Initial Setup
Update the package lists so that the latest packages are available.
sudo apt update
By default Ubuntu 20.04 ships with UFW, a basic firewall. CSF manages iptables directly and must not compete with another front end, so remove UFW using the command below.
sudo apt remove ufw
Install Dependencies
Install the required dependencies that are used by CSF.
sudo apt install perl zip unzip libwww-perl liblwp-protocol-https-perl
Now you have all dependencies to install and configure CSF.
Install CSF
Navigate to the /usr/src directory.
Download the latest package using wget.
sudo wget https://download.configserver.com/csf.tgz
Extract the downloaded package.
sudo tar -xzvf csf.tgz
Now install CSF.
cd csf
sudo sh install.sh
Now you will receive an output as below which indicates the successful installation.
Installation Completed
Verify if the required iptables modules are present.
sudo perl /usr/local/csf/bin/csftest.pl
You will receive an output similar to the one below.
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
You can check the CSF version using the following command.
sudo csf -v
csf: v14.10 (generic)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
Configure CSF
Once the firewall is installed it runs in TESTING mode by default. In this mode a cron job periodically flushes the rules so that a mistake in the configuration cannot lock you out, but it also means the firewall is not yet protecting the server.
To disable TESTING mode you need to make changes to the /etc/csf/csf.conf file.
sudo nano /etc/csf/csf.conf
Locate the line TESTING = "1", and change the value to "0".
TESTING = "0"
Locate the line RESTRICT_SYSLOG = "0", and change the value to "3". This means only members of the RESTRICT_SYSLOG_GROUP may access syslog/rsyslog files.
RESTRICT_SYSLOG = "3"
Hit CTRL+X followed by Y and ENTER to save and exit the file.
Reload CSF.
sudo csf -ra
Additional Configuration
To allow connections on additional ports, edit /etc/csf/csf.conf.
Locate the TCP_IN directive and add your ports.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
I have added the MySQL port to connect to a remote server.
Restart CSF after each change.
sudo csf -ra
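The two sections above (disabling TESTING mode and editing TCP_IN/TCP_OUT) are both edits to the same file, and the order matters: if the SSH port is missing from TCP_IN when TESTING is switched off, the next reload closes the session you are working from. The following helper functions are an added example written for this article, not part of CSF itself; the function names are my own, and they assume only the `KEY = "value"` line format that csf.conf uses for the directives shown above. Paths are parameters so the functions can be exercised on a constructed copy before touching /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): edit csf.conf-style
# directives safely and refuse to leave TESTING mode unless the SSH port is in
# TCP_IN. Values must not contain sed-special characters (ports lists do not).

# csf_set_value FILE KEY VALUE
# Rewrites the line `KEY = "..."` in FILE, keeping a FILE.bak copy first.
csf_set_value() {
    file=$1; key=$2; value=$3
    grep -q "^${key} = " "$file" || { echo "key ${key} not found in ${file}" >&2; return 1; }
    cp "$file" "${file}.bak"                      # keep the previous configuration
    sed "s/^${key} = \".*\"/${key} = \"${value}\"/" "$file" > "${file}.tmp" \
        && mv "${file}.tmp" "$file"
}

# csf_get_value FILE KEY -> prints the value without the surrounding quotes
csf_get_value() {
    sed -n "s/^${2} = \"\(.*\)\"/\1/p" "$1"
}

# csf_port_listed FILE DIRECTIVE PORT -> succeeds if PORT is in the comma list
csf_port_listed() {
    ports=$(csf_get_value "$1" "$2")
    echo ",${ports}," | grep -q ",${3},"
}

# csf_disable_testing FILE SSH_PORT
# Leaving TESTING mode makes the rules permanent, so verify the SSH port is
# allowed inbound first; otherwise the next `csf -ra` would lock you out.
csf_disable_testing() {
    if ! csf_port_listed "$1" TCP_IN "$2"; then
        echo "refusing to disable TESTING: port $2 is not in TCP_IN" >&2
        return 1
    fi
    csf_set_value "$1" TESTING 0
}

# csf_make_sample FILE: write a constructed four-line stand-in for csf.conf
# (the real file is much longer); port 22 is deliberately missing from TCP_IN.
csf_make_sample() {
    cat > "$1" <<'EOF'
TESTING = "1"
RESTRICT_SYSLOG = "0"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
}

# On a real host, after checking the values, the same calls would be:
#   csf_set_value /etc/csf/csf.conf RESTRICT_SYSLOG 3
#   csf_disable_testing /etc/csf/csf.conf 22 && sudo csf -ra
```

Run it against a copy first (`csf_make_sample /tmp/csf.conf` followed by `csf_disable_testing /tmp/csf.conf 22`) to see the refusal when TCP_IN lacks the SSH port; only after `csf_disable_testing` succeeds on the real file is `sudo csf -ra` safe to run from a remote session.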
Essential Commands to Manage CSF
Start CSF
sudo csf -s
Stop CSF
sudo csf -f
Restart CSF
You must restart CSF each time the configuration file changes.
sudo csf -ra
Allow IP address
Use the -a option to allow an IP address.
sudo csf -a 10.0.2.12
Deny IP address
Use the -d option to deny an IP address.
sudo csf -d 10.0.2.12
Remove IP from allow list
sudo csf -ar 10.0.2.12
Remove IP from deny list
sudo csf -dr 10.0.2.12
Check if IP is blocked
sudo csf -g IP-ADDRESS
Remove IP from the temporary block list
sudo csf -tr IP-ADDRESS
Allow IP lists
Add your IPs, one per line, to the allow file /etc/csf/csf.allow.
Deny IP lists
Add your IPs, one per line, to the deny file /etc/csf/csf.deny.
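Because csf.allow and csf.deny are plain text lists that CSF reads on every restart, a malformed line or an address that appears in both files is easy to introduce when entries are appended by hand or by a script. The functions below are an added example written for this article, not CSF's own tooling; the names are mine, and they assume the one-entry-per-line format with an optional `# comment` that both files use. They validate the IPv4 address or CIDR before writing, skip duplicates, and refuse to deny an address that is still on the allow list, so the two lists never contradict each other.

```shell
#!/bin/sh
# Added example (not from the original article or from CSF): maintain
# csf.allow/csf.deny-style lists with validation and duplicate checks.
# File paths are parameters; on a real host pass /etc/csf/csf.allow and
# /etc/csf/csf.deny (as root) and follow up with `sudo csf -ra`.

# csf_valid_ipv4 ADDR -> succeeds for a dotted quad with an optional /prefix
csf_valid_ipv4() {
    ip=${1%%/*}                                   # strip an optional /prefix
    prefix=${1#"$ip"}; prefix=${prefix#/}
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;         # non-digit, empty octet, edge dot
    esac
    n=0; oldifs=$IFS; IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ] || return 1
    if [ -n "$prefix" ]; then
        case $prefix in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# csf_escape ADDR -> the address with dots escaped for use in a regex
csf_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# csf_list_has FILE ADDR -> succeeds if ADDR is an entry (exact match, not prefix)
csf_list_has() {
    [ -f "$1" ] && grep -Eq "^$(csf_escape "$2")([[:space:]]|#|\$)" "$1"
}

# csf_list_add FILE ADDR [COMMENT]: append a validated, non-duplicate entry
csf_list_add() {
    file=$1; addr=$2; comment=${3:-added by csf_list_add}
    csf_valid_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    if csf_list_has "$file" "$addr"; then
        echo "$addr already listed in $file" >&2
        return 0
    fi
    printf '%s # %s\n' "$addr" "$comment" >> "$file"
}

# csf_list_remove FILE ADDR: drop the entry line for ADDR, if present
csf_list_remove() {
    file=$1; esc=$(csf_escape "$2")
    [ -f "$file" ] || return 0
    grep -Ev "^${esc}([[:space:]]|#|\$)" "$file" > "${file}.tmp" || :
    mv "${file}.tmp" "$file"
}

# csf_deny_add ALLOWFILE DENYFILE ADDR [COMMENT]
# Refuse to deny an address that is still allowed; an entry in both lists is
# a configuration mistake that should be resolved explicitly, not silently.
csf_deny_add() {
    if csf_list_has "$1" "$3"; then
        echo "$3 is in $1; remove it from the allow list before denying it" >&2
        return 1
    fi
    csf_list_add "$2" "$3" "${4:-}"
}
```

A typical sequence is `csf_list_add /etc/csf/csf.allow 10.0.2.12 "office VPN"` for a trusted address and `csf_deny_add /etc/csf/csf.allow /etc/csf/csf.deny 203.0.113.7 "repeated SSH failures"` for a hostile one, followed by `sudo csf -ra` so CSF reloads the lists; the exact-match regex in `csf_list_has` is what keeps `10.0.2.1` from being mistaken for an existing `10.0.2.12` entry.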