How to Install ConfigServer Security & Firewall (CSF) on Ubuntu

Updated on March 31, 2022 by InMotion Hosting Contributor

ConfigServer Security & Firewall (CSF) is a stateful packet inspection (SPI) firewall and front-end manager for iptables. CSF is a more advanced alternative to APF and has integrations for Vesta Control Panel, Webmin, and more.

Below we cover how to install CSF on Ubuntu and complete basic tasks such as managing ports, configuring Login Failure Daemon (lfd), and whitelisting IPs. If you need help at any time, contact our Managed Hosting team.

Install CSF

1. Download the latest CSF file:

    wget https://download.configserver.com/csf.tgz

2. Extract the archive:

    tar -xzf csf.tgz

3. Navigate to the new directory:

    cd csf

4. Start the installation script:

    sh install.sh

5. Test the status of required iptables modules:

    perl /usr/local/csf/bin/csftest.pl

Basic CSF Tasks

Below are some common tasks to consider post-installation.

Open and Close Ports

1. Edit your CSF configuration file (the +137 argument takes you directly to the port settings):

    nano +137 /etc/csf/csf.conf

2. Add or remove ports from TCP_IN (incoming TCP – most commonly used), TCP_OUT (outgoing TCP), UDP_IN (incoming UDP), and UDP_OUT (outgoing UDP) as needed.

If installing CSF on a cPanel server, you'll want to whitelist the following in TCP_IN: "20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,30000:35000".

lfd for Brute-force Protection

Login Failure Daemon (lfd) scans log files every X seconds to protect against brute-force login attacks. You can use DENY_IP_LIMIT to set how many blocked IP addresses are tracked at once.

1. Edit your CSF configuration file:

    nano +1880 /etc/csf/csf.conf

2. Make your changes (we recommend 15000 for dedicated servers and 1000 for VPS containers).

3. Save changes.

4. Apply changes:

    csf -r

Whitelist IPs

This whitelists IPs through iptables:

    nano /etc/csf/csf.allow

The format is:

    tcp/udp | in/out | s[ource]/d[estination]=port | u[ID]/g[ID]
For example, to allow inbound connections to MySQL on port 3306 from 1.2.3.4:

    tcp|in|d=3306|s=1.2.3.4

TCP and IN are used as the defaults if the protocol (TCP/UDP) or connection direction (in or out) is omitted from a rule.

IPs listed here can still be blocked by lfd. To protect an IP from being blocked, edit the ignore list:

    nano /etc/csf/csf.ignore

To allow outbound TCP connections to port 22 on IP 1.2.3.4:

    out|d=22|d=1.2.3.4
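
As an added example (not InMotion's or ConfigServer's code), the Python sketch below parses csf.allow lines in the format described above, applies the tcp/in defaults, and reports malformed lines so they can be fixed before running csf -r. The function names are hypothetical, and it assumes single ports and IPv4/IPv6 addresses or CIDR ranges only, as in the two rules above, plus bare one-per-line addresses.

```python
import ipaddress

def parse_allow_rule(line):
    """Normalize one csf.allow line; None for blank and comment lines."""
    line = line.split("#", 1)[0].strip().lower()
    if "|" not in line and "=" not in line:
        # Not an advanced rule: empty, or a bare address/CIDR on its own line.
        return {"ip": str(ipaddress.ip_network(line, strict=False))} if line else None
    rule = {"proto": "tcp", "direction": "in"}  # defaults stated in the article
    for token in (t.strip() for t in line.split("|")):
        key, sep, value = token.partition("=")
        if token in ("tcp", "udp"):
            rule["proto"] = token
        elif token in ("in", "out"):
            rule["direction"] = token
        elif sep and key in ("s", "d"):
            side = "src" if key == "s" else "dst"
            if value.isdigit() and 1 <= int(value) <= 65535:
                rule[side + "_port"] = int(value)
            else:
                rule[side + "_ip"] = str(ipaddress.ip_network(value, strict=False))
        elif sep and key in ("u", "g"):
            rule["uid" if key == "u" else "gid"] = int(value)
        else:
            raise ValueError(f"unrecognized field: {token!r}")
    return rule

def check_allow_file(text):
    """Return (rules, errors); errors are (line_number, message) pairs."""
    rules, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            rule = parse_allow_rule(line)
            if rule:
                rules.append(rule)
        except ValueError as exc:
            errors.append((number, str(exc)))
    return rules, errors

# Constructed sample: the article's two rules followed by two deliberate typos.
SAMPLE = """\
tcp|in|d=3306|s=1.2.3.4
out|d=22|d=1.2.3.4
tcp|inn|d=3306|s=1.2.3.4
tcp|in|d=3306|s=1.2.3.400
"""

if __name__ == "__main__":
    print(check_allow_file(SAMPLE))
```

The second sample rule shows the default in action: with no protocol given, it is normalized to tcp, outbound, destination port 22.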