Linux servers have gained tremendous popularity among businesses and individuals due to their flexibility, cost-effectiveness, and powerful performance. However, ensuring the security of these servers is of paramount importance.

In this article, we’ll explore how to secure Linux servers using CSF (ConfigServer Security & Firewall) or similar software, and provide you with links and examples to fortify your server.

What is CSF?

CSF is a stateful packet inspection (SPI) firewall for Linux servers, implemented as a front-end that generates and manages iptables rules. It provides an easy-to-use interface and comprehensive security features, making it a popular choice among system administrators.

CSF is not only a firewall: it ships with lfd (the Login Failure Daemon), which watches the authentication logs for repeated failures, detects port scans and suspicious processes, and blocks the offending addresses in the firewall.

You can learn more about CSF and its features on the official ConfigServer website: https://configserver.com/cp/csf.html

Why Choose CSF?

There are several reasons to choose CSF over other firewall solutions for your Linux server:

  • Easy installation and setup
  • Regular updates and active community support
  • Compatibility with most Linux distributions and control panels
  • Comprehensive security features, including intrusion detection and login failure tracking
  • Customizable configuration options

How to Install and Configure CSF

Before installing CSF, disable or uninstall any other firewall manager on the server (for example ufw on Ubuntu or firewalld on RHEL-based systems); two tools rewriting the same iptables rules will undo each other's work. CSF also needs Perl with the LWP module (package libwww-perl on Debian/Ubuntu, plus liblwp-protocol-https-perl for HTTPS downloads). Follow these steps to install and configure CSF:

  1. Log into your server as the root user via SSH.
  2. Download the latest version of CSF over HTTPS:
wget https://download.configserver.com/csf.tgz
  3. Extract the downloaded archive:
tar -xzf csf.tgz
  4. Navigate to the extracted directory and run the installer script:
cd csf
sh install.sh
  5. Check that the kernel provides the iptables modules CSF relies on:
perl /usr/local/csf/bin/csftest.pl
  6. Open the configuration file at /etc/csf/csf.conf with your favorite text editor (e.g., nano or vim) and customize the settings to suit your security requirements, starting with the port lists (TCP_IN, TCP_OUT, UDP_IN, UDP_OUT).
  7. CSF installs in testing mode (TESTING = "1"), in which a cron job flushes the rules every TESTING_INTERVAL minutes so that a mistake cannot lock you out. Once csftest.pl passes and you have confirmed you can still reach the server with the rules loaded, change TESTING to 0.
  8. Restart both the firewall rules and the lfd daemon to apply the changes:
csf -ra

For more detailed instructions and configuration options, refer to the official CSF documentation: the commented /etc/csf/csf.conf itself and /etc/csf/readme.txt, both installed with the package.

Optimal CSF Configuration for Enhanced Security

Here are some recommended settings for an optimal CSF configuration to enhance your Linux server’s security.

Keep in mind that these settings might not be suitable for every server environment, so it’s important to tailor them according to your specific needs. Always test any changes before implementing them on a production server.

  1. Restrict Incoming and Outgoing Connections

Limit incoming and outgoing connections to only the necessary ports by listing them in TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT (comma-separated port numbers, or low:high ranges). For example, on a web server administered over SSH:

TCP_IN = "22,80,443"
TCP_OUT = "22,80,443,53"
UDP_IN = "53"
UDP_OUT = "53"

Keep 53 (DNS) in the outgoing lists and 80/443 in TCP_OUT so that name resolution and package updates keep working; UDP_IN 53 is only needed if this host serves DNS, and TCP_OUT needs 25 or 587 only if the server sends mail. If the server has IPv6 addresses, set IPV6 = "1" and fill in the matching TCP6_IN, TCP6_OUT, UDP6_IN, and UDP6_OUT lists, otherwise IPv6 traffic is not filtered the way you expect.
  2. Enable Login Failure Detection

Have lfd block addresses that repeatedly fail to log in by setting the LF_* thresholds in the configuration file:

LF_TRIGGER = "0"
LF_INTERVAL = "3600"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_SMTPAUTH = "5"
LF_POP3D = "10"
LF_IMAPD = "10"

LF_TRIGGER = "0" tells lfd to use the per-application thresholds; a non-zero LF_TRIGGER instead counts failures across all applications together, and the individual LF_SSHD, LF_FTPD and similar values are then ignored. With the values above, 5 failed SSH logins within LF_INTERVAL seconds (one hour) block the source address, and LF_SSHD_PERM = "1" makes that block permanent (a value greater than 1 is a temporary block of that many seconds; each application has its own *_PERM setting). Before enabling this, add the addresses you administer from to /etc/csf/csf.allow (never blocked) or /etc/csf/csf.ignore (ignored by lfd), so that a mistyped password cannot lock you out. To see why an address is blocked use csf -g <ip>; csf -tr <ip> removes a temporary block and csf -dr <ip> a permanent one.

  3. Enable Process Tracking

Have lfd report user processes that run for too long or use too much memory, a common sign of a compromised account running a miner, bot, or proxy:

PT_LIMIT = "60"
PT_INTERVAL = "60"
PT_USERMEM = "200"
PT_USERTIME = "1800"
PT_USERKILL = "0"

PT_LIMIT is the number of seconds a process must have been running before lfd reports it (0 disables tracking), and PT_INTERVAL is how often lfd scans the process list. PT_USERMEM (in MB) and PT_USERTIME (in seconds) are the per-process memory and run-time limits that trigger an alert. PT_USERKILL = "1" kills processes that exceed these limits; CSF's own configuration comments advise against it, because legitimate long jobs (backups, builds, cron tasks) get killed too, so keep it at "0" unless you have reviewed what lfd reports and excluded the legitimate processes via PT_SKIP_HTTP or /etc/csf/csf.pignore.

  4. Restart CSF after making any changes to the configuration file. csf -r reloads only the iptables rules; the LF_* and PT_* settings are read by the lfd daemon, so restart both:
csf -ra
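As an added example (not code from the article or from CSF), the following POSIX sh script applies the settings from this section, together with the TESTING = "0" switch from the install steps, through a small idempotent editor for csf.conf-style lines. The editor refuses to touch keys that do not already exist, so a typo cannot silently create a setting that csf never reads, and it whitelists the admin address before the login-failure thresholds go live. The sample configuration, the admin address 203.0.113.10 and the csf.allow path are assumptions for the demo; nothing here runs csf itself.

```shell
#!/bin/sh
# Added example, not part of the article or of CSF: an idempotent editor for
# csf.conf-style 'KEY = "value"' lines, used to apply the hardening settings
# discussed above and the TESTING = "0" switch from the install steps.
# It refuses to touch keys that do not already exist, so a typo cannot
# silently create a setting that csf will never read. The sample config and
# addresses are constructed for the demo; nothing here runs csf itself.
set -eu

# True if KEY is defined in FILE.
csf_has() { grep -q "^$1 = \"" "$2"; }

# Print the current value of KEY in FILE (quotes stripped).
csf_get() { sed -n "s/^$1 = \"\([^\"]*\)\".*/\1/p" "$2" | head -n 1; }

# Set KEY to VALUE in FILE. Writes through a temp file and 'cat's it back so
# the original keeps its owner and mode (csf.conf is root:root 0600).
csf_set() {  # csf_set KEY VALUE FILE
    csf_has "$1" "$3" || { printf 'csf_set: %s is not a setting in %s\n' "$1" "$3" >&2; return 1; }
    esc=$(printf '%s' "$2" | sed 's/[&\\|]/\\&/g')   # escape sed replacement metacharacters
    tmp=$(mktemp)
    sed "s|^$1 = \".*\"|$1 = \"$esc\"|" "$3" > "$tmp"
    cat "$tmp" > "$3"
    rm -f "$tmp"
}

# Accept only the syntax TCP_IN/TCP_OUT/UDP_IN/UDP_OUT understand: comma-separated
# ports or low:high ranges, each within 0-65535. An empty list is allowed.
valid_ports() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        !/^[0-9]+(:[0-9]+)?$/ { bad = 1; next }
        { n = split($0, p, ":"); for (i = 1; i <= n; i++) if (p[i] + 0 > 65535) bad = 1 }
        END { exit bad + 0 }'
}

# Put the admin address in csf.allow (never blocked by csf or lfd) before the
# login-failure thresholds go live, so a mistyped password cannot lock you out.
allow_admin() {  # allow_admin IP ALLOWFILE
    ipre=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^$ipre([[:space:]]|$)" "$2" 2>/dev/null && return 0
    printf '%s # admin workstation\n' "$1" >> "$2"
}

# Apply the settings from this section to CONF.
harden() {  # harden CONF ADMIN_IP ALLOWFILE
    for list in "22,80,443" "22,80,443,53" "53" "53"; do
        valid_ports "$list" || { echo "bad port list: $list" >&2; return 1; }
    done
    allow_admin "$2" "$3"
    csf_set TCP_IN       "22,80,443"    "$1"
    csf_set TCP_OUT      "22,80,443,53" "$1"
    csf_set UDP_IN       "53"           "$1"
    csf_set UDP_OUT      "53"           "$1"
    csf_set LF_TRIGGER   "0"    "$1"   # 0 = use the per-application thresholds
    csf_set LF_INTERVAL  "3600" "$1"
    csf_set LF_SSHD      "5"    "$1"
    csf_set LF_SSHD_PERM "1"    "$1"   # 1 = permanent block, N>1 = seconds
    csf_set PT_LIMIT     "60"   "$1"
    csf_set PT_USERKILL  "0"    "$1"   # report, do not kill
    csf_set TESTING      "0"    "$1"   # leave testing mode (install step 7)
}

# Constructed stand-in for /etc/csf/csf.conf with CSF-like defaults; prints its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53,80,443"
UDP_OUT = "20,21,53,113,123"
LF_TRIGGER = "0"
LF_INTERVAL = "3600"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
PT_LIMIT = "60"
PT_USERKILL = "0"
SYNFLOOD_RATE = "100/s"
EOF
    echo "$f"
}

if [ "$#" -ge 2 ]; then
    harden "$1" "$2" "${3:-/etc/csf/csf.allow}"   # e.g. ./harden.sh /etc/csf/csf.conf 203.0.113.10 && csf -ra
else
    conf=$(sample_conf); allow=$(mktemp)
    harden "$conf" "203.0.113.10" "$allow"
    printf 'TCP_IN=%s TESTING=%s\n' "$(csf_get TCP_IN "$conf")" "$(csf_get TESTING "$conf")"
    rm -f "$conf" "$allow"
fi
```

Run it without arguments to see the demo on the constructed file; with a path and an address it edits that file in place, after which csf -ra loads the result.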

Using Profiles in CSF for Enhanced Security

Profiles in CSF are predefined sets of configuration options tailored to specific use cases or security levels. They allow you to quickly switch between different configurations without manually adjusting individual settings.

This can be especially useful when you want to enforce stricter security measures or relax the rules temporarily. In this section, we’ll explain what profiles are, how to use them, and some considerations when implementing them.

What are CSF Profiles?

CSF profiles are files in /usr/local/csf/profiles/ that hold a subset of csf.conf settings. Applying a profile copies just those settings into /etc/csf/csf.conf and leaves everything else untouched, so a single command switches between configurations.

CSF ships with a handful of profiles named for what they do: low, medium and high protection levels (protection_low, protection_medium and protection_high), profiles that temporarily or permanently block all traffic, one that disables alerts, and one that resets csf.conf to the defaults. The exact set depends on your CSF version, so trust the output of csf --profile list rather than this page.

How to Use CSF Profiles

  1. List the profiles (and backups) available on your version; the profile files live in /usr/local/csf/profiles:
csf --profile list
  2. Before applying anything, see which settings a profile would change compared with your current csf.conf:
csf --profile diff <profile_name>
  3. Back up the current configuration under a name you choose so you can return to it (apply also takes a backup of its own first, but a named one is easier to find later):
csf --profile backup <backup_name>
  4. Apply the profile, then restart csf and lfd:
csf --profile apply <profile_name>
csf -ra
  5. If the new settings cause problems, restore the backup and restart again:
csf --profile restore <backup_name>
csf -ra
  6. To create a custom profile, put only the settings you want to override into a new file in the profiles directory, for example:
cat > /usr/local/csf/profiles/my_custom_profile.conf <<'EOF'
LF_SSHD = "3"
LF_SSHD_PERM = "1"
SYNFLOOD = "1"
EOF

A profile needs to contain only the settings it changes. Copying the whole csf.conf into the profiles directory works, but every setting you later change in csf.conf will be reverted when that profile is applied, and the diff output becomes useless. Preview the custom profile with csf --profile diff my_custom_profile, then apply it with csf --profile apply my_custom_profile as above.

Considerations When Using CSF Profiles

  1. Backup your current configuration before applying a new profile. This ensures that you can easily revert to the previous settings if needed.
  2. Test the new profile in a non-production environment before applying it to a live server. This helps identify any potential issues or conflicts that could arise.
  3. When creating custom profiles, ensure that you follow best practices for securing Linux servers, and consider your specific use case and environment.
  4. Regularly review and update your profiles to stay up-to-date with the latest security recommendations and best practices.
  5. Keep in mind that applying a new profile will overwrite the current settings. Make sure to double-check the contents of the profile before applying it, especially if you’re using a custom profile or have made changes to the default profiles.
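To make consideration 5 concrete, here is an added example (not CSF's own code) that previews what applying a profile would change without needing csf on the machine you review from: for each setting the profile overrides it prints the current and new value, and it flags keys that the target csf.conf does not contain at all, which is how a typo or a setting from a different CSF version shows up. Both files used in the demo are constructed; pass a profile path and a csf.conf path as arguments to check real ones.

```shell
#!/bin/sh
# Added example, not CSF's own code: preview what applying a profile would
# change, offline. A profile holds only the settings it overrides, so for each
# of them this prints "KEY: current -> new", and it flags keys that the target
# csf.conf does not contain (a typo, or a setting from another CSF version,
# which apply would write but csf would never read). Demo files are constructed.
set -eu

# settings FILE -> "KEY<TAB>value" for every 'KEY = "value"' line
settings() {
    awk -F' = ' '/^[A-Z0-9_]+ = "/ {
        v = $2; sub(/^"/, "", v); sub(/".*$/, "", v)
        print $1 "\t" v
    }' "$1"
}

# profile_preview PROFILE CONF -> change list on stdout; returns 1 if any key is unknown
profile_preview() {
    cur=$(mktemp); new=$(mktemp)
    settings "$2" > "$cur"
    settings "$1" > "$new"
    if awk -F'\t' '
        FILENAME == ARGV[1] { current[$1] = $2; next }       # first pass: csf.conf
        !($1 in current)   { print $1 ": not a setting in csf.conf"; unknown = 1; next }
        current[$1] != $2  { print $1 ": " current[$1] " -> " $2 }
        END { exit unknown + 0 }
    ' "$cur" "$new"; then rc=0; else rc=$?; fi
    rm -f "$cur" "$new"
    return $rc
}

# Constructed stand-ins: a csf.conf fragment and a stricter profile that also
# carries one misspelled key on purpose.
sample_conf() {
    f=$(mktemp); cat > "$f" <<'EOF'
LF_SSHD = "5"
LF_SSHD_PERM = "1"
SYNFLOOD = "0"
PT_USERKILL = "0"
EOF
    echo "$f"
}
sample_profile() {
    f=$(mktemp); cat > "$f" <<'EOF'
LF_SSHD = "3"
LF_SSHD_PERM = "1"
SYNFLOOD = "1"
PT_USER_KILL = "1"
EOF
    echo "$f"
}

if [ $# -eq 2 ]; then
    profile_preview "$1" "$2"   # e.g. ./preview.sh /usr/local/csf/profiles/my_custom_profile.conf /etc/csf/csf.conf
else
    p=$(sample_profile); c=$(sample_conf)
    profile_preview "$p" "$c" || echo "refusing: profile contains keys csf.conf does not have"
    rm -f "$p" "$c"
fi
```

The non-zero exit status on unknown keys is deliberate, so the script can gate an automated apply step; csf --profile diff shows the value changes but will not tell you that PT_USER_KILL is not a real setting.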

By understanding and utilizing CSF profiles, you can efficiently manage and switch between different security configurations for your Linux server. This not only saves time but also ensures that your server stays protected under various circumstances.

Setting Up the CSF User Interface

CSF provides a web-based user interface (UI) for managing and configuring the firewall. This graphical interface is particularly useful for those who are not comfortable working with command-line tools or prefer a visual way of managing settings.

In this section, we’ll walk you through setting up the CSF UI and discuss some considerations for using it.

How to Set Up the CSF UI

The CSF UI is available by default for popular control panels such as cPanel, DirectAdmin, and Webmin. If you are using one of these control panels, the CSF UI should already be integrated into your panel.

For other control panels or a server without a control panel, you can set up the CSF UI using the following steps:

  1. Ensure that the Perl modules the integrated UI needs are installed. The UI is served by lfd over HTTPS only, so it needs IO::Socket::SSL and Net::SSLeay; LWP (libwww-perl) is needed by csf itself for downloading blocklists and updates; GD::Graph is only required if you want the statistics graphs in the UI. On Ubuntu:

sudo apt-get install perl libwww-perl liblwp-protocol-https-perl libio-socket-ssl-perl libnet-ssleay-perl libgd-graph-perl

  2. Open the CSF configuration file at /etc/csf/csf.conf with your favorite text editor (e.g., nano or vim).
  3. Locate the following settings and modify them as follows:

UI = "1"
UI_PORT = "<your_desired_port>"
UI_USER = "<your_username>"
UI_PASS = "<your_password>"
UI_ALLOW = "1"

Replace <your_desired_port> with a port that no other service listens on, <your_username> with a username of your choice, and <your_password> with a strong, unique password. UI_ALLOW = "1" restricts the UI to the addresses listed in /etc/csf/ui/ui.allow, one per line; put the addresses you administer from in that file before enabling the UI, otherwise the login page is reachable by anyone who can reach the port. UI_IP lets you bind the listener to a single address (for example a VPN or management address) instead of all interfaces; the required address format is described in that setting's comment in csf.conf. Whether the port must also appear in TCP_IN depends on your version (the comment above UI_PORT says); if it does, open it only for your own addresses with entries in /etc/csf/csf.allow of the form tcp|in|d=<your_desired_port>|s=<admin_ip> rather than adding it to TCP_IN.
  4. The installer places a self-signed certificate and key in /etc/csf/ui/server.crt and /etc/csf/ui/server.key, and the UI will not start without them. They are enough for a first login (your browser will warn about the self-signed certificate); the next section replaces them with a publicly trusted pair.
  5. Save and close the configuration file.
  6. Restart CSF and lfd, since lfd is the process that serves the UI:

csf -ra

Access the CSF UI by navigating to https://your_server_ip:<your_desired_port> in your web browser (https, not http), and log in with the username and password you specified in the configuration file.

How to Set Up HTTPS for the CSF UI

The integrated UI only speaks HTTPS, so the question is not whether to use TLS but which certificate. The self-signed pair the installer creates protects the session from passive sniffing, but it teaches you to click through browser warnings, and that is exactly the habit an attacker sitting between you and the server needs. Replace it with a certificate from a public CA so that a spoofed UI would be flagged, especially when you reach the UI over the internet.

In this section, I'll show you how to obtain a Let's Encrypt certificate with Certbot (any other ACME client works the same way) and where to place the files so CSF can read them.

HTTPS with Certbot

  1. Ensure that you have Certbot installed on your server. You can follow the instructions for your specific distribution on the Certbot website.
  2. Generate a certificate for the hostname you will use for the UI. The standalone authenticator binds port 80 itself, so port 80 must be in TCP_IN and nothing else may be listening on it; if a web server already runs on the host, use --webroot or the web server's Certbot plugin instead:

sudo certbot certonly --standalone -d example.com

Replace example.com with your hostname. Make sure the name resolves to your server's IP address.

  3. After generating the certificate, you will find the files in /etc/letsencrypt/live/example.com/ (symlinks that always point at the latest version). The files you need are fullchain.pem (the certificate plus intermediates) and privkey.pem (the private key).
  4. Copy them over the pair CSF's UI reads, and keep both files root-only:

sudo cp /etc/letsencrypt/live/example.com/fullchain.pem /etc/csf/ui/server.crt
sudo cp /etc/letsencrypt/live/example.com/privkey.pem /etc/csf/ui/server.key
sudo chmod 600 /etc/csf/ui/server.crt /etc/csf/ui/server.key

There is no certificate path setting to edit in csf.conf; CSF looks for exactly these two files.
  5. Restart lfd so that it loads the new certificate:

csf -ra

Now, you can access the CSF UI by navigating to https://example.com:<your_desired_port> in your web browser without a certificate warning.

Let's Encrypt certificates are valid for 90 days. The Certbot packages install a systemd timer or cron job that renews them automatically, but renewal only rewrites /etc/letsencrypt; the copies in /etc/csf/ui stay stale unless they are copied again and lfd is restarted. Certbot's --deploy-hook option runs a script of your choice after every successful renewal, and that script is the place for the copy and restart.
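The renewal step above, as an added example that is not part of CSF or Certbot: a deploy hook that copies the renewed files over /etc/csf/ui/server.crt and server.key, keeps them root-only, and restarts lfd only when the material actually changed (a needless restart drops every UI session). Certbot exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory, to deploy hooks; the environment overrides CSF_UI_DIR and LFD_RESTART, the hook path /usr/local/sbin/csf-ui-cert.sh and the hostname ui.example.com are assumptions of this example, and the PEM files in the demo are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example, not part of CSF or Certbot: a Certbot deploy hook that copies
# a renewed Let's Encrypt certificate into the two files CSF's UI reads,
# keeps them root-only, and restarts lfd only when the contents changed.
# Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory)
# to deploy hooks. CSF_UI_DIR and LFD_RESTART can be overridden from the
# environment so the hook can be exercised against temporary paths, which the
# demo at the bottom does with constructed PEM stand-ins (not real keys).
#
# Install: copy to /usr/local/sbin/csf-ui-cert.sh, chmod 755, then
#   certbot certonly --standalone -d ui.example.com --deploy-hook /usr/local/sbin/csf-ui-cert.sh
# Certbot records the hook in the renewal config and runs it after every renewal.
set -eu

CSF_UI_DIR=${CSF_UI_DIR:-/etc/csf/ui}
LFD_RESTART=${LFD_RESTART:-"csf -ra"}   # command used to restart lfd

# install_ui_cert LINEAGE_DIR -> 0 installed and lfd restarted, 2 unchanged, 1 error
install_ui_cert() {
    lineage=$1
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing or empty $lineage/$f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$lineage/fullchain.pem" || { echo "fullchain.pem is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$lineage/privkey.pem" || { echo "privkey.pem is not a PEM key" >&2; return 1; }

    if cmp -s "$lineage/fullchain.pem" "$CSF_UI_DIR/server.crt" &&
       cmp -s "$lineage/privkey.pem"   "$CSF_UI_DIR/server.key"; then
        return 2   # same material already installed: no restart needed
    fi
    umask 077     # new files are 0600 from the first byte, never world-readable
    cp "$lineage/fullchain.pem" "$CSF_UI_DIR/server.crt.new"
    cp "$lineage/privkey.pem"   "$CSF_UI_DIR/server.key.new"
    mv "$CSF_UI_DIR/server.crt.new" "$CSF_UI_DIR/server.crt"   # rename is atomic per file
    mv "$CSF_UI_DIR/server.key.new" "$CSF_UI_DIR/server.key"
    $LFD_RESTART
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_ui_cert "$RENEWED_LINEAGE"          # running under certbot
else
    demo_dir=$(mktemp -d); CSF_UI_DIR=$(mktemp -d); LFD_RESTART="echo lfd restarted"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'demo-only' '-----END CERTIFICATE-----' > "$demo_dir/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'demo-only' '-----END PRIVATE KEY-----' > "$demo_dir/privkey.pem"
    install_ui_cert "$demo_dir"                            # first run: installs and "restarts"
    install_ui_cert "$demo_dir" || echo "second run: unchanged (rc=$?)"
    ls -l "$CSF_UI_DIR"                                    # both files -rw------- (root-only)
    rm -rf "$demo_dir" "$CSF_UI_DIR"
fi
```

Certbot runs deploy hooks as root after the new files are in place, so a hook that fails loudly (exit 1 on a missing or malformed file) leaves the previous certificate installed and shows up in the renewal log instead of silently serving a stale one.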

Considerations When Using the CSF UI

  1. Choose a strong, unique password for the CSF UI to prevent unauthorized access. UI_PASS is stored in clear text in csf.conf, so never reuse it for another service. Keep UI_RETRY (the number of failed attempts allowed) and UI_BAN enabled so that repeated failures lock the source address out; banned addresses are written to /etc/csf/ui/ui.ban.
  2. Restrict access to the CSF UI to the addresses you administer from. UI_ALLOW is a switch, not an address list: keep UI_ALLOW = "1" in csf.conf and put the permitted addresses, one per line, in /etc/csf/ui/ui.allow:

192.168.1.1
192.168.1.2

Replace the example addresses with the ones you want to allow access to the CSF UI. If the port also has to be opened in the firewall, limit it to the same addresses with entries in /etc/csf/csf.allow such as tcp|in|d=<your_desired_port>|s=192.168.1.1 rather than adding the port to TCP_IN.
  3. Ensure that the chosen port for the CSF UI is not already in use by other services (ss -ltn lists listening ports). A non-standard port keeps the UI out of the noise of mass scanners, but it is not a substitute for the address restriction above.
  4. Keep CSF itself and the Perl modules it depends on up to date to pick up fixes for known vulnerabilities: csf -c checks whether a newer release is available and csf -u installs it.
  5. Monitor the logs for suspicious activity or unauthorized login attempts. lfd writes its own actions to /var/log/lfd.log; check it for UI login failures and for blocks you did not expect.
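As an added example (not part of CSF or of this article), the following script summarises lfd's block decisions from /var/log/lfd.log so that unexpected blocks, repeat offenders and UI login failures stand out instead of scrolling past. The log lines embedded in sample_log are constructed for the demo and only approximate the real format (the UI wording in particular); compare a few real lines and adjust the patterns if they differ.

```shell
#!/bin/sh
# Added example, not part of CSF or the article: summarise lfd's block
# decisions from /var/log/lfd.log so that unexpected blocks, repeat offenders
# and UI login failures stand out. The log lines in sample_log are constructed
# for the demo and only approximate the real format (the UI wording in
# particular); check a few real lines and adjust the patterns if they differ.
set -eu

# blocks LOG -> "IP TRIGGER" for every line where lfd blocked an address.
# Matches IPv4 addresses only; lfd also logs IPv6 blocks, which this skips.
blocks() {
    awk '/\*Blocked in csf\*|\*Permanent Block\*/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $i; break }
        trig = $NF; sub(/^\[/, "", trig); sub(/\]$/, "", trig)   # [LF_SSHD] -> LF_SSHD
        if (ip != "") print ip, trig
    }' "$1"
}

# Counts per trigger and per address, most frequent first.
blocks_by_trigger() { blocks "$1" | awk '{ n[$2]++ } END { for (k in n) print n[k], k }' | sort -rn; }
blocks_by_ip()      { blocks "$1" | awk '{ n[$1]++ } END { for (k in n) print n[k], k }' | sort -rn; }

# Addresses blocked more than once: temporary blocks are not deterring them,
# so they are candidates for a permanent entry (csf -d <ip>).
repeat_offenders() { blocks_by_ip "$1" | awk '$1 > 1 { print $2 }'; }

# Failed logins to the integrated UI, with counts per address.
ui_failures() {
    awk '/\*UI\*/ && /[Ff]ail/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[$i]++
    } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample in the shape of lfd.log (not real traffic); prints its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan  5 03:14:07 srv lfd[2211]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan  5 03:20:41 srv lfd[2211]: *Port Scan* detected from 198.51.100.9 (DE/Germany/-). 11 hits in the last 88 seconds - *Blocked in csf* [PS_LIMIT]
Jan  5 03:44:07 srv lfd[2211]: *Temporary block removed* for 203.0.113.5
Jan  5 04:02:13 srv lfd[2211]: (smtpauth) Failed SMTP AUTH login from 192.0.2.77 (RU/Russia/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Jan  5 04:10:00 srv lfd[2211]: *UI* Login failure from 192.0.2.200 (attempt 2)
Jan  5 04:10:31 srv lfd[2211]: *UI* Login failure from 192.0.2.200 (attempt 3)
Jan  5 04:30:00 srv lfd[2211]: *UI* Successful login from 203.0.113.10
Jan  5 05:01:09 srv lfd[2211]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Permanent Block* [LF_SSHD]
EOF
    echo "$f"
}

log=${1:-}                       # e.g. ./lfd-summary.sh /var/log/lfd.log
cleanup=""
if [ -z "$log" ]; then log=$(sample_log); cleanup=$log; fi
echo "== blocks by trigger"; blocks_by_trigger "$log"
echo "== blocks by address"; blocks_by_ip "$log"
echo "== repeat offenders";  repeat_offenders "$log"
echo "== UI login failures"; ui_failures "$log"
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

The trigger column (LF_SSHD, PS_LIMIT, LF_SMTPAUTH and so on) is the name of the csf.conf setting that caused the block, which is the fastest way to find the threshold to adjust when lfd blocks something it should not.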

By setting up and using the CSF UI, you can efficiently manage and configure your firewall settings through an easy-to-use graphical interface.

Make sure to follow best practices and consider the points mentioned above to maintain a secure and reliable environment.

CSF Protection Against DDoS Attacks

CSF can help protect your server against Distributed Denial of Service (DDoS) attacks by implementing various configurations and security measures.

In this section, I’ll cover how CSF can defend against DDoS attacks and provide some example configurations and recommendations.

SYN Flood Protection

SYN flood attacks are a type of DDoS attack where an attacker sends a large number of SYN packets to a server, causing it to exhaust its resources while trying to establish connections.

To enable SYN flood protection in CSF, adjust the following settings in the /etc/csf/csf.conf file:

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

These settings rate-limit new (SYN) connections to the ports in TCP_IN: once more than SYNFLOOD_BURST connection attempts have arrived, further attempts are accepted at no more than SYNFLOOD_RATE. The limit is global, not per source, which is why CSF's own configuration comment says to enable it only while you are actually under a SYN flood: on a busy server it slows down new connections from every client, legitimate or not. Independently of CSF, make sure the kernel's SYN cookies are on (sysctl net.ipv4.tcp_syncookies should be 1); they are the cheaper first line of defence against SYN floods.

Connection Limit Protection

By limiting the number of simultaneous connections to your server, you can mitigate DDoS attacks targeting specific services.

To enable connection limit protection, configure the CONNLIMIT setting as a comma-separated list of port;limit pairs:

CONNLIMIT = "22;5,80;50,443;50"

This example allows each source IP address at most 5 concurrent connections to SSH (22) and 50 each to HTTP (80) and HTTPS (443); connections beyond the limit are dropped. Because the limit is per source address, users behind a shared NAT address (an office, a mobile carrier) count together, and browsers open several connections per page, so do not set the web limits too low. The rule relies on the iptables connlimit module; csftest.pl reports whether the kernel provides it.

Port Flood Protection

Port flood protection helps defend against DDoS attacks that target specific ports on your server.

To enable port flood protection, configure the PORTFLOOD setting; each entry has four fields, port;protocol;hit_count;interval_seconds:

PORTFLOOD = "22;tcp;5;300,80;tcp;30;5,443;tcp;30;5"

This example blocks a source address from port 22 once it has opened more than 5 new connections to it within 300 seconds, and from port 80 or 443 once it exceeds 30 new connections within 5 seconds; the block lasts until the interval passes without further attempts from that address. PORTFLOOD is per source address and counts new connections only, so it is the right tool against brute forcers and request floods from a handful of sources; it is built on the iptables recent module, which csftest.pl also checks. Keep the SSH limit generous enough for your own automation (configuration management or backup jobs that open many sessions in quick succession will trip it), or list those sources in csf.allow.
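Both settings are strings that csf accepts as given, so a malformed entry, an unknown protocol, or a port that is not actually open in TCP_IN or UDP_IN leaves you with a rule that never fires. The following added example (not part of CSF) decodes the CONNLIMIT and PORTFLOOD values from a csf.conf-style file into plain language and fails on those mistakes, so it can run before csf -ra; the file used in the demo is constructed, and a real path can be passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of CSF: decode and sanity-check CONNLIMIT and
# PORTFLOOD before restarting csf. csf accepts these strings as given, and a
# malformed entry, an unknown protocol, or a port that is not open in TCP_IN
# or UDP_IN leaves you with a rule that never fires. The csf.conf-style file
# used in the demo is constructed; pass a real path as the first argument.
set -eu

# value KEY FILE -> the quoted value of KEY
value() { sed -n "s/^$1 = \"\([^\"]*\)\".*/\1/p" "$2" | head -n 1; }

is_num() { case $1 in ''|*[!0-9]*) return 1;; esac; }

# port_open PORT LIST -> true if PORT is in a TCP_IN/UDP_IN style list ("22,80,30000:35000")
port_open() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v p="$1" '
        /:/  { split($0, r, ":"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1 }
        !/:/ { if ($0 == p) found = 1 }
        END  { exit !found }'
}

# explain_connlimit CONNLIMIT TCP_IN -> one line per entry; returns 1 on any problem
explain_connlimit() {
    val=$1; open=$2; rc=0
    for e in $(printf '%s' "$val" | tr ',' ' '); do
        old=$IFS; IFS=';'; set -- $e; IFS=$old
        if [ $# -ne 2 ] || ! is_num "$1" || ! is_num "$2"; then
            echo "CONNLIMIT: malformed entry '$e' (want port;limit)"; rc=1; continue
        fi
        port_open "$1" "$open" || { echo "CONNLIMIT: tcp/$1 is not in TCP_IN, entry is dead"; rc=1; }
        echo "CONNLIMIT: at most $2 concurrent connections per source address to tcp/$1"
    done
    return $rc
}

# explain_portflood PORTFLOOD TCP_IN UDP_IN -> one line per entry; returns 1 on any problem
explain_portflood() {
    val=$1; topen=$2; uopen=$3; rc=0
    for e in $(printf '%s' "$val" | tr ',' ' '); do
        old=$IFS; IFS=';'; set -- $e; IFS=$old
        if [ $# -ne 4 ] || ! is_num "$1" || ! is_num "$3" || ! is_num "$4"; then
            echo "PORTFLOOD: malformed entry '$e' (want port;proto;hits;seconds)"; rc=1; continue
        fi
        case $2 in
            tcp) open=$topen ;;
            udp) open=$uopen ;;
            *)   echo "PORTFLOOD: unknown protocol '$2' in '$e'"; rc=1; continue ;;
        esac
        port_open "$1" "$open" || { echo "PORTFLOOD: $2/$1 is not open, entry is dead"; rc=1; }
        echo "PORTFLOOD: more than $3 new $2/$1 connections in ${4}s from one address blocks it from that port until ${4}s pass quietly"
    done
    return $rc
}

# check_conf FILE -> explains both settings; returns 1 if either has a problem
check_conf() {
    tcp=$(value TCP_IN "$1"); udp=$(value UDP_IN "$1"); bad=0
    explain_connlimit "$(value CONNLIMIT "$1")" "$tcp" || bad=1
    explain_portflood "$(value PORTFLOOD "$1")" "$tcp" "$udp" || bad=1
    return $bad
}

# Constructed stand-in for /etc/csf/csf.conf with the values from this section.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TCP_IN = "22,80,443"
UDP_IN = "53"
CONNLIMIT = "22;5,80;50,443;50"
PORTFLOOD = "22;tcp;5;300,80;tcp;30;5,443;tcp;30;5"
EOF
    echo "$f"
}

if [ $# -ge 1 ]; then
    check_conf "$1"                        # e.g. ./check.sh /etc/csf/csf.conf && csf -ra
else
    f=$(sample_conf); check_conf "$f"; rm -f "$f"
fi
```

Chaining the check with && before csf -ra means a typo in either setting stops the restart instead of being discovered weeks later when the rule it was meant to create never blocks anything.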

Blocklists

CSF can pull published lists of known malicious addresses and drop their traffic before it reaches your services. Blocklists are configured in /etc/csf/csf.blocklists, not in csf.conf. Each active line has the form

NAME|INTERVAL|MAX|URL

where NAME is a short uppercase label used for the iptables chain (or ipset) that holds the list, INTERVAL is how often lfd refreshes it in seconds, MAX is the maximum number of addresses to load (0 for no limit), and URL is where the list is downloaded from. The file ships with entries for well-known lists commented out; enable one by removing the leading #. An entry for the blocklist.de aggregate feed looks like this (the name and interval are illustrative; use the line as shipped in your file):

BDE|86400|0|https://lists.blocklist.de/lists/all.txt

Two caveats: large lists should be loaded into ipsets (LF_IPSET = "1", with the ipset package installed), otherwise every address becomes an individual iptables rule and packet processing slows down noticeably; and a third-party list will occasionally contain an address you need (a customer, a monitoring service), so keep csf.allow entries for those and look at /var/log/lfd.log when something stops connecting right after a refresh.

Country-Level Blocking

CSF allows you to block access from specific countries with CC_DENY, or to allow only listed countries with CC_ALLOW_FILTER. Either can be useful when your audience is geographically narrow, but be clear about what it does and does not do: it trims the noise of scanners and brute forcers from regions you never expect traffic from, and it does nothing against a distributed attack that uses addresses in the countries you allow, or against spoofed traffic.

Use one or the other, not both. CC_DENY drops traffic from the listed countries and lets everything else through:

CC_DENY = "CN,IR,RU"

CC_ALLOW_FILTER instead drops everything except the listed countries (for the ports in TCP_IN and UDP_IN), which makes any CC_DENY list redundant:

CC_ALLOW_FILTER = "US,CA,GB"

With CC_ALLOW_FILTER, make sure the country you administer from is in the list and that your own addresses are in csf.allow, or you will lock yourself out. Country matching needs a GeoIP database: with the default MaxMind source you must set MM_LICENSE_KEY to a (free) GeoLite2 account key, or choose another source with CC_SRC; the comments above those settings in csf.conf describe the options. Geolocation data is also only approximately right, and attackers have no difficulty renting servers in an allowed country.

Remember to restart both csf and lfd after making any changes to the configuration file:

csf -ra

These settings raise the cost of application-level floods and brute forcing from a modest number of sources. They cannot help against a volumetric attack that fills the server's network link: by the time iptables drops a packet it has already consumed the bandwidth, so floods of that size have to be absorbed upstream by your hosting provider, a scrubbing service, or a CDN.

Keep in mind that no security measure is foolproof, so it’s crucial to regularly monitor your server for potential threats and adapt your CSF settings accordingly.

Alternative Security Solutions

While CSF is an excellent choice for Linux server security, you might want to consider alternative solutions that cover parts of what it does:

  • UFW (Uncomplicated Firewall): the default firewall front-end on Ubuntu, a thin layer over iptables with a simple rule syntax.
  • Firewalld: the dynamic firewall manager that ships with RHEL, Fedora and their derivatives, with zones and runtime versus permanent rules.
  • iptables and nftables: the kernel packet-filter interfaces that all of the above drive; nftables is the successor to iptables and the backend current distributions use, and both can be scripted directly.
  • Fail2ban: the usual stand-in for lfd's login-failure tracking, scanning logs and inserting firewall bans; lfd's process tracking and UI have no equivalent there.

Conclusion

Securing your Linux server is essential to protect your data and maintain your server’s integrity. CSF provides a powerful and user-friendly solution to achieve this goal.

By following the steps outlined in this article, you can easily install and configure CSF on your Linux server. Don’t forget to explore alternative security solutions like UFW, Firewalld, and IPTables if you’re looking for additional options.

I hope you found this article helpful and informative in securing your Linux server with CSF. If you enjoyed this article and found it valuable, please feel free to share it with others who might benefit from it. I also encourage you to leave a comment with your thoughts or questions, and I’ll be more than happy to help. 😊

Stay vigilant and keep your servers secure in 2023 and beyond!