Configure CSF on your AWS instance

Configure CSF on your AWS instance

March 5, 2021 / Eternal Team

Config Server Firewall (popularly known as CSF) is a free and open-source firewall application suite for most Linux distributions and Linux based Virtual Private Servers (VPS). It provides the basic functionality of a firewall – filtering packets while also providing additional security to your server.

To verify the required firewall modules command:

perl /usr/local/csf/bin/

Everything should be fine and you should get the following output:

Configure CSF on your AWS instance

nano /etc/csf/csf.conf

Certain ports are opened by default, and these ports are given below:

Configure CSF on your AWS instance

The services using the open ports

  • Port 110: Post office protocol v3 (POP3)
  • Port 113: Authentication service/identification protocol
  • Port 123: Network time protocol (NTP)
  • Port 143: Internet message access protocol (IMAP)
  • Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
  • Port 465: URL Rendezvous Directory for SSM (Cisco)
  • Port 587: E-mail message submission (SMTP)
  • Port 993: Internet message access protocol over SSL (IMAPS)
  • Port 995: Post office protocol 3 over TLS/SSL (POP3S)
  • The ports most needed at any time on any server are:
  • TCP_IN: 22,53
  • TCP_OUT: 22,53,80,113,443
  • UPD_IN: 53
  • UPD_OUT: 53,113,123

After changing the settings in csf.conf, you should save the files and restart CSF for the changes to take effect with this command:

csf -r

Blocking and Allowing IP Addresses

Blocking IP addresses

If you would like to block an IP address or range, open csf.deny with the command below:

nano /etc/csf/csf.deny

Below is the default csf.deny file as it contains no entries.

Configure CSF on your AWS instance

To block a specific IP address, add it to the file:

– 196.xx.xx.xx To block a range of IP addresses, add the IP followed by the CIDR Value

– 196.xx.xx.xx/29.

Allowing IP addresses

nano /etc/csf/csf.allow

Below is the default csf.allow file as it contains no entries.

Configure CSF on your AWS instance

You can also allow a specific IP and a range of IP addresses without opening the csf.deny file but by running the commands below:

csf -a 196.x.x.x
csf -ar 196.x.x.x

Note: Allowed IP addresses are allowed even if they are explicitly blocked in a csf.deny file.


Talk to AWS Certified Consultant

    Want to start a project?

    It’s simple.

    Contact us