There are various security features for a server and system that can be used so that a server can provide secure applications to its users. These actions are generally divided into the user side and the server side or the servers’ management side. In the user side section, there are many things, such as choosing strong passwords, not opening emails suspected of being spam, not installing suspicious modules, and such things, which are usually followed by webmasters.
On the server side, however, the situation is a little different, and many other things can be used for this purpose. One of the most important features that can keep our server safe are firewalls, which must be said to be the best and best attack prevention systems in their own right, and are considered the strictest security elements. Regarding what these firewalls do, it should be said that a firewall at the entrance of a server controls all incoming packets and requests to the server. If each matches the information the firewall had, and the settings on It was applied had a problem, it will remove these packages and requests instead.
For the majority of Linux distributions and Linux-based VPS, Config Server Firewall (or CSF) is a cost-free, cutting-edge firewall. In addition to a firewall’s fundamental function of filtering traffic, CSF has additional security capabilities like login/intrusion/flood detections. cPanel, DirectAdmin, and Webmin have UI interfaces with CSF, however, this guide solely covers command-line usage. Threats like port scans, SYN floods, and login brute force attacks against numerous services are all detectable by CSF. Clients who are discovered as attacking the cloud server will temporarily be blocked.
What is a CSF firewall?
CSF stands for ConfigServer Security and Firewall and it’s free and developed under the ConfigServer group. It is usually installed on Redhat, CentOS, and Ubuntu servers and is very easy to install.
Technically, CSF is not a firewall. As we know, firewalls block unauthorized access to the server and its various parts. But CSF works to set up and create a simple connection between the server user and the core of the Linux firewall, which is iptables. So experts consider CSF as a script to configure iptables.
However, CSF is software for providing security settings and preventing unwanted access to the server, which most people who deal with Linux servers know how to install and work with. Working with CSF is usually done by commands we enter in the Linux command line. For example, suppose we want to block the access of an IP for the server. The command that should be used is the CSF command, along with its accessories.
What are the features of the CSF firewall?
The CSF firewall provides many features to protect the server.
- Login Failure Daemon system (LFD)
The CSF firewall has a service called Login Failure Daemon (LFD) that detects high user login attempts and brute force attacks. If there are too many failed login attempts from the same IP address, the user will be temporarily blocked from all services. Not to mention, this system has a black-and-white list where you can enter your IPs to permanently block or remove users from the block list. The following programs can use this feature:
- Courier IMAP, Dovecot, UW-IMAP, Kerio
- OpenSSH
- cPanel, WHM, Webmail (cPanel servers only)
- Pure-ftpd, vsftpd, Proftpd
- Password-protected web pages (htpasswd)
- Mod_security failures (v1 and v2)
- Suhosin failures
- Exim SMTP AUTH
Also, you can write your own RegExs and use your own new rules to block users.
- Process Tracking
CSF can trace system processes to identify suspicious activity. Using this feature, you can detect open network ports, suspicious operations, etc., and if needed, notify the system administrator by email or other means and prevent attacks on the VPS.
- Directory Watching
In the settings of this service, there is a file that is generally in this path: /etc/csf/csf.dirwatch
In this file, we enter routes from the server we want to check. If a file changes in those paths, the admin will get an email. If we have sensitive directories, we should enter their path in this section.
- Protection from all types of port attacks (Port Flood Protection)
This firewall protects the active ports you use against attacks such as DDoS. With the many features and possibilities of port management, you can find the best way to deal with and prevent these attacks. In addition, you can specify the number of connections allowed on the port in each period.
We recommend enabling this feature; because it has a significant effect on preventing many attacks. You should also pay attention to the set limits; incorrect settings may prevent clients from visiting, or too many connections may cause attacks.
- Port Knocking
Port Knocking allows clients to open ports after multiple requests (three or more). With the first three requests, the port seems to be closed, but with the fourth request, the port is opened, and the server allows clients to connect to the original ports. With this service, you can provide services to your special customers.
- Connection Limit Protection
This feature is used to limit the consumption of specific service resources. Also, the number of simultaneous new connections can be limited. If configured correctly, this section can prevent DDoS attacks.
- IP blocking
Using this feature, you can easily block some IPs so they cannot use your server. If you are unfamiliar with the Linux command line, you can use CSF in the graphical environment and do the necessary configurations.
- Graphical user interface
In addition to the command line interface, CSF provides UI integration for cPanel and Webmin, where you can perform many operations.
- Check Server Security
CSF can check the security of your server by checking factors such as whether the firewall is active and for dangerous PHP functions. The parts that it checks are:
- Check for dangerous PHP functions
- Firewall
- Enable Swap File
- SSH Password
- Mail Check
- Apache Check
- PHP Check
- Check DirectAdmin Settings
Install CSF on Ubuntu
You just need to take 3 simple steps to install CSF.
- Download CSF
CSF must be downloaded from the ConfigServer website because it is not yet included in the Debian or Ubuntu repositories.
wget http://download.configserver.com/csf.tgz
- Decompressing
Before it can be utilized, the downloaded file must be uncompressed and extracted from its compressed tar packaging.
tar -xzf csf.tgz
- Installing
Before continuing, you should disable any additional firewall configuration scripts you may be using, such as UFW. Rules for Iptables are immediately deleted. You may disable UFW by executing the next command:
ufw disable
then you can execute CSF:
cd csf sh install.sh
Configuring CSF on Ubuntu
By editing csf.conf in /etc/csf, you can make the necessary configurations:
nano /etc/csf/csf.conf
Finally, you can save the changes to the csf.conf file with the following command:
csf -r
Configuring ports
The less access to your server, the more secure the server is. To disable access and close ports, you can customize CSF port settings and remove unused ports if needed.
The default open ports of CSF are:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" TCP_OUT = "20,21,22,25,53,80,110,113,443" UDP_IN = "20,21,53" UDP_OUT = "20,21,53,113,123"
Description:
- Port 20: FTP data transfer
- Port 21: FTP control
- Port 22: Secure shell (SSH)
- Port 25: Simple mail transfer protocol (SMTP)
- Port 53: Domain name system (DNS)
- Port 80: Hypertext transfer protocol (HTTP)
- Port 110: Post office protocol v3 (POP3)
- Port 113: Authentication service/identification protocol
- Port 123: Network time protocol (NTP)
- Port 143: Internet message access protocol (IMAP)
- Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
- Port 465: URL Rendezvous Directory for SSM (Cisco)
- Port 587: Email message submission (SMTP)
- Port 993: Internet message access protocol over SSL (IMAPS)
- Port 995: Post office protocol 3 over TLS/SSL (POP3S)
As we said, you can close any ports you don’t need. You need to remove the port number from the list to close the port. We suggest you close all the ports (empty the list) and open the port you need. Some services require other ports to run correctly.
CSF has many configuration options. Some common settings are as follows:
- ICMP_IN allows pinging your server. If you set it to one, your server will be pinged, and requests will be rejected if you set it to zero. If you are hosting a public service, we recommend allowing ICMP requests; Because users need to know the status of your server.
- ICMP_IN_LIMIT sets the number of ICMP requests (pings) allowed from an IP address in a specified period. It should be mentioned that there is no need to change the default value (1/s).
- DENY_IP_LIMIT saves the number of blocked IP addresses that will be checked in CSF. We recommend limiting the number of blocked IP addresses; Because a large number of blocked IPs may slow down the server performance.
- DENY_TEMP_IP_LIMIT works like DENY_IP_LIMIT above, except that it stores the number of temporarily blocked IP addresses.
- PACKET_FILTER filters invalid, unwanted and illegal packets.
- SYNFLOOD, SUNFLOOD_RATE, and SYNFLOOD_BURST are options to protect against SYN attacks. This system is used when your server is attacked and counters these attacks by slowing down the initial connection speed.
- CONNLIMIT limits the number of simultaneously active connections on the port.
- PORTFLOOD limits the number of connections per time interval that new connections can be made to specific ports.
CSF provides many settings in this file that you can edit. The default values set are usually acceptable and can be used on almost any server, which are configured to prevent Flood Attacks, Port Scans, and Unauthorized Access Attempts.
Applying changes
For the modifications to take effect after making changes to the csf.conf settings, you must save the files and restart CSF.
Press Ctrl + X to close the file once you are through configuring it. When prompted about whether or not to save the changes, hit Y to do so.
After that, you should restart CSF with the following command to apply the changes:
csf -r
If everything goes well and you can access the server, open the configuration file again. To change the configuration file, open this file with a text editor (such as Nano) and apply the desired changes:
nano /etc/csf/csf.conf
After that, change the TESTING setting at the beginning of the configuration file to zero, as shown below:
TESTING = "0"
Save the file and apply the changes with csf -r command.
Blocking and Allowing IP Addresses in CSF
One of the useful features of this firewall is the ability to block IP addresses. You can block (blacklist), allow (whitelist), or ignore specific IP addresses by editing the csf.deny, csf.allow, and csf.ignore configuration files.
Blocking IP addresses
If you want to block a specific IP address or range, you need to enter the desired IP. Open csf.deny and enter the following command:
nano /etc/csf/csf.deny
In this file, each line blocks an IP address or a range. If you want to block IP address 1.2.3.4 and IP range 2.3.*.*, you need to add the following lines to the file:
1.2.3.4 2.3.0.0/16
Allowing IP addresses
If you want an IP address or IP range to be accessed, you should use this feature.To do this, you must add the desired IP to the csf.allow file. Note that if the IP address is placed in both csf.allow and csf.deny simultaneously, it will be allowed access.
Allowing access to IPs is the same as blocking IPs, and you must specify an IP address or range in each line. To do this, open and edit the csf.deny file from /etc/csf/csf.allow:
nano /etc/csf/csf.allow
Ignoring IP addresses
You can specify some IPs or a range of IPs to be hidden from the firewall and its filters and not considered. IP addresses registered in csf.ignore bypass firewall filters and can only be blocked if they are registered in the csf.deny file:
nano /etc/csf/csf.ignore
You must restart CSF to apply the last changes:
csf -r