Ubuntu & CSF Install

Full Details here on Vultr (canonical)

 

Article Recap:

1. Deploy Ubuntu Server

2. Prepare for CSF Installation

Ubuntu 20.04 comes with UFW firewall by default, which must be removed before installing CSF.

# apt remove ufw

Install the CSF dependencies.

# apt install perl zip unzip libwww-perl liblwp-protocol-https-perl

3. Install CSF

  1. Change to /usr/src
    # cd /usr/src
    
  2. Download the CSF distribution.
    # wget https://download.configserver.com/csf.tgz
    
  3. Extract CSF.
    # tar -xzf csf.tgz
    
  4. Change to /usr/src/csf
    # cd csf
    
  5. Run the install script.
    # sh install.sh
    
  6. Verify the required iptables modules for CSF are available.
    # perl /usr/local/csf/bin/csftest.pl
    

    Confirm that all tests report OK, and you see the following result.

    RESULT: csf should function on this server
    
  7. Verify CSF status after installation.
    # csf -v 
    

    You should see a result similar to:

    csf: v14.02 (generic)
    
    *WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
    

4. Configure CSF

  1. CSF runs in TESTING mode by default. Edit /etc/csf/csf.conf to disable TESTING mode.
    # nano /etc/csf/csf.conf
    
  2. Locate the line TESTING = "1", and change the value to "0".
    TESTING = "0"
    
  3. Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
    RESTRICT_SYSLOG = "3"
    
  4. Save the configuration file.
  5. Stop and reload CSF with the -ra option.
    # csf -ra
    

Common CSF Commands & Configuration

Start CSF

# csf -s 

Stop CSF

# csf -f 

Restart CSF

You must restart CSF each time the configuration file changes.

# csf -ra 

Allow IP traffic by port

  1. Edit /etc/csf/csf.conf
    # nano /etc/csf/csf.conf
    
  2. Locate the following lines and add the required ports.
    # Allow incoming TCP ports
    
    TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077"
    
    # Allow outgoing TCP ports
    
    TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087"
    
  3. Restart CSF for the changes to take effect.
    # csf -ra
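
A read-only check of the two settings changed under "Configure CSF" and of the port lists edited under "Allow IP traffic by port", as an added example that is not part of the original article or of CSF. The helper names csf_get, csf_audit and csf_sample and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a csf.conf-style file for the settings this recap changes.
# csf_get, csf_audit and csf_sample are hypothetical helper names, not CSF commands.

# Print the value of KEY ($2) from FILE ($1); only KEY = "value" lines match.
csf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 when the file matches the recap, 1 on findings, 2 if unreadable.
csf_audit() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    if [ "$(csf_get "$conf" TESTING)" != "0" ]; then
        echo "FAIL: TESTING is not \"0\""; rc=1
    fi
    if [ "$(csf_get "$conf" RESTRICT_SYSLOG)" != "3" ]; then
        echo "FAIL: RESTRICT_SYSLOG is not \"3\""; rc=1
    fi
    # Port lists: digits, commas and ':' ranges inside straight double quotes.
    # An empty or unquoted list is reported as a finding (choice made here).
    for key in TCP_IN TCP_OUT; do
        case $(csf_get "$conf" "$key") in
            ''|*[!0-9,:]*) echo "FAIL: $key is not a quoted port list"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample: TESTING_INTERVAL must not be mistaken for TESTING, and
# TCP_OUT has no opening quote and a typographic closing quote.
csf_sample() {
    cat <<'EOF'
TESTING = "0"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,22,25,53,80,443"
TCP_OUT = 20,21,22,25,53,80,443”
EOF
}

# Demo on the constructed sample; on a server, pass /etc/csf/csf.conf instead.
tmp=$(mktemp)
csf_sample > "$tmp"
csf_audit "$tmp" || echo "audit exit status: $?"
rm -f "$tmp"
```

Running csf_audit against /etc/csf/csf.conf before `csf -ra` catches a pasted typographic quote or a still-enabled TESTING mode before the rules are reloaded.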
    

Allow or deny by IP address

Use the -d option to deny by IP, for example, 192.0.2.123.

# csf -d 192.0.2.123

Use the -a option to allow by IP, for example, 192.0.2.123.

# csf -a 192.0.2.123

Remove IP from the allow list.

# csf -ar 192.0.2.123

Remove IP from the deny list.

# csf -dr 192.0.2.123

Deny file

Block IPs by adding an entry to /etc/csf/csf.deny.

192.0.2.123     # deny this IP

192.0.2.0/24    # deny this network 

Allow file

Add trusted IPs to /etc/csf/csf.allow.

192.0.2.123     # trust this IP

Check all listening ports with the -p option.

# csf -p