InMotion Hosting Support Center

Note that you will require root access in order to follow these directions.

In this tutorial, we will show you how to install CSF on your Dedicated Server via the command line interface (CLI). CSF (ConfigServer Firewall) is a front end to iptables and an alternative to APF. CSF is considered a more advanced option, with a more robust feature set than APF. We must first remove APF before installing CSF, then we'll cover additional CSF settings.

Removing APF from your Server

Before installing CSF, you must remove APF and its settings from your dedicated server. There are several tasks you must complete, as outlined below.

Stop & Disable the APF service

  1. Log into your server via SSH as the root user.
  2. Run the following command in your shell instance to stop the APF service:

    root@ded999 [~]# service apf stop

  3. Run this command:

    root@ded999 [~]# chkconfig --del apf

  4. Then, run this command:

    root@ded999 [~]# rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}

Remove the "Add IP to Firewall" WHM Plugin

  1. You should still be connected to your server via SSH. Run the following command to remove the apf-ded and whm-addip packages (the latter provides the WHM "Add IP to Firewall" plugin):

    root@ded999 [~]# yum -y remove apf-ded whm-addip

  2. Run this command:

    root@ded999 [~]# rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd

  3. Then, this command:

    root@ded999 [~]# rm -f /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi

  4. Run this command to open the "pluginscache.yaml" file in the editor:

    root@ded999 [~]# nano /var/cpanel/pluginscache.yaml

    If you see something similar to the following, remove all the lines except for the uniquekey one.

    -
        acllist:
          - create-acct
        cgi: addon_add2apf.cgi
        icon: ''
        showname: Add IP to Firewall
        tagname: ''
        target: mainFrame
        uniquekey: add_ip_to_firewall

  5. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  6. Hit Ctrl+x on the keyboard to exit the nano editor.

Installing CSF

  1. Log into your Dedicated Server via SSH.
  2. Run the following command in your shell instance:

    root@ded999 [~]# yum install -y csf-ded

  3. Then be sure to start it:

    root@ded999 [~]# service csf start

Additional CSF Settings

Steps when using Custom Nameservers

  1. You should still be connected to your Dedicated Server via SSH.
  2. Run the following command in your shell instance:

    root@ded999 [~]# nano /etc/csf/csf.conf

  3. Find the "UDP_IN" line and add 53. The line should look like this when you are finished:

    UDP_IN = "20,21,53"

  4. Check the "TCP_IN" line and ensure it also includes 53. It should look like this:

    TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"

  5. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  6. Hit Ctrl+x on the keyboard to exit the nano editor.
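
A quick check for steps 3 and 4, added here as an example and not part of the original tutorial: the function reads a port-list setting from a csf.conf-style file and reports whether a port is listed, either on its own or inside a `low:high` range. The sample file is constructed from the two lines shown above, and the function name `csf_port_listed` is hypothetical.

```shell
#!/bin/sh
# Added example: check whether a port appears in a csf.conf port-list setting.
# csf_port_listed <conf> <KEY> <port>
#   status 0 = listed (single port or inside a low:high range)
#   status 1 = not listed, status 2 = KEY line missing or empty
csf_port_listed() {
    conf=$1 key=$2 port=$3
    # Extract the quoted value of the last uncommented 'KEY = "..."' line.
    list=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | tail -n 1)
    [ -n "$list" ] || return 2
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            *:*)     # range such as 30000:35000
                     [ "$port" -ge "${entry%%:*}" ] && [ "$port" -le "${entry##*:}" ] && return 0 ;;
            "$port") return 0 ;;   # whole-entry match, so 5 does not match 53
        esac
    done
    return 1
}

# Constructed sample: the UDP_IN and TCP_IN lines from this tutorial.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
UDP_IN = "20,21,53"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"
EOF

for key in TCP_IN UDP_IN; do
    if csf_port_listed "$SAMPLE" "$key" 53; then
        echo "$key: port 53 is listed"
    else
        echo "$key: port 53 is MISSING"
    fi
done
```

On the server, point the function at /etc/csf/csf.conf. Changes to csf.conf only take effect once CSF has been restarted (`service csf restart`).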

Providing Reseller Rights

By default, only the root user has rights to edit the firewall rules. If you want to allow reseller (cPanel) users to edit the CSF rules, follow this section.

  1. Log into your Dedicated Server via SSH.
  2. Run this command to open the csf.resellers file in an editor:

    root@ded999 [~]# nano /etc/csf/csf.resellers

  3. Add the following line to the file, but be sure to replace "userna5" with the actual cPanel username:

    userna5:0:USE,ALLOW,DENY,UNBLOCK

  4. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  5. Hit Ctrl+x on the keyboard to exit the nano editor.
  6. Restart CSF by running the following command:

    root@ded999 [~]# service csf restart

  7. Log in to WHM as the root user, then click Edit Reseller Nameservers and Privileges.
  8. Choose the user you want to give CSF privileges to, then click the Submit button.
  9. Find and check the box for ConfigServer Security & Firewall (Reseller UI).

Optional: Turn on Brute Force Monitoring

  1. Log into your Dedicated Server via SSH.
  2. Run the following command in your shell instance:

    root@ded999 [~]# sed 's/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *"\)[^"]\+/\11/;s/\(LF_TRIGGER *= *"\)[^"]\+/\13/' -i /etc/csf/csf.conf

    Brute force monitoring will then be enabled.
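
To see what that one-liner changes before running it with `-i`, the following added example (not part of the original tutorial) applies the same sed script to a file without modifying it and prints each line that would change. The sample settings are constructed for illustration, and the function name `preview_lf_changes` is hypothetical.

```shell
#!/bin/sh
# Added example: dry-run of the tutorial's brute-force sed edit (no -i, nothing is modified).
LF_SED='s/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *"\)[^"]\+/\11/;s/\(LF_TRIGGER *= *"\)[^"]\+/\13/'

# preview_lf_changes <conf>: print "old  ->  new" for each line the edit would change.
preview_lf_changes() {
    sed "$LF_SED" "$1" | awk -v orig="$1" '
        { getline old < orig }               # original line at the same position
        $0 != old { print old "  ->  " $0 }'
}

# Constructed sample (hypothetical values, not copied from a real csf.conf).
# The *_PERM, *_INTERVAL and LF_HTACCESS lines are there to show what is left alone.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_PERMBLOCK = "0"
LF_PERMBLOCK_INTERVAL = "86400"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_SMTPAUTH = "5"
LF_POP3D = "10"
LF_IMAPD = "10"
LF_CPANEL = "5"
LF_HTACCESS = "5"
EOF

# Each listed LF_ setting becomes "1" and LF_TRIGGER becomes "3".
preview_lf_changes "$SAMPLE_CONF"
```

Run `preview_lf_changes /etc/csf/csf.conf` on the server and keep a copy of the file before applying the real command. The pattern is not anchored to the start of a line, so a commented-out setting written in the same `KEY = "value"` form would be rewritten too.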


Congratulations, now you know how to install CSF on your Dedicated server!

Related Questions

2016-12-14 8:08 pm
Is CSF also supported for VPS plans? Or will it be in the future? I've been reading into different management tools for iptables and CSF is looking to be the best option since they seem to also have cPanel support or integrations. CSF website suggests caution with Virtual Servers concerning Host firewall configurations, so I thought it was best to ask and leave a record for others to use too.

APF is nice and all but it is just too limited and lacking in functionality to be as effective as we sometimes need on the VPS. While I'd like to avoid bloating my firewall as much as possible, sometimes I need the ability to easily block certain countries or a couple thousand individual IPs from here in the US or both at the same time. Most of our Web software has in-PHP firewall solutions and the like but those end up using more resources than just blocking the repeat offenders from connecting altogether for a little while.

Thanks for your time!
Staff
13,821 Points
2016-12-15 8:10 am
CSF can be installed on VPS without issue. I have it running on my personal VPS.
2016-12-15 6:09 pm
There seem to be some issues with the installation via the IMH package. It reports a non-fatal error about missing Perl Module Net::CIDR::Lite even though I have installed this module via WHM.
Next to that the CSF addon for WHM reports a 500 error, which relates to a syntax error of some kind according to the cpanel error_log file found at /usr/local/cpanel/logs/error_log. The error log lines are as follows:

Bareword found where operator expected at /usr/local/cpanel/Cpanel/URI/Escape/Fast.pm line 20, near "s/([^A-Za-z0-9\-_\.~])/$escapes{$1}/gr"
syntax error at /usr/local/cpanel/Cpanel/URI/Escape/Fast.pm line 20, near "s/([^A-Za-z0-9\-_\.~])/$escapes{$1}/gr "
Compilation failed in require at /usr/local/cpanel/Cpanel/Encoder/URI.pm line 10.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/Encoder/URI.pm line 10.
Compilation failed in require at /usr/local/cpanel/Cpanel/HTTP/QueryString.pm line 10.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/HTTP/QueryString.pm line 10.
Compilation failed in require at /usr/local/cpanel/Cpanel/MagicRevision.pm line 14.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/MagicRevision.pm line 14.
Compilation failed in require at /usr/local/cpanel/Cpanel/Errors.pm line 8.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/Errors.pm line 8.
Compilation failed in require at /usr/local/cpanel/Cpanel/cPanelFunctions.pm line 23.
BEGIN failed--compilation aborted at /usr/local/cpanel/Cpanel/cPanelFunctions.pm line 23.
Compilation failed in require at /usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf.cgi line 16.
BEGIN failed--compilation aborted at /usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf.cgi line 16.
[2016-12-15 13:35:24 -0800] info [cpsrvd] Internal Server Error: "GET /cpsessXXXXXXXX/cgi/configserver/csf.cgi HTTP/1.1" 500 No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf.cgi): The subprocess reported error number 255 when it ended.


We are using WHM/cPanel version 60, build 28, so I am wondering if I should perhaps follow the installation instructions ConfigServer provides and use their latest version download rather than just using the RPM package provided by IMH.

Thanks again for your time!
Staff
30,388 Points
2016-12-15 6:52 pm
This will require further testing. Since this is just our public forums, I recommend contacting Live Support so they can test within your specific account.

Thank you,
John-Paul
