How to Install ConfigServer Firewall (CSF) on Ubuntu

Posted on by Andrew "Fish" Popowich | Updated:
Reading Time: 5 minutes

What is a Firewall?

Broadly speaking, a firewall is part of a network or server that is designed to restrict potentially malicious and unauthorized access to the hardware while still allowing outward communication from the network or server. 

Firewall visualization

There are two types of firewalls; physical hardware firewalls which are devices that connect to the destination server and stop traffic from passing to it and, software-based firewalls that run on a server and filter/reject connection attempts. In both cases, the firewall is at its core, a security measure meant to protect your data from unauthorized access. Today, we are going to review how to install CSF Firewall on a Ubuntu server 

Why Use CSF?

If you’re using a Linux web server to host content, you absolutely will want to have protection in place to prevent your data from being accessed,  manipulated or compromised. ConfigServer Firewall (CSF) is compatible with a significant number of Linux operating systems, such as RedHat, CentOS, CloudLinux, Fedora, Ubuntu and even virtual software environments like VMWare and Xen can be protected using CSF.

Additionally, CSF works well with multiple control panels such as cPanel and Plesk; meaning, if you are familiar with the CSF commands, you can use it to protect your hardware even if you move your data to a different type of system. Because it is incredibly easy to install and manage, many hosting companies often set it up on new servers by default. Oh; and also, it’s free to use!

How Does CSF Compare To Alternatives?

The closest rival to ConfigServer Firewall (CSF) is Advanced Policy Firewall (APF). Both APF and CSF are simply front end interfaces for the deeper and more complex firewall software known as iptables. This being said, CSF does has better integration with cPanel, making it easier and more accessible to the end user. This means that if you are using cPanel on your server, you can perform many of your security related tasks (other than installation) within WHM. This allows you to use the plugin in the control panel which prevents you from having to log into the server as the root user, and manually run commands at the command prompt.

In addition to the firewalls mentioned above, we should also take a look at firewalld. Firewalld is a more comprehensive software firewall solution, which can be less appealing to new users due to the need to control it from the command line interface. If you are just starting out or, want something easier to work with, you will probably want to skip firewalld for now. If you choose to try firewalld, more resources can be found in the Liquid Web Knowledgebase.

Finally, in between your firewall solution and a CDN, is Cloudflare. If you were looking to add an additional layer of security to your server, Cloudflare can certainly help with that as well and, with the balanced connections it provides, it can aid in your servers overall security profile. While Cloudflare is not as effective as an actual software firewall (nor is it intended to be), you need to make sure you have a firewall solution on the server itself, meaning you would need Cloudflare, in addition to CSF and not instead of CSF.

How Do You Install CSF On Ubuntu?

So, you have decided to install CSF on your Ubuntu server. Great! Let’s do a little prep work to get ready. We’re going to install CSF via command line, so you will need to log in to your server as the root user (Here is a Basic SSH tutorial on how to SSH into the server if you are unfamiliar with that process).

First, let’s make sure CSF isn’t installed. The best way to accomplish this is via a status check; Let’s run the following command:

root@host:~# /etc/init.d/csf status

If CSF is not installed, then let’s get started to change that! If that works and CSF is not installed, you should see this:

No such file or directory

Step 1 – Download the Software

Let’s download the package. Run the following command to retrieve the files and copy them to your server:

root@host:~# wget http://download.configserver.com/csf.tgz

Step 2 – Unpack the Files
If successful, you should see the full progress bar and confirmation like this:

Progress bar

Once you have the files downloaded, unpack them with the following command:

root@host:~# tar -xzf csf.tgz

Step 3 – Install via the Script

If this works and all the necessary folders have been created and the files placed inside, you’ll see no output with that command:

No output

Okay, it’s go time! We need to switch to the directory that was created in the unpacking:

root@host:~# cd csf

And when you get back to the command prompt, let’s run the installer:

root@host:~# sh install.sh

Now, a lot of text is going to scroll by. It’ll start like this:

root@host:~# sh install.sh output

And end like this:

root@host:~# sh install.sh output end
It will then say “Installation Complete” to let you know it’s all done!

Step 4 – Test the Installation

There is a testing script already included with CSF, so you just have to run this script like so:

root@host:~# perl /usr/local/csf/bin/csftest.pl

This Perl script will check several tasks for validity and let you know if the firewall will run as noted in the “RESULT” output as seen below:

Perl script output

And that’s it! You have installed CSF! Please review our Ubuntu best practices information below to finish up this procedure. 

What Are The Best Practices For Initial Configuration?

Now that your new firewall is set up, we should be good to go. We have quite a few Knowledgebase articles to accomplish different tasks with CSF through WHM, such as how to unblock your IP address, unblock another IP address or open a port, and even how to perform basic DDoS mitigation. You can also review our excellent guide on Ubuntu server best practices.

If you’re happy with your firewall configuration, the next thing we need to do is to take it out of testing mode to enable it to start working as soon as possible. To accomplish this, we need to edit the CSF configuration file located at /etc/csf/csf.conf and using vim to edit the file, look for the following entry:

TESTING = "1"

and change this to:

TESTING = "0"

This setting is very close to the top of the config file on line 11 so you shouldn’t have any trouble locating it. Next, let’s save the file and then run:

csf -ra

This will restart both the CSF service and the related LFD service and, apply the modifications you have just made. Now your server is protected by the CSF firewall!

Special Note

At Liquid Web, if you’re using a hosted private cloud solution, Dedicated Server or Virtual Private Server that has Linux on it and, it is either Fully Managed or Core Managed, then CSF is already installed for you! We have included this software in our server creation process to ensure you’re secure from the start. If you need any help configuring your firewall, you can always open a ticket by emailing support@liquidweb.com, or calling us at 1-800-580-4985 (1-517-322-0434) or, open a chat with us, and we’ll be happy to show you why we’re the Most Helpful Humans in Hosting!

Avatar for Andrew "Fish" Popowich

About the Author: Andrew "Fish" Popowich

Andrew "Fish" Popowich has been in IT since Palm Pilots were a technological marvel. He's continued to adopt and adapt to new technology, often obsessing over new gadgets or new methods for old processes. This is especially evident with his writing, where he is always looking for new, noisier keyboards and interesting new applications to assist him as he creates new content to publish on Kindle and DriveThruRPG.

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article