How to Install CSF for Better cPanel Server Security

ConfigServer Security & Firewall (CSF) is a stateful packet inspection (SPI) firewall with login/intrusion detection capabilities for Linux VPS Hosting running CentOS, Ubuntu, and other Unix operating systems. Simply put, CSF simplifies the proactive and reactive processes related to Linux cybersecurity.

• What is CSF?
  • Uninstall APF from your InMotion cPanel Server
  • Stop APF and Remove Add IP to Firewall from WHM
• Install CSF
  • Steps when using Custom Nameservers
  • Provide Reseller Rights for cPanel Users

What is CSF?

Managing firewall settings with iptables commands can get complicated. Also, the active rules for iptables are not persistent. This makes it easy to understand why there are several iptables managers, or wrappers, available including UncomplicatedFirewall (UFW) and Firewalld. So if CSF is not unique in providing basic iptables rule management, why use it? What helps set it apart from similar applications are its additional built-in features:

• The ability to perform a basic server security settings checks
• Login Failure Daemon (LFD) to prevent brute-force login attempts
• Monitor and search important system log files directly in WebHost Manager (WHM) on cPanel servers
• View currently listening ports and what processes are listening on them
• Preset configurations, called profiles, to easily switch security settings for different use cases (development, panic mode, etc.)
• And lots more…

Our cPanel-managed VPS and dedicated server hosting plans start with Advanced Policy Firewall (APF) installed. However, CSF is more advanced and includes a long list of features in WHM. APF must be uninstalled before you install CSF.

Uninstall APF from your InMotion cPanel Server

InMotion Hosting cPanel server administrators must remove APF before you install CSF. 

Stop and Disable the APF Service

1. Log into your server via SSH as the root user.
2. Stop the APF service:

   systemctl stop apf

3. Remove symbolic links from chkconfig management:

   chkconfig --del apf

4. Remove remaining APF files:

   rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}

Next, remove Add IP to Firewall from WHM.

1. Uninstall the APF and WHM firewall YUM packages:

   yum -y remove apf-ded whm-addip

2. Remove remaining WHM configuration files:

   rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi

3. Open the pluginscache.yaml file with a file editor (e.g. Nano, VIM, Emacs):

   nano /var/cpanel/pluginscache.yaml

4. If you see something similar to the following, remove all the lines except for the uniquekey one.

   –
   acllist:
   – create-acct
   cgi: addon_add2apf.cgi
   icon: ”
   showname: Add IP to Firewall
   tagname: ”
   target: mainFrame
   uniquekey: add_ip_to_firewall

5. Save changes. In Nano, type Ctrl + X on your keyboard to save and exit Nano.

Install CSF

1. SSH into your server.
2. Install CSF from the YUM repository:

   yum install -y csf-ded

3. Start the CSF service with Systemd:

   systemctl start csf

4. Update the CSF WHM plugin.
   The quickest method is to use this Perl command:

   curl -sL https://download.configserver.com/csupdate | perl

   If you want to be thorough, you can use the manual method instead.

   wget https://download.configserver.com/csupdate

   yum install dos2unix

   predos2unix csupdate

   chmod +x csupdate

   ./csupdate

Turn on Brute force monitoring for a head start in hardening your system.

1. Log into your VPS via SSH.
2. This sed one-liner adds brute force monitoring to your CSF configuration file:

   sed ‘s/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *”\)[^”]\+/\11/;s/\(LF_TRIGGER *= *”\)[^”]\+/\13/’ -i /etc/csf/csf.conf

Steps when using Custom Nameservers

If you are using custom nameservers, you must complete the following section to allow incoming UDP connections.

1. While still in SSH, edit your primary CSF configuration file:

   nano /etc/csf/csf.conf

2. Find the UDP_IN line and add 53 for port 53 (DNS). The result should read:
   UDP_IN = “20,21,53”.
3. Ensure the TCP_IN line also includes 53. It should look similar to:
   TCP_IN = “20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000”. There may need more or less ports whitelisted depending on software and server hardening requirements.
4. Save changes. In Nano, type Ctrl + X to save and exit Nano.

Provide Reseller Rights for cPanel Users

By default, only the root user has rights to edit firewall rules. If you want to allow reseller cPanel users to edit the CSF rules, follow this section.

1. Edit the CSF resellers file:

   nano /etc/csf/csf.conf

2. Add the following line, but replace “userna5” with the actual cPanel username:

   userna5:0:USE,ALLOW,DENY,UNBLOCK

3. Save changes. In Nano, type Ctrl + X to save and exit Nano.
4. Restart CSF:

   systemctl restart csf

5. Login to WHM as the root user.
6. Select Edit Reseller Nameservers and Privileges.
7. Choose the cPanel user you want to grant CSF privileges to, then click Submit. If there’s only one cPanel user on the server, you’ll already automatically be redirected to its privileges page.
8. Check the box for ConfigServer Security & Firewall (Reseller UI).
9. At the bottom, select Save all Settings.

After installing CSF, check your preset profiles or audit your open ports.