How to install and configure CSF (Config Server Firewall) on Ubuntu 20.04 LTS

2021-03-24 By Ryan 4142 Views linux csf firewall security
26 reviews

Config Server Firewall (CSF) is a popular security tool for Linux that comes with multiple features such as a stateful packet inspection firewall (SPI), intrusion detection, a login failure daemon, DDOS protection, and control panel integration.

This guide will describe the installation, basic configuration, and important commands for CSF on Ubuntu 20.04 LTS server. Please take SSH access to the Ubuntu server as root or a sudo user for running the steps.

Prepare the Ubuntu server for the CSF Installation

  1. Run the below command to remove the UFW Firewall which is installed on Ubuntu 20.04 by default.

    # apt remove ufw


  2. Install the CSF dependencies and Sendmail to send alerts to the administrator.

    # apt install perl zip unzip libwww-perl liblwp-protocol-https-perl


    # apt install sendmail-bin


Initiate the CSF Installation

  1. Change the directory on the cloud server to /usr/src and download the CSF distribution, then extract CSF.

    # cd /usr/src  
    # wget 
    # tar -xzf csf.tgz


  2. Change to /usr/src/csf and install the script.

    # cd csf
    # sh


  3. Run the below command to verify the required iptables modules for CSF are available. You may confirm that all tests report OK and the result will be the same as in the image below.

    # perl /usr/local/csf/bin/


  4. Verify the CSF status with the below command once installation is completed.

    # csf -v


Start CSF Configuration

  1. First edit the /etc/csf/csf.conf to disable the TESTING mode. By default, CSF runs in TESTING mode.

    # vi /etc/csf/csf.conf

    Locate the line TESTING = 1 and change the value to 0 as in the below image.


  2. Locate the line RESTRICT_SYSLOG = "0", and change the value to 3 to set the access of syslog/rsyslog files for only the members of the RESTRICT_SYSLOG_GROUP.


  3. Save the configuration file and then stop and reload CSF with the below command.

    # csf -ra


Important CSF Commands & Configuration

  1. Start CSF tool.

    # csf -s


  2. Stop/Flush CSF tool.

    # csf -f


  3. Restart CSF tools.

    # csf -ra


  4. Edit /etc/csf/csf.conf to allow IP traffic by port.

    # vi /etc/csf/csf.conf

    Locate the lines shown in the below image and add the required ports.


    Restart CSF for the changes to take effect.

    # csf -ra


  5. Deny by IP address.

    # csf -d


  6. Allow by IP address.

    # csf -a


  7. Remove IP from the allow list.

    # csf -ar


  8. Remove IP from the deny list.

    # csf -dr


  9. Block IP addresses by adding an entry to /etc/csf/csf.deny.


  10. Add trusted IP addresses to /etc/csf/csf.allow.


  11. Check ALL listening ports.

    # csf -p


What do you think about this article?

Rate this article
Need assistance?

Try this guide to receive free bundled services at signup on a new free account.

Sign Up

Your Feedback Is Important

We hope you’ll give the new products and updates a try. If you have an idea for improving our products or want to vote on other user ideas so they get prioritized, please submit your feedback on our Community platform. And if you have any questions, please feel free to ask in the Community or contact our Technical Support team.