CSF (ConfigServer Security & Firewall) is an advanced firewall configuration script created to provide better security for servers while giving an easy-to-use interface for configuration. It’s a powerful tool, especially for web hosts managing VPS or dedicated servers running cPanel, Webmin, DirectAdmin, or even a custom stack.
This guide walks you through installing CSF on a Linux-based server step by step.
✅ Prerequisites
Before you begin, ensure the following:
- You have root access to your server.
- Your server is running a Linux OS (CentOS, AlmaLinux, Debian, Ubuntu, etc.).
- Perl is installed (default on most systems).
- iptables must be installed and enabled (CSF is a frontend for iptables).
- Recommended: A supported control panel (optional) like cPanel or Webmin.
🧰 Step 1: Connect to Your Server
Use SSH to connect to your server as root:
bashssh root@your_server_ip
🔍 Step 2: Check for Required Packages
CSF needs some Perl modules and iptables. Install the necessary packages:
On RHEL-based systems (CentOS/AlmaLinux/Rocky):
yum install perl-libwww-perl perl-Time-HiRes
wget iptables -y
On Debian/Ubuntu systems:
bash
apt-get install libwww-perl libio-socket-ssl-perl libnet-ssleay-perl
wget iptables -y
📥 Step 3: Download and Install CSF
Go to /usr/src and download the latest CSF package:
bash
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
🧪 Step 4: Test if CSF is Compatible
After installation, check if your server supports CSF:
bash
perl /usr/local/csf/bin/csftest.pl
If you see a message like RESULT: csf should function on this server, you’re good to go.
⚙️ Step 5: Configure CSF (Basic Settings)
Configuration file location:
/etc/csf/csf.conf
Edit it using your favorite editor:
nano /etc/csf/csf.conf
Key settings to modify:
- TESTING = “0”
Set this to0to enable CSF fully. - RESTRICT_SYSLOG = “3”
Helps restrict access to syslog.
Save and exit (Ctrl + X, then Y, then Enter).
🚀 Step 6: Start CSF and LFD
Start the firewall and the login failure daemon:
bash
csf -e
systemctl start lfd
systemctl enable lfd
You can also start CSF using:
bash
systemctl start csf
systemctl enable csf
🔍 Step 7: Check Firewall Status
Make sure CSF is running:
bash
csf -v # Shows version
csf -l # Lists current rules
🔐 Step 8: Open Common Web Hosting Ports
By default, CSF blocks most ports. To support web hosting, ensure these are open:
In /etc/csf/csf.conf, edit the TCP_IN and TCP_OUT values to include:
text
20,21,22,25,53,80,110,143,443,465,587,993,995,3306,2077,2078,2082,2083,2086,2087,2095,2096
These ports are needed for:
- Web (80, 443)
- FTP (20, 21)
- SSH (22)
- Email (25, 465, 587, etc.)
- cPanel/WHM/Webmail (if applicable)
After making changes:
bash
csf -r # Restart CSF to apply changes
🧩 Optional: Web UI Integration (For cPanel, Webmin, etc.)
- cPanel: CSF integrates directly into WHM (check under Plugins).
- Webmin: Use the CSF module for easy GUI management.
- Standalone: Use command-line or install a GUI manually if needed.
🔄 Common CSF Commands
| Command | Description |
|---|---|
csf -e | Enable CSF |
csf -x | Disable CSF |
csf -r | Restart CSF |
csf -l | List current rules |
csf -t | Show temporary blocks |
csf -d IP | Permanently block an IP |
csf -dr IP | Remove a blocked IP |
csf -a IP | Allow an IP |
csf -ar IP | Remove an allowed IP |
🧼 Uninstall CSF (If Needed)
If you ever want to remove CSF:
bash
cd /etc/csf
sh uninstall.sh
🏁 Final Thoughts
CSF is one of the most reliable and actively maintained firewall solutions for Linux web hosting environments. It adds an extra layer of protection against brute force attacks, suspicious login activity, port scanning, and more. Once configured properly, it works silently in the background to protect your server and your customers.
For best results:
- Regularly update CSF (
csf -u) - Monitor logs (
/var/log/lfd.log) - Whitelist trusted IPs
For any custom support need for your server , please contact
📧 Email: support@anytimeserver.support
🌐 Website: https://anytimeserver.support