How to Install Config Server Firewall (CSF) on Debian/Ubuntu

ConfigServer and Security Firewall, abbreviated as CSF, is an open-source and advanced firewall designed for Linux systems. It not only provides the basic functionality of a firewall but also offers a wide array of add-on features such as login/intrusion detection, exploit checks, ping of death protection and so much more.

[ You might also like: 10 Useful Open Source Security Firewalls for Linux Systems ]

Additionally, it also provides UI integration for widely-used control panels such as cPanel, Webmin, Vesta CP, CyberPanel, and DirectAdmin. You can find a full list of supported features and operating systems on ConfigServer’s official website.

In this guide, we will walk you through the installation and configuration of the ConfigServer Security & Firewall (CSF) on Debian and Ubuntu.

Step 1: Install CSF Firewall on Debian and Ubuntu

First off, you need to install some dependencies before you get started out with installing the CSF firewall. On your terminal, update the package index:

$ sudo apt update

Next, install the dependencies as shown:

$ sudo apt install wget libio-socket-ssl-perl git perl iptables libnet-libidn-perl libcrypt-ssleay-perl  libio-socket-inet6-perl libsocket6-perl sendmail dnsutils unzip

With that out of the way, you can now proceed to the next step.

Since CSF is not included in the default Debian and Ubuntu repositories, you need to manually install it. To proceed, download the CSF tarball file which contains all the installation files using the following wget command.

$ wget

This downloads a compressed file called csf.tgz.

Download Config Server Firewall
Download Config Server Firewall

Next, extract the compressed file.

$ tar -xvzf csf.tgz

This creates a folder called csf.

$ ls -l
Config Server Firewall Files
Config Server Firewall Files

Next, navigate into the csf folder.

$ cd csf

Then install CSF Firewall by running the installation script shown.

$ sudo bash

If everything went okay, you should get the output as shown.

Install Config Server Firewall
Install Config Server Firewall

At this point, CSF is installed. However, you need to verify that the required iptables are loaded. To achieve this, run the command:

$ sudo perl /usr/local/csf/bin/
List CSF Iptables Rules
List CSF Iptables Rules

Step 2: Configure CSF Firewall on Debian and Ubuntu

Some additional configuration is needed Next up, we need to modify a few settings to enable CSF. So, head over to the csf.conf configuration file.

$ sudo nano /etc/csf/csf.conf

Edit the TESTING directive from “1” to “0” as indicated below.

Disable CSF Testing
Disable CSF Testing

Next, set the RESTRICT_SYSLOG directive to “3” to restrict rsyslog/syslog access only to members of the RESTRICT_SYSLOG_GROUP.

Restrict CSF Rsyslog Access
Restrict CSF Rsyslog Access

Next, you can open TCP and UDP ports by locating the TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT directives.

By default, the following ports are opened.

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

UDP_IN = "20,21,53,80,443"

UDP_OUT = "20,21,53,113,123"
Open CSF Ports
Open CSF Ports

Chances are that you don’t need all those ports opened, and best server practices demand that you only open the ports you are using. We recommend that you remove all unnecessary ports and leave the ones which are used by the services running on your system.

Once you are done specifying the ports you need, reload CSF as shown.

$ sudo csf -r

To list all the IP table rules defined on the server, run the command:

$ sudo csf -l

You can start and enable the CSF firewall on startup as follows:

$ sudo systemctl start csf
$ sudo systemctl enable csf

Then confirm that indeed the firewall is running:

$ sudo systemctl status csf
Check CSF Status
Check CSF Status

Step 3: Blocking and Allowing IP Addresses in CSF Firewall

One of the key functionalities of a firewall is the ability to allow or block IP addresses from accessing the server. With CSF, you can whitelist (allow), blacklist (deny) or ignore IP addresses by modifying the following configuration files:

  • csf.allow
  • csf.deny
  • csf.ignore

Block an IP Address in CSF

To block an IP address, simply access the csf.deny configuration file.

$ sudo nano /etc/csf/csf.deny

Then specify the IP addresses that you want to block. You can specify the IP addresses line by line as shown:

Or you can use the CIDR notation to block an entire subnet.

Allow an IP Address in CSF

To allow an IP address through Iptables and exclude it from all filters or blocks, edit the csf.allow configuration file.

$ sudo nano /etc/csf/csf.allow

You can list an IP address per line, or use the CIDR addressing as previously demonstrated when blocking IPs.

NOTE: An IP address will be allowed even when it is explicitly defined in the csf.deny configuration file. To ensure that an IP address is blocked or blacklisted, ensure that it is not listed in the csf.allow file.

Exclude an IP Address in CSF

Additionally, CSF provides you with the ability to exclude an IP address from IPtables or filters. Any IP address in the csf.ignore file will be exempted from the iptables filters. It can only be blocked if specified in the csf.deny file.

To exempt an IP address from the filters, access the csf.ignore file.

$ sudo nano /etc/csf/csf.ignore

Once again, you can list the IPs line by line or use CIDR notation.


And that wraps up our guide today. We hope you can now install and configure the CSF firewall without a hitch.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm taking listening to some cool music. taking a casual stroll or watching a nice movie.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

1 Comment

Leave a Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.