
Secure Your Server: A Step-by-Step Guide to Installing CSF Firewall on Debian 12
Protecting your server from unauthorized access and malicious threats is not just a recommendation; it’s a necessity. While Debian 12 is a secure operating system out of the box, a properly configured firewall provides an essential layer of defense. For those seeking advanced control and robust features beyond standard tools like UFW, ConfigServer Security & Firewall (CSF) is an outstanding choice.
CSF is a Stateful Packet Inspection (SPI) firewall, login/intrusion detection, and security application for Linux servers. It offers a more comprehensive feature set than many default firewalls, including protection against brute-force attacks, port scanning detection, and an easy-to-use command-line interface.
This guide will walk you through the complete process of installing and configuring CSF on a fresh Debian 12 server, empowering you to lock down your system effectively.
Step 1: Preparing Your System and Installing Dependencies
Before we begin, it’s crucial to prepare your server. First, ensure your system is up-to-date with the latest security patches and software versions.
sudo apt update && sudo apt upgrade -y
Next, if you have any other firewalls like UFW (Uncomplicated Firewall) or firewalld active, you must disable and remove them to prevent conflicts with CSF.
# To disable and remove UFW
sudo ufw disable
sudo apt purge ufw -y
# To disable and remove firewalld
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo apt purge firewalld -y
CSF requires several Perl packages to function correctly. Install these dependencies with the following command:
sudo apt install wget libwww-perl unzip -y
Step 2: Downloading and Installing CSF
With the prerequisites in place, we can now download and install the CSF firewall.
Navigate to the /usr/src directory, which is the standard location for source code.
cd /usr/src
Download the latest CSF tarball using wget.
sudo wget https://download.configserver.com/csf.tgz
Extract the downloaded archive.
sudo tar -xzf csf.tgz
Change into the newly created CSF directory and run the installation script.
cd csf
sudo sh install.sh
The script will handle the installation process, placing the necessary files in their respective directories.
Step 3: Verifying the Installation and Server Requirements
After the installation completes, it’s important to verify that your server has all the required kernel modules for CSF to function optimally. CSF includes a handy test script for this purpose.
Run the following command:
sudo perl /usr/local/csf/bin/csftest.pl
You should see a "RESULT: csf should function on this server" message. If any tests fail, the output will provide guidance on which Perl modules are missing. You can typically install them using apt.
Step 4: The Essential CSF Configuration
By default, CSF installs in a “testing mode,” which automatically flushes all firewall rules after five minutes. This is a safety feature to prevent you from locking yourself out of your server. Before enabling the firewall, you must configure it properly.
The main configuration file is located at /etc/csf/csf.conf. Open it with your preferred text editor, such as nano:
sudo nano /etc/csf/csf.conf
Here are the most critical initial settings to review and change:
Disable Testing Mode: This is the most important step. Find the line TESTING = "1" and change it to TESTING = "0".
# Set to 0 to disable testing mode
TESTING = "0"
Warning: Do not perform this step until you have confirmed your SSH port is open in the firewall configuration below. Otherwise, you could be locked out of your server.
Define Allowed Ports: Configure which TCP and UDP ports should be open for incoming and outgoing connections. A standard configuration for a web server might look like this:
# Allow incoming TCP ports
TCP_IN = "22,80,443"
# Allow outgoing TCP ports
TCP_OUT = "22,80,443,53"
# Allow incoming UDP ports
UDP_IN = "53"
# Allow outgoing UDP ports
UDP_OUT = "53,123"
- 22: SSH (Ensure this is included so you can access your server!)
- 80: HTTP
- 443: HTTPS
- 53: DNS (Needed for domain lookups)
- 123: NTP (For time synchronization)
Enable Brute-Force Protection: CSF excels at mitigating login failure attacks. You can enable detection for various services. For example, to enable login failure detection for SSH:
# Set the following to the number of failures before blocking the IP
LF_SSHD = "5"
LF_SSHD_PERM = "1"
This configuration will permanently block an IP address after 5 failed SSH login attempts.
Once you have made your changes, save the file and exit the editor.
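A pre-flight check for the lockout warning in this step, as an added example (not part of the original guide or of CSF itself): it reads a csf.conf-style file and confirms the SSH port is covered by TCP_IN before TESTING is set to "0". The function names are hypothetical, the SSH port is supplied by the caller, and the sample config is constructed from the values shown above.

```shell
#!/bin/sh
# Added example: check a csf.conf before TESTING is switched to "0".

# Print the quoted value assigned to key $1 in config file $2 (last match wins).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if port $1 appears in comma-separated list $2.
# Entries may be single ports or low:high ranges, as csf.conf accepts.
port_in_list() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in
            *:*)
                lo=${entry%%:*}; hi=${entry##*:}
                if [ "$1" -ge "$lo" ] 2>/dev/null && [ "$1" -le "$hi" ] 2>/dev/null; then
                    return 0
                fi ;;
            "$1") return 0 ;;
        esac
    done
    return 1
}

# Succeed only if SSH port $2 is allowed inbound by TCP_IN in config file $1.
# Prints one status line either way.
csf_preflight() {
    tcp_in=$(csf_get TCP_IN "$1")
    testing=$(csf_get TESTING "$1")
    if port_in_list "$2" "$tcp_in"; then
        echo "OK: port $2 is in TCP_IN (TESTING=$testing)"
        return 0
    fi
    echo "LOCKOUT RISK: port $2 missing from TCP_IN=\"$tcp_in\" (TESTING=$testing)"
    return 1
}

# Constructed sample config (values from the guide above), checked for two ports.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443"
EOF
csf_preflight "$sample" 22 || true
csf_preflight "$sample" 2222 || true
rm -f "$sample"
```

On a live server, call csf_preflight with /etc/csf/csf.conf and the port your SSH daemon actually listens on, and only change TESTING once it reports OK.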
Step 5: Starting and Enabling the Firewall
Now that CSF is configured, it’s time to apply the new rules and enable the service.
First, restart CSF to load your new configuration:
sudo csf -r
Next, start and enable the CSF service so it runs automatically on boot:
sudo systemctl start csf
sudo systemctl start lfd
sudo systemctl enable csf
sudo systemctl enable lfd
- csf: The core firewall service.
- lfd (Login Failure Daemon): The process that actively monitors for failed login attempts and other suspicious activity.
Your Debian 12 server is now protected by the CSF firewall.
Basic CSF Management Commands
Here are a few essential commands for managing CSF from the command line:
- Allow an IP address:
  sudo csf -a 192.168.1.100
- Deny an IP address:
  sudo csf -d 192.168.1.101
- Remove an IP from the allow/deny lists:
  sudo csf -tr 192.168.1.100 (to remove from temporary blocks)
  sudo csf -dr 192.168.1.101 (to remove from permanent deny list)
- Restart the firewall:
  sudo csf -r
- Temporarily disable the firewall:
  sudo csf -f
- Re-enable the firewall after disabling:
  sudo csf -s
By following these steps, you have successfully replaced the default firewall with a more powerful and configurable security solution. Taking the time to properly install and configure CSF is a significant step toward hardening your Debian 12 server against a wide range of common threats.
Source: https://www.howtoforge.com/how-to-install-csf-config-server-firewall-on-debian-12/


