Step 1 – Install CSF
CSF is not available in the standard Ubuntu repositories, so I will need to download it from its official website:
wget http://download.configserver.com/csf.tgz
Once downloaded, extract the downloaded file with the following command:
tar -xvzf csf.tgz
Disable UFW so that it does not conflict with CSF:
ufw disable
Next, change into the extracted directory and install CSF by running the install.sh script:
cd csf
bash install.sh
Once the installation has been completed successfully, I should get the following output:
Installation Completed
Next, verify that all required iptables modules are installed with the following command:
perl /usr/local/csf/bin/csftest.pl
If everything is fine, I should get the following output:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
Step 2 – Configure CSF
Next, I will need to configure CSF to match my security standard. I can configure it by editing the file /etc/csf/csf.conf:
nano /etc/csf/csf.conf
Change the following lines per your requirements:
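# Disable testing mode (while it is enabled, a cron job periodically clears the firewall rules)
TESTING = "0"
# Restrict syslog/rsyslog access to the members of RESTRICT_SYSLOG_GROUP
RESTRICT_SYSLOG = "3"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"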
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"
Save and close the file, then restart CSF with the following command:
csf -r
Enable CSF to start at boot:
systemctl enable csf
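The Step 2 settings can be checked before each csf -r. The script below is an added example, not part of the original tutorial or of CSF: it parses a csf.conf-style file, flags TESTING left enabled, and lists TCP_IN ports that are not in a list of services the host actually runs. The function names, the sample file and the "22,80,443" policy are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): audit a csf.conf-style file.

# Print the value of KEY from a file with lines of the form KEY = "value".
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print the ports listed in KEY that are absent from the comma-separated NEEDED list.
csf_extra_ports() {  # usage: csf_extra_ports FILE KEY NEEDED
    extra=""
    for p in $(csf_get "$1" "$2" | tr ',' ' '); do
        case ",$3," in
            *",$p,"*) ;;                        # port is expected
            *) extra="${extra:+$extra,}$p" ;;   # port is open but not expected
        esac
    done
    printf '%s\n' "$extra"
}

# Report findings; return 1 if there is anything to fix, 0 otherwise.
csf_audit() {  # usage: csf_audit FILE NEEDED_TCP_IN
    rc=0
    if [ "$(csf_get "$1" TESTING)" != "0" ]; then
        echo "TESTING is not 0: CSF clears its rules on a timer in testing mode"
        rc=1
    fi
    unexpected=$(csf_extra_ports "$1" TCP_IN "$2")
    if [ -n "$unexpected" ]; then
        echo "TCP_IN opens ports with no expected service: $unexpected"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the TCP_IN list from this page, with TESTING left at 1.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF

# Assumed policy for the demo: this host only serves SSH, HTTP and HTTPS.
csf_audit "$SAMPLE" "22,80,443" || echo "audit: review the file before running csf -r"
```

On a real server, call csf_audit /etc/csf/csf.conf with the comma-separated list of ports your services need.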