Although Uncomplicated Firewall is an outstanding security service on Ubuntu Server, there might be times when you need more. But if you don’t have the time (or the inclination) to learn the highly complex iptables, you might want an option that lies somewhere in between. Such an option is the ConfigServer/Security Firewall combination, which offers a solid firewall solution that can be expanded with add-ons for things such as login/intrusion detection, exploit checks, ping of death protection, and more.
I’ll walk you through the installation of CSF on Ubuntu Server 20.04.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
What you’ll need
In order to install CSF, you’ll need a running instance of Ubuntu Server and a user with sudo privileges. That’s it. Let’s dive in.
How to install ConfigServer on Ubuntu Server 20.04
The first thing to be done is to install the necessary dependencies. Log into your Ubuntu Server and issue the command:
sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip -y
When that command completes, download the latest version of CSF with the command:
Unpack that newly downloaded tar file with:
tar -xvfz csf.tgz
Change into the newly created directory with:
Install CSF by running the included script with:
sudo bash install.sh
Before we continue on, let’s make sure iptables is loaded with:
sudo perl /usr/local/csf/bin/csftest.pl
You should see:
RESULT: csf should function on this server
How to configure CSF on Ubuntu Server 20.04
We’re ready to configure CSF. Open the configuration file with:
sudo nano /etc/csf/csf.conf
The first thing we must do is change the line:
TESTING = "1"
TESTING = "0"
Next, we need to restrict rsyslog/syslog access to members of a specific group. For this, locate the line:
RESTRICT_SYSLOG = "0"
Change that line to:
RESTRICT_SYSLOG = "3"
Now comes the fun part. Scroll down until you see the line starting with:
This is where you can configure ports to be allowed through the firewall. By default CSF will allow ports 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993 and 995. Change that line to only the ports you need open for the server in question.
Next, find the lines starting with TCP_OUT, UDP_IN, and UDP_OUT and do the same thing (configuring only the ports you want open for incoming and outgoing traffic).
Once you’ve completed that task, save and close the file.
Start and enable CSF with the command:
sudo systemctl enable --now csf
How to block and allow IP addresses with CSF
This is one of the ways CSF stands out among the competition. Let me show you how easy it is to block or allow an IP address. To block an IP address, open the deny file with:
sudo nano /etc/csf/csf.deny
At the bottom of that file, add the IP addresses you want to block (one per line), like so:
You can also block an entire subnet like this:
To allow an IP address, open the allow file with:
sudo nano /etc/csf/csf.allow
In that file, add the IP addresses or subnets (in the same way you did for deny) and then save the file.
Finally, you can set CSF to exclude an IP address in the csf.ignore file (which is configured in the same way you configured the deny and allow files).
And that’s all there is to installing and configuring the ConfigServer Security Firewall combination on Ubuntu Server. If you’re looking for a powerful, yet simple, firewall for your servers, this might be exactly what you’re looking for.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.