How to Install ConfigServer Security & Firewall on Ubuntu

This brief tutorial shows students and new users how to install ConfigServer Security & Firwall (CSF) on Ubuntu 20.04 | 18.04.

CSF a free, open source Stateful Packet Inspection (SPI) firewall software based on iptables that provides high level of security for Linux servers. It also provides login and intrusion detection that can help protect Linux systems from threats and other attacks.

If you’re looking for an easy way to manage iptables firewall on Linux including via a intuitive web interface, then CSF should be a great place to start.

For more about CFS, please visit its web page.

To get started with installing CSF on Ubuntu, follow the steps below:

Install CSF on Ubuntu

Be default CSF packages are not available in Ubuntu repositories. To install, you’ll have to download it and run its install scripts.

To do that run the commands below:

sudo apt update

Once downloaded, run the commands below to extract the downloaded file and install.

tar -xvzf csf.tgz
cd csf
sudo bash

After installing, you’ll get a success message.

To validate CSF is installed and functioning, run the commands below:

sudo perl /usr/local/csf/bin/

That will output similar lines as shown below:

Testing ip_tables/iptable_filter.OK
Testing ipt_LOG.OK
Testing ipt_multiport/xt_multiport.OK
Testing ipt_REJECT.OK
Testing ipt_state/xt_state.OK
Testing ipt_limit/xt_limit.OK
Testing ipt_recent.OK
Testing xt_connlimit.OK
Testing ipt_owner/xt_owner.OK
Testing iptable_nat/ipt_REDIRECT.OK
Testing iptable_nat/ipt_DNAT.OK

RESULT: csf should function on this server

CSF comes with multiple configuration files, all which are stored in the /etc/cfs directory.

Following file are the main configuration files of CSF and their details:

  • /etc/csf/csf.conf : The main configuration file.
  • /etc/csf/csf.allow : The list of allowed IP’s and CIDR addresses on the firewall.
  • /etc/csf/csf.deny : The list of denied IP’s and CIDR addresses on the firewall.
  • /etc/csf/csf.ignore : The list of ignored IP’s and CIDR addresses on the firewall.

Configure CSF

The first thing to do after installing CSF on a production is to disable its testing mode. By default, CSF is installed with testing mode enabled.

Open its main configuration file and edit the highlighted line shown below:

sudo nano /etc/csf/csf.conf

Then edit the line below and change its value to 0.

There are many more settings that you can turn on and enable in the configuration file. You can restrict and monitor services like SSH, FTP and SMTP and others.

# lfd will not start while this is enabled

After that save your changes and reload CSF using the commands below:

sudo csf -r
sudo service lfd restart

To see a lists of default firewall rules, run the commands below:

sudo csf -l

That should load the default rules in the tables.

ptables filter table
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     9072   21M LOCALINPUT  all  --  !lo    *             
2     3024 2709K ACCEPT     all  --  lo     *             
3     8786   21M INVALID    tcp  --  !lo    *             
4        0     0 ACCEPT     icmp --  !lo    *     

To add allow IP through the firewall, simply run the commands below:

sudo csf -a

To deny IP address, run the commands below:

sudo csf -d

To remove blocked IP, run the commands below:

sudo csf -dr

To remove IP from allowed list, run the commands below:

sudo csf -ar

To flush and restart CSF, run the commands below:

sudo csf -f
sudo csf -r

To disable CFS, run the commands below:

sudo csf -x

To enable, run the commands below:

sudo cfs -e

Access Web Interface

CSF Web comes with a web interface based on perl. This allows you to manage CSF easily from any web browser. To install, run the commands below:

sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl

After installing, open CSF configuration file and edit the web UI login, password and port.

sudo nano /etc/csf/csf.conf

Then change the highlighted lines

This options restricts the ability to modify settings within this file from
 the csf UI. Should the parent control panel be compromised, these restricted
 options could be used to further compromise the server. For this reason we
 recommend leaving this option set to at least "1" and if any of the
 restricted items need to be changed, they are done so from the root shell
 0 = Unrestricted UI
 1 = Restricted UI
 2 = Disabled UI
# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example must use
# ::ffff:
# Leave blank to bind to all IP addresses on the server
UI_IP = ""

# This should be a secure, hard to guess username
# This must be changed from the default
UI_USER = "admin"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus 
# numbers and non-alphanumeric characters
# This must be changed from the default
UI_PASS = "strong_password_here"

# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new

Save the file and exit.

Next, add the IPs that are allowed to login via the web interface.

sudo nano /etc/csf/ui/ui.allow


sudo service lfd restart

Now go to the server IP address followed by port 8080 and login with the account defined in the configuration file.

That’s it!


This post showed you how to install CSF on Ubuntu 20.04 | 18.04. If you find any error above, please use the form below to report.