Install and Configure ConfigServer Firewall (CSF) on Ubuntu 16.04

Config Server Firewall (CSF) is a free, open-source, and powerful software firewall application based on iptables that provides a high level of security to the Linux server. CSF is a Stateful Packet Inspection that can protect your server against different types of attacks, such as brute force, SYN flood, port scan, DOS, and improve server security. CSF comes with an easy-to-use, advanced interface for managing your firewall settings. CSF allows you to configure your server's firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites. CSF continues to watch your user activity for login failures. If a large amount of login failures are seen coming from the same IP address, that IP will immediately be temporarily blocked from all services on your server. You can manually add and remove whitelist or blacklist IPs in your firewall through ConfigServer interface.

In this tutorial. I am going to explain how to install and configure Config Server Firewall (CSF) on Alibaba Cloud Elastic Compute Service (ECS) instance with Ubuntu 16.04.

Requirements

• A fresh Alibaba Cloud Ubuntu 16.04 instance with minimum 2GB of RAM.
• A static IP address is configured.
• A Root password is set up on the server.

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install CSF

By default, CSF is not available in the Ubuntu 16.04 default repository. So, you will need to download and install CSF from their source. You can download the CSF source with the following command:

wget http://download.configserver.com/csf.tgz

Once the download is completed, extract the downloaded file with the following command:

tar -xvzf csf.tgz

Next, change the directory to csf and install CSF by running the following script:

cd csf
bash csf.sh

Once the installation has been completed, you should see the following output:

Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
'csf/LICENSE.txt' -> 'webmin/csf/images/LICENSE.txt'
'csf/bootstrap/js/bootstrap.min.js' -> 'webmin/csf/images/bootstrap/js/bootstrap.min.js'
'csf/bootstrap/css/bootstrap.min.css.map' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css.map'
'csf/bootstrap/css/bootstrap.min.css' -> 'webmin/csf/images/bootstrap/css/bootstrap.min.css'
'csf/bootstrap/fonts/glyphicons-halflings-regular.eot' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.eot'
'csf/bootstrap/fonts/glyphicons-halflings-regular.woff2' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff2'
'csf/bootstrap/fonts/glyphicons-halflings-regular.svg' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.svg'
'csf/bootstrap/fonts/glyphicons-halflings-regular.ttf' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.ttf'
'csf/bootstrap/fonts/glyphicons-halflings-regular.woff' -> 'webmin/csf/images/bootstrap/fonts/glyphicons-halflings-regular.woff'
'csf/bootstrap-chosen.css' -> 'webmin/csf/images/bootstrap-chosen.css'
'csf/chosen-sprite.png' -> 'webmin/csf/images/chosen-sprite.png'
'csf/chosen-sprite@2x.png' -> 'webmin/csf/images/chosen-sprite@2x.png'
'csf/chosen.min.css' -> 'webmin/csf/images/chosen.min.css'
'csf/chosen.min.js' -> 'webmin/csf/images/chosen.min.js'
'csf/configserver.css' -> 'webmin/csf/images/configserver.css'
'csf/csf-loader.gif' -> 'webmin/csf/images/csf-loader.gif'
'csf/csf.svg' -> 'webmin/csf/images/csf.svg'
'csf/csf_small.png' -> 'webmin/csf/images/csf_small.png'
'csf/jquery.min.js' -> 'webmin/csf/images/jquery.min.js'
'csf/loader.gif' -> 'webmin/csf/images/loader.gif'
'/etc/csf/csfwebmin.tgz' -> '/usr/local/csf/csfwebmin.tgz'

Installation Completed

Next, you will need to verify whether all of the required firewall modules are available in the server. You can test it with the following command:

perl /usr/local/csf/bin/csftest.pl

Output:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

All the configuration files of csf are located under the /etc/csf directory. The following files are the main configuration file of CSF:

• csf.conf: The main configuration file

• csf.allow: The list of allowed IP’s and CIDR addresses on the firewall

• csf.deny: The list of denied IP’s and CIDR addresses on the firewall

• csf.ignore: The list of ignored IP’s and CIDR addresses on the firewall

Configure CSF Firewall

The default CSF configuration file is located at /etc/csf directory. First, enable the CSF and add basic incoming and outgoing ports with the following command:

nano /etc/csf/csf.conf

Make the following changes:

# lfd will not start while this is enabled
TESTING = "0"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

Save and close the file. Then, reload the CFS firewall with the following command:

csf -r

You can see the list of default rules by running the following command:

csf -l

CSF Advance Configuration

CSF allows you to block the login failure of various services like SSH, FTP, and SMTP. You can also configure CSF to prevent the server from DDOS attacks. You can do this by configuring csf.conf file as below:

nano /etc/csf/csf.conf

Make the following changes:

#Set the PERM setting to "1" to permanently block the IP address, or LF_TRIGGER_PERM can be set to 
#value greater than  "1" and the IP address will be blocked temporarily for that value in seconds.

LF_TRIGGER_PERM = 1

#Block the users on the 22, 21 and 25 port after a 3 failed connection attempt.

LF_SSHD = 3
LF_FTPD = 3
LF_SMTPAUTH = 3

#To prevent Distributed Attacks from making multiple failed attempts from different IP addresses. You can set #the minimum amount of unique IP addresses allowed to log in with the same credentials is 3 as below:
LF_DISTATTACK = 1
LF_DISTATTACK_UNIQ = 3

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked

LF_DISFTP = 1
LF_DISTFTP_UNIQ = 3
LF_DISTFTP_PERM = 1

#Limit the number of connections allowed from a single host
CT_LIMIT = "20"

#Connection Tracking interval in seconds.
CT_INTERVAL = "10"

#Set this to 1 to block ips permanent.
CT_PERMANENT = 1

#Sent email alerts for each blocked ip.
CT_EMAIL_ALERT =1

#If you opt for temporary IP blocks for CT, then the following is the interval
#in seconds that the IP will remain blocked
CT_BLOCK_TIME = 1800

#The number of connections to port 80 exceeds 30 in five seconds, all the new connections will be blocked.
PORTFLOOD = "80;tcp;30;5"

Save and close the file when you are finished.

You can also monitor critical system files for changes by checking md5 sums periodically and will alert you of changes. You can do this by editing /etc/csf/csf.dirwatch file.

nano /etc/csf/csf.dirwatch

Add important files that would indicate a security breach:

/root/.ssh/authorized_keys
/etc/ssh/sshd_config
/etc/shadow

Save and close the file. Then, reload CFS and lfd to apply the changes:

csf -r
service lfd restart

Working With CSF

You can also allow, deny, remove, and perform other tasks using the CFS command line.

To allow an IP address:

csf -a 192.168.0.103

To deny an IP address:

csf -d 192.168.0.103

To remove a blocked IP address:

csf -dr 192.168.0.103

To check whether an IP is blocked by CSF:

csf -g 192.168.0.103

To disable csf and lfd completely:

csf -x

To enable the CSF firewall:

csf -e

To flush the CSF firewall:

csf -f

To remove an IP from the allow list:

csf -ar 192.168.0.103

To restart the CSF firewall:

csf -r

Install CSF Web UI

CSF Web UI requires some perl modules to be installed on your system. You can install all of them by running the following command:

apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl -y

Next, enable the CSF Web UI by editing /etc/csf/csf.conf file:

nano /etc/csf/csf.conf

Make the following changes:

# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
## Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"

# Leave blank to bind to all IP addresses on the server
UI_IP = ""

# This should be a secure, hard to guess username
# 
# This must be changed from the default
UI_USER = "admin"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "admin"

Save and close the file. Then, all IP addresses to /etc/csf/ui/ui.allow will allow access to CSF UI:

nano /etc/csf/ui/ui.allow

Add your IP address

192.168.0.103

Save and close the file. Next, you will need to start lfd daemon to apply the changes:

service lfd restart

You can check the status of lfd with the following command:

service lfd status

Output:

● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-09-08 20:19:49 IST; 5s ago
  Process: 7741 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 7756 (lfd - sleeping)
   CGroup: /system.slice/lfd.service
           ├─7756 lfd - sleepin
           ├─7763 lfd U
           ├─7764 lfd - retrieving countrycodelookups list
           ├─7765 lfd - checking system integrit
           ├─7767 sh -c /usr/bin/md5sum /usr/bin/* /usr/sbin/* /bin/* /sbin/* /usr/local/bin/* /usr/local/sbin/* /etc/init.d/* /etc/xinetd.d/* 
           └─7769 /usr/bin/md5sum /usr/bin/2to3 /usr/bin/2to3-2.7 /usr/bin/2to3-3.5 /usr/bin/Mail /usr/bin/NF /usr/bin/[ /usr/bin/aa-enabled /u

Sep 08 20:19:47 mail.example.com systemd[1]: Starting ConfigServer Firewall & Security - lfd...
Sep 08 20:19:49 mail.example.com systemd[1]: Started ConfigServer Firewall & Security - lfd.

Now, open your web browser and type the URL https://your-ip-address:8080. You will be redirected to the CSF Web UI login page. Here, provide the username and the password, which you specified earlier. You will be redirected to the CSF Web UI:

Congratulations! You have successfully installed and configured the CSF firewall on the Ubuntu 16.04 server. You can now easily configure and manage the CSF firewall through CSF Web UI.