How to Install CSF for Better cPanel Server Security


In this tutorial, we will show you how to install CSF (ConfigServer Security & Firewall) on your Managed VPS Hosting via command-line interface (CLI). CSF is a front-end to iptables, and is an alternative to APF. CSF is considered a more advanced option, and has a more robust feature set in WebHost Manager (WHM) than APF. We must first remove APF before installing CSF, then we’ll cover additional CSF settings.

Note that you will require root access in order to follow these directions.


Remove APF from your Server

Before installing CSF, you must remove APF and its settings from your VPS server. There are several tasks you must complete, as outlined below.

Stop & Disable the APF service

  1. Log into your server via SSH as the root user.
  2. Run the following command in your shell instance to stop the APF service:

    [~]# service apf stop

  3. Run this command to remove APF from the startup services:

    [~]# chkconfig --del apf

  4. Then, run this command to delete the APF files:

    [~]# rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}

Remove the “Add IP to Firewall” WHM Plugin

  1. You should still be connected to your server via SSH. Run the following command to remove the APF package and the WHM “Add IP to Firewall” plugin:

    [~]# yum -y remove apf-ded whm-addip

  2. Run this command:

    [~]# rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd

  3. Then, this command:

    [~]# rm -f /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi

  4. Run this command to open the “pluginscache.yaml” file in the editor:

    [~]# nano /var/cpanel/pluginscache.yaml

    If you see something similar to the following, remove all the lines except for the uniquekey one.


    acllist:
    - create-acct
    cgi: addon_add2apf.cgi
    icon: ''
    showname: Add IP to Firewall
    tagname: ''
    target: mainFrame
    uniquekey: add_ip_to_firewall

  • Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  • Hit Ctrl+x on the keyboard to exit the nano editor.

Install CSF

  1. Log into your VPS Server via SSH
  2. Run the following command in your shell instance:

    [~]# yum install -y csf-ded

  3. Then be sure to start it:

    [~]# service csf start

  4. Update the WHM plugin (ConfigServer Security & Firewall) by running the following commands one at a time in your shell instance:

    [~]# wget https://download.configserver.com/csupdate

    [~]# yum install dos2unix

    [~]# dos2unix csupdate

    [~]# chmod +x csupdate

    [~]# ./csupdate

Configure CSF Settings

Steps when using Custom Nameservers

  1. You should still be connected to your VPS Server via SSH.
  2. Run the following command in your shell instance:

    [~]# nano /etc/csf/csf.conf

  3. Find the “UDP_IN” line and add 53. The line should look like this when you are finished:

    UDP_IN = "20,21,53"

  4. Check the “TCP_IN” line and ensure it also includes 53. It should look like this:

    TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"

  5. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  6. Hit Ctrl+x on the keyboard to exit the nano editor.
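
To confirm the edit took, the following added example (not part of the original tutorial) reads a csf.conf-style file and checks whether a port is covered by TCP_IN or UDP_IN, including `low:high` ranges such as `30000:35000`. The function names and the temporary sample file are assumptions made for illustration; the sample lines are the ones shown in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial.

# csf_port_list FILE KEY: print the quoted value of KEY from a csf.conf-style file.
csf_port_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list PORT LIST: succeed if PORT is listed or falls inside a lo:hi range.
port_in_list() {
    local port=$1 item lo hi
    local IFS=','
    for item in $2; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# csf_allows FILE KEY PORT: combine the two helpers above.
csf_allows() {
    port_in_list "$3" "$(csf_port_list "$1" "$2")"
}

# Constructed sample: the two finished lines shown in the steps above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000"
UDP_IN = "20,21,53"
EOF

for key in TCP_IN UDP_IN; do
    if csf_allows "$sample" "$key" 53; then
        echo "$key: port 53 allowed"
    else
        echo "$key: port 53 missing"
    fi
done
```

On the server itself, point the check at the real file, for example `csf_allows /etc/csf/csf.conf UDP_IN 53`. It only reads the file and does not query the running firewall.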

Provide Reseller Rights

By default, only the root user has rights to edit the firewall rules. If you want to allow reseller (cPanel) users to edit the CSF rules, follow this section.

  1. Log into your VPS Server via SSH.
  2. Run this command to open the csf.resellers file in an editor:

    [~]# nano /etc/csf/csf.resellers

  3. Add the following line to the file, but be sure to replace “userna5” with the actual cPanel username:

    userna5:0:USE,ALLOW,DENY,UNBLOCK

  4. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
  5. Hit Ctrl+x on the keyboard to exit the nano editor.
  6. Restart CSF by running the following command:

    [~]# service csf restart

  7. Log in to WHM as the root user, then click Edit Reseller Nameservers and Privileges.
  8. Choose the user you want to give CSF privileges to, then click the Submit button.
  9. Find and check the box for ConfigServer Security & Firewall (Reseller UI).

Optional: Turn on Brute Force Monitoring

  1. Log into your VPS Server via SSH.
  2. Run the following command in your shell instance:

    [~]# sed 's/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *"\)[^"]\+/\11/;s/\(LF_TRIGGER *= *"\)[^"]\+/\13/' -i /etc/csf/csf.conf

    Brute force monitoring will then be enabled.


Congratulations, now you know how to install CSF on your VPS server!


Arnel Custodio Technical Writer; WordPress Contributor & Volunteer

As a writer for InMotion Hosting, Arnel has always aimed to share helpful information and provide knowledge that will help solve problems and aid in achieving goals. He's also been active with WordPress local community groups and events since 2004.
