Ubuntu with CSF Firewall

Step 1 – Install CSF

By default, CSF is not available in the Ubuntu standard repository, so you will need to download it from their official website.

wget http://download.configserver.com/csf.tgz

Once downloaded, extract the downloaded file with the following command:

tar -xvzf csf.tgz

Disable UFW

ufw disable

Next, change the directory to the extracted directory and install CSF by running the install.sh script:

cd csf
bash install.sh

Once the installation has been completed successfully, you should get the following output:

Installation Completed

Next, verify whether all required Iptables modules are installed with the following command:

perl /usr/local/csf/bin/csftest.pl

If everything is fine, you should get the following output:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Step 2 – Configure CSF

Next, you will need to configure CSF as per your security standard. You can configure it by editing the file /etc/csf/csf.conf:

nano /etc/csf/csf.conf

Change the following line per your requirements:

TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

Save and close the file, then restart the CSF with the following command:

csf -r

Enable CSF

systemctl enable csf