In this article, I will take you through a step-by-step guide to enabling the CSF firewall GUI on Ubuntu 20.04 LTS. ConfigServer Security and Firewall (CSF) is a free Stateful Packet Inspection firewall suitable for use in most Linux distributions. It comes with a lot of built-in features and provides you excellent protection from external vulnerabilities. One of its many features is an easy-to-use GUI that you can use to set up the firewall configuration. To use it, you first need to enable the CSF GUI after installing the firewall. We will go through the steps to enable the CSF GUI in detail.
How to Enable CSF Firewall GUI on Ubuntu 20.04 LTS
Step 1: Prerequisites
a) You should have a running Ubuntu 20.04 LTS server.
b) You should have sudo or root access to run privileged commands.
c) You should have the apt or apt-get utility available on your system.
d) You should have CSF Firewall installed on your server.
Step 2: Update Your Server
Before installing any new dependencies, it is always preferable to check for updates first. You can run the apt update or apt-get update command and verify that all the installed packages are updated.
root@localhost:~# apt update
Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Ign:3 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:5 https://artifacts.elastic.co/packages/oss-7.x/apt stable InRelease [10.4 kB]
Hit:6 https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 Release
Hit:7 https://dl.google.com/linux/chrome/deb stable InRelease
Get:8 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,388 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [571 kB]
Step 3: Install Dependencies
Before enabling the CSF GUI, it is important to install all the dependencies the GUI needs to function smoothly. This can be done with the apt-get install command below.
root@localhost:~# apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y
Step 4: Enable CSF GUI
To enable the CSF GUI you need to set up the Integrated User Interface section in the csf.conf configuration file. Here you need to set UI=1 to enable the User Interface in restricted mode. Then set UI_PORT to any port which is not already in use and has a value greater than 1023. Since I am using port 8080 here, I am setting UI_PORT=8080.
Next we need to set the UI_IP value. If you want, you can leave this blank to bind to all the IP addresses on the server, but here I am binding my local IP address 192.168.29.110 by setting UI_IP=192.168.29.110. Then you need to specify the user and password using UI_USER and UI_PASS. For demo purposes, I am setting the user to admin and the password to Test@123$.
NOTE: Set UI_USER and UI_PASS to a different value (the csf.conf comments below state that both must be changed from the default), otherwise you will end up having issues with the lfd service.
root@localhost:~# nano /etc/csf/csf.conf
###############################################################################
# SECTION:Integrated User Interface
###############################################################################
# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
# without requiring a control panel or web server. The UI runs as a sub process
# to the lfd daemon
#
# As it runs under the root account and successful login provides root access
# to the server, great care should be taken when configuring and using this
# feature. There are additional restrictions to enhance secure access to the UI
#
# See readme.txt for more information about using this feature BEFORE enabling
# it for security and access reasons
#
# 1 to enable, 0 to disable
UI = "1"
# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "8080"
# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = "192.168.29.110"
# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "admin"
# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "Test@123$"
Step 5: Allow IP
Next you need to allow the IP from which you are going to access the CSF GUI. You can either allow the entire subnet or allow a specific IP address, as below.
root@localhost:~# nano /etc/csf/ui/ui.allow
192.168.29.241
Step 6: Apply Configuration
Then apply the configuration by using the csf -r command. This will apply all the changes made to the CSF Firewall configuration.
root@localhost:~# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
......................................
Step 7: Restart Service
Then restart the csf and lfd services by using the systemctl restart csf and systemctl restart lfd commands, as shown below.
root@localhost:~# systemctl restart csf
root@localhost:~# systemctl restart lfd
Step 8: Open CSF GUI
Open your favorite browser and use the URL https://192.168.29.110:8080 to access the CSF GUI. Since I was having some problems accessing the GUI in the Google Chrome and Firefox browsers, I opened it in the Edge browser on one of my Windows machines in the same network. Once opened, you will see a page asking you to enter a Username and Password. You need to enter the same username and password which you set earlier in the csf.conf file. Once done, press Enter.
Once logged in, you will be redirected to a page where you can see the firewall status and other configuration that you can now set up through the GUI.
Step 9: Troubleshooting
a) If you face any issue while enabling the CSF Firewall GUI, it is always recommended to first check the /var/log/lfd.log file for errors.
root@localhost:~# nano /var/log/lfd.log
Dec 7 12:23:57 localhost lfd[1147]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:23:57 localhost lfd[1147]: daemon stopped
Dec 7 12:46:35 localhost lfd[4455]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:46:35 localhost lfd[4455]: daemon stopped
Dec 7 12:58:23 localhost lfd[6433]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 12:58:23 localhost lfd[6433]: daemon stopped
Dec 7 13:10:05 localhost lfd[6607]: *Error* lfd will not run with TESTING enabled in /etc/csf/csf.conf, at line 83
Dec 7 13:10:05 localhost lfd[6607]: daemon stopped
b) If you are trying to access the CSF GUI from the Google Chrome or Mozilla Firefox browser and you encounter a connection refused error, you may want to try once with Microsoft Edge, Safari or any other browser you have. Sometimes Google Chrome and Firefox do not allow access to some specific ports due to security issues.
c) Sometimes you might need to check the files below and see whether your IP is allowed to access the CSF GUI.
root@localhost:~# nano /etc/csf/ui/ui.ban
root@localhost:~# nano /etc/csf/csf.deny
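A pre-flight check for the settings from Steps 4 and 5 and for the TESTING error shown in the lfd.log excerpt above. This is an added example, not part of the original article or of CSF itself; the function names and sample files are constructed for illustration, and the rules are the ones stated in the csf.conf comments quoted in Step 4 (UI_PORT above 1023 and not opened in TCP_IN, UI_PASS of at least 8 mixed characters).

```bash
#!/usr/bin/env bash
# Added example: audit UI-related settings in a csf.conf-style file.
# conf_get FILE KEY: print the value from the last  KEY = "value"  line.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list PORT LIST: true if PORT appears in a list such as "22,80,8000:8100".
port_in_list() {
  local p=$1 e lo hi IFS=,
  for e in $2; do
    lo=${e%%:*}; hi=${e##*:}
    if [ "$p" -ge "$lo" ] 2>/dev/null && [ "$p" -le "$hi" ] 2>/dev/null; then return 0; fi
  done
  return 1
}

# audit_csf_ui CONF ALLOWFILE: print one finding per line; no output means clean.
audit_csf_ui() {
  local conf=$1 allow=$2 port pass pat
  port=$(conf_get "$conf" UI_PORT); pass=$(conf_get "$conf" UI_PASS)
  [ "$(conf_get "$conf" TESTING)" = "0" ] || echo "TESTING is not 0: lfd will not run"
  [ "$(conf_get "$conf" UI)" = "1" ] || echo "UI is not set to 1"
  case $port in
    ''|*[!0-9]*) echo "UI_PORT is not a number" ;;
    *) [ "$port" -gt 1023 ] || echo "UI_PORT must be greater than 1023"
       if port_in_list "$port" "$(conf_get "$conf" TCP_IN)"; then
         echo "UI_PORT $port is open in TCP_IN"
       fi ;;
  esac
  [ "${#pass}" -ge 8 ] || echo "UI_PASS is shorter than 8 characters"
  for pat in '*[[:lower:]]*' '*[[:upper:]]*' '*[[:digit:]]*' '*[![:alnum:]]*'; do
    case "$pass" in $pat) ;; *) echo "UI_PASS has no character matching $pat" ;; esac
  done
  grep -Eqv '^[[:space:]]*(#|$)' "$allow" 2>/dev/null || echo "ui.allow lists no client IP"
  return 0
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
cat > "$demo/csf.conf" <<'EOF'
TESTING = "1"
TCP_IN = "22,80,443,8000:8100"
UI = "1"
UI_PORT = "8080"
UI_PASS = "password"
EOF
: > "$demo/ui.allow"
audit_csf_ui "$demo/csf.conf" "$demo/ui.allow"
```

On a server, call audit_csf_ui /etc/csf/csf.conf /etc/csf/ui/ui.allow before running csf -r; no output means none of these checks failed.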
Hello,
I tried everything but nothing helped. Whenever I try to log in, I get this message:
The connection has timed out
An error occurred during a connection to xxx.xxx.xxx.xxx:8080.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
I have only Ubuntu 20.04 and CSF installed.
Thank you