the system.

sudo apt update && sudo apt upgrade -y

These commands will verify if there are any available updates in the repositories and install them. Then you need to run the following commands to install the required dependencies. The dependencies that you install here are not installed by default. You have to install them manually. The reason for this is that they provide additional functionality to a specific program and are not always needed.

sudo apt install wget libio-socket-ssl-perl git perl iptables -y
sudo apt install libnet-libidn-perl libcrypt-ssleay-perl -y
sudo apt install libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip - y

Sample output:

Installing CSF Firewall on Debian 11

Now that you have all the required dependencies installed, you can install CSF in Debian Linux. The installation process is quite straightforward, but let’s walk through it step by step.

The Debian repositories do not include the CSF package by default. For CSF to work, you have to download and install the CSF package manually.

Once the CSF archive has been extracted, you will have a new folder named csf. The csf directory has all the files and the installation that you need to install CSF in the Debian server.

Run the ls -l command to verify if the new directory has been created.

ls -l

1. Run the wget http://download.configserver.com/csf.tgz command to download the CSF package to your current working directory.

wget http://download.configserver.com/csf.tgz

Download CSF Firewall

2. Once you have the downloaded package, run the tar -xvzf csf.tgz command to extract the package in your current working directory. tar stands for tape archive and is a method to create an archive of files. x means to extract and v is for verbose operation. z is for gzip compression, which means the file is compressed. f stands for an archive file name, and in this case, it’s csf.tgz.

tar -xvzf csf.tgz

Extract CSF files

Once the CSF archive has been extracted, you will have a new folder named csf. The csf directory has all the files and the installation that you need to install CSF in Debian server.

3. Run the ls -l command to verify if the new directory has been created.

ls -l

csf directory

4. Move into the csf directory and run the sudo bash install.sh command to install CSF on your system.

install.sh is an installation script that automatically downloads the latest CSF package and installs it on your system. This script does all the hard work related to downloading, extracting, and installing the required dependencies, etc. for you.

An installation script is an executable text file that automates the installation process of a program or package on your system. The script usually checks what it needs to install and then downloads and installs it on your system. This greatly reduces the amount of time you will spend installing and configuring things as well as reduces errors related to configuring things manually.

cd csf && sudo bash install.sh

The installation process takes a few minutes, so let’s just wait for it to finish. Once the installation is complete, you will get the following output.

Install CSF

At this point, you have correctly installed CSF on your Debian 10 Linux server. But you should check if the iptables modules are available in your system. iptables are used in the creation of CSF rules and firewalls.

5. Run the sudo perl /usr/local/csf/bin/csftest.pl command to verify if the iptables modules are available.

sudo perl /usr/local/csf/bin/csftest.pl

If you get an output like below, then you are all good to go.

Run csftest script

Configuring CSF Firewall Policies

Now that you have installed CSF on your Debian Linux server, it’s time to configure it. In this section, we’ll go over how to configure some basic CSF firewall policies.

The csf.conf configuration file is located in the /etc/csf directory and is used to define the CSF firewall policies and rules.

1. Running the sudo nano /etc/csf.conf command will open up the csf.conf configuration file. This will allow you to edit and view the contents of this file

sudo nano /etc/csf/csf.conf

The first thing you will need to do is configure your open ports. Open ports is how you define what ports your users can use to reach your backends.

Scroll down to the section ‘Allow incoming’ and ‘Allow outgoing’ to see all the open ports. The most common-used ports are opened by default. You can open additional ports by adding the port number manually to the list of open ports if you want to allow connections through them.

But remember, the more open ports you have, the more risk you will be running. You don’t want your server to be a sitting duck for the bad guys. So always keep these open ports under control and not too many of them open at once.

Configure CSF

2. By default, TESTING is set to 1. You should change this to 0 once you’ve finished your testing,

Before

Enable test mode

After

Disable test mode

3. ConnLimit directive CSF can also limit the number of incoming connections to a specific port to a given value. This is useful if you want to restrict the number of simultaneous connections to one port at a time.

For example, 22;1;443;10 would set up your firewall to allow only specific connections to port 22 and 443 at a given time. This value limits the number of simultaneous incoming connections to port 22 to only one at a time and sets a limit of ten simultaneous incoming connections to port 443 at a time.

Configure connection limits

3. PORTFLOOD directive is used to specify the number of consecutive connection attempts from a single IP address which should be blocked per time interval. For example, 22;tcp;3;3600 would set the firewall to block connections for 60 minutes(3600 seconds) if more than 3 consecutive connection attempts on port 22 are detected from a single IP. The blocked IP will be unblocked automatically once the 3600 seconds has passed.

Configure flooding protection

4. Save and close the csf.conf configuration file once you are done. Now you can reload your SF firewall to apply the changes.

sudo csf -r

Reload CSF to apply changes

Run the sudo csf -l command to verify if any of your changes have been synced to the firewall.

sudo csf -l

List csf rules

Conclusion

In this article, we’ve learned how to install and configure CSF on a Debian Linux server. CSF is a relatively new firewall tool that allows you to easily configure firewall policies and rules. CSF might not be the best firewall solution out there, but it’s a good starting point for a new Linux firewall administrator. Leave a comment if you have any questions or feedback.