Configure CSF on your AWS instance

March 5, 2021 / Nirav Shah

Config Server Firewall (popularly known as CSF) is a free and open-source firewall application suite for most Linux distributions and Linux-based Virtual Private Servers (VPS). It provides the basic functionality of a firewall, filtering packets with iptables, and adds further protection for the server through its login failure daemon (lfd). On an AWS EC2 instance, CSF is a host-level layer on top of the instance's security group: the security group filters traffic before it reaches the instance, so a port must be open in both places for a service to be reachable.

First verify that the iptables modules CSF requires are available on the instance:

perl /usr/local/csf/bin/csftest.pl

If all of the required modules are present, every test reports OK and the script ends with a result line stating that csf should function on this server. If any test fails, that module has to be made available before CSF can work, so resolve it before continuing.

Then open the main configuration file:

nano /etc/csf/csf.conf

Note the TESTING setting near the top of the file. It ships as TESTING = "1", which installs a cron job that flushes the firewall rules every few minutes so that a configuration mistake cannot lock you out permanently. Set TESTING = "0" once you have finished configuring, otherwise the firewall never stays up.

Certain ports are opened by default in the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT settings of csf.conf. Among the services behind those default ports are:

  • Port 110: Post Office Protocol v3 (POP3)
  • Port 113: Authentication service/identification protocol (ident)
  • Port 123: Network Time Protocol (NTP)
  • Port 143: Internet Message Access Protocol (IMAP)
  • Port 443: Hypertext Transfer Protocol over SSL/TLS (HTTPS)
  • Port 465: SMTP over implicit TLS (SMTPS; the IANA registration for this port is Cisco's URL Rendezvous Directory, but on a mail server it carries SMTPS)
  • Port 587: E-mail message submission (SMTP)
  • Port 993: Internet Message Access Protocol over SSL/TLS (IMAPS)
  • Port 995: Post Office Protocol v3 over SSL/TLS (POP3S)

Remove every port whose service does not run on the instance. The ports most servers need at all times are the following, written here in the csf.conf syntax:

TCP_IN = "22,53"
TCP_OUT = "22,53,80,113,443"
UDP_IN = "53"
UDP_OUT = "53,113,123"

A web server adds 80 and 443 to TCP_IN; a mail server adds the mail ports listed above. Restricting port 22 further, by leaving it out of TCP_IN and allowing only your administration addresses in csf.allow, is a good idea on an Internet-facing instance.

After changing the settings in csf.conf, save the file and restart CSF (and lfd) for the changes to take effect with this command:

csf -r

Before restarting with a tightened TCP_IN, make sure the address you administer the server from is allowed (see "Allowing IP addresses" below), so that the restart does not cut off your own SSH session.

Blocking and Allowing IP Addresses

Blocking IP addresses

If you would like to block an IP address or range, open csf.deny with the command below:

nano /etc/csf/csf.deny

A fresh csf.deny contains only the comment header and no entries.

To block a specific IP address, add it to the file on its own line:

196.xx.xx.xx

To block a range of IP addresses, add the network address followed by its CIDR prefix length:

196.xx.xx.xx/29

An optional comment may follow an entry after a # sign, which is worth using to record why the address was blocked.

Allowing IP addresses

To allow an IP address or range regardless of the other rules, open csf.allow:

nano /etc/csf/csf.allow

A fresh csf.allow likewise contains only the comment header and no entries. Entries use the same format as csf.deny: one IP address or CIDR range per line, with an optional comment after a # sign.

You can also allow a specific IP address or a range without opening csf.allow, by running the commands below (csf -a writes the entry to csf.allow for you):

csf -a 196.x.x.x
csf -a 196.x.x.x/29

Note that csf -ar is the opposite operation: it removes an address from csf.allow and deletes its rule, so it does not allow a range.

Note: Addresses in csf.allow are allowed even if they are also listed in csf.deny; csf.allow takes precedence. On an EC2 instance, csf.allow cannot override the security group: traffic the security group drops never reaches CSF at all.
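The steps above (tightening TCP_IN/UDP_IN, switching TESTING off, and allowing the administration address before restarting) are easy to get wrong by hand and easy to check when scripted. The following is an added example, not code from the original post or from CSF itself: small POSIX sh functions that edit csf.conf-style files and csf.allow, applied here to a constructed sample copy of the files rather than to /etc/csf. The function names, the admin range 203.0.113.0/29 and the sample csf.conf contents are assumptions for illustration; point the paths at /etc/csf/csf.conf and /etc/csf/csf.allow on a real host.

```shell
#!/bin/sh
# Added example, not code from the original post or from CSF: script the
# csf.conf and csf.allow edits described above with POSIX tools so they can
# be reviewed before running `csf -r`. All paths are parameters; the demo at
# the bottom works on a scratch copy built from constructed sample files.

# Set KEY = "VALUE" in a csf.conf-style file (lines look like: KEY = "value").
# Replaces the existing line, or appends one if the key is not present.
csf_set() {
    conf=$1; key=$2; value=$3
    if grep -q "^$key = " "$conf"; then
        sed "s|^$key = .*|$key = \"$value\"|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$conf"
    fi
}

# Print the unquoted value of KEY from a csf.conf-style file.
csf_get() {
    sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"
}

# True if a csf.allow / csf.deny file already lists ENTRY (IP or CIDR) as
# the first field of a line; comments after "#" are ignored by the match.
csf_list_has() {
    awk -v e="$2" '$1 == e { found = 1 } END { exit !found }' "$1"
}

# Append ENTRY with a comment to csf.allow / csf.deny unless it is already there.
csf_list_add() {
    listfile=$1; entry=$2; comment=$3
    csf_list_has "$listfile" "$entry" && return 0
    printf '%s # %s\n' "$entry" "$comment" >> "$listfile"
}

# Apply the minimal port set from the post, switch TESTING off so the rules
# stay in place, and allow the admin network *before* the restart so the
# tightened TCP_IN cannot lock the operator out of SSH. Web servers would add
# 80,443 to TCP_IN (assumption: this instance only needs SSH and DNS inbound).
harden_csf() {
    conf=$1; allow=$2; admin_cidr=$3
    csf_list_add "$allow" "$admin_cidr" "admin SSH source, allowed before restart"
    csf_set "$conf" TESTING 0
    csf_set "$conf" TCP_IN  "22,53"
    csf_set "$conf" TCP_OUT "22,53,80,113,443"
    csf_set "$conf" UDP_IN  "53"
    csf_set "$conf" UDP_OUT "53,113,123"
}

# Demo on constructed sample files (run as: sh csf_harden.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    # Constructed csf.conf excerpt with the wide default port lists and TESTING on.
    printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\nTCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"\nUDP_IN = "20,21,53"\nUDP_OUT = "20,21,53,113,123"\n' > "$d/csf.conf"
    : > "$d/csf.allow"
    harden_csf "$d/csf.conf" "$d/csf.allow" "203.0.113.0/29"
    cat "$d/csf.conf" "$d/csf.allow"   # review, then copy into /etc/csf and run: csf -r
    rm -rf "$d"
fi
```

After copying the reviewed files into place and running csf -r, confirm the result with csf -l (list the active rules) or csf -g 203.0.113.0/29 (search the rules for a particular address or range). The same csf_list_add helper works for csf.deny; from the command line, csf -d blocks an address and csf -dr unblocks it, mirroring csf -a and csf -ar for the allow list.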
