---
title: "How to Install ConfigServer Security &#038; Firewall (CSF) on Ubuntu"
description: "ConfigServer Security &amp; Firewall (CSF) is a widely used firewall for Linux VPS and Dedicated Servers. It sits in front of iptables and provides a single configuration file for controlling ports,..."
url: https://www.inmotionhosting.com/support/security/install-csf-on-ubuntu/
date: 2026-06-08
modified: 2026-06-09
author: "Derrell"
categories: ["Security"]
type: post
lang: en
---

# How to Install ConfigServer Security &#038; Firewall (CSF) on Ubuntu

**ConfigServer Security & Firewall (CSF) **is a widely used firewall for Linux VPS and Dedicated Servers. It sits in front of iptables and provides a single configuration file for controlling ports, blocking brute-force login attempts, and whitelisting trusted IPs. This guide covers installing CSF on Ubuntu using the current community-maintained source, so your server is protected before you expose anything publicly.

Way to the Web Ltd, the original developer of CSF, permanently shut down on August 31, 2025, and released the project under the GPLv3 license. The original download host, download.configserver.com, is offline. The community-supported continuation of Ubuntu and other Debian-based servers is the Aetherinox fork, available from download.configserver.dev. cPanel users on WHM and RHEL-based servers have a separate cPanel-maintained fork; this article covers Ubuntu only and applies to the current Ubuntu LTS releases, 22.04 LTS, 24.04 LTS, and 26.04 LTS.

## Prerequisites

- An Ubuntu VPS, Dedicated, or Cloud server with root or sudo access.
- Basic familiarity with the command line and a working SSH session. See [How to Connect to Your Server with SSH](https://www.inmotionhosting.com/support/server/ssh/how-to-login-ssh/) if you need help connecting.
- Port 22 open and reachable for your current session. You will be restarting the firewall during this process, and locking yourself out of Secure Shell (SSH) is the most common mistake.

## Step 1: Install Dependencies

CSF relies on several Perl modules and `ipset` for its blocking engine. Installing them first prevents a failed install with cryptic Perl errors.

```
sudo apt-get update && sudo apt-get install -y ipset libcrypt-ssleay-perl libio-socket-inet6-perl libio-socket-ssl-perl libnet-libidn-perl libsocket6-perl perl wget
```

When `apt-get` finishes without errors, you are ready to download CSF.

## Step 2: Download and Extract CSF

Download the current release tarball from the community source at `configserver.dev`, then extract it.

```
wget https://download.configserver.dev/csf.tgz
```

```
tar -xzf csf.tgz
```

**Tip:** If you prefer a one-command install that downloads and runs the installer automatically, use the helper script instead: `bash <(wget -qO - https://get.configserver.dev)`. This one-liner uses bash process substitution, so run it in a bash shell. The manual steps below give you more control and are recommended for first-time installs.

## Step 3: Run the Pre-Install Test

Before installing, CSF ships a test script that checks whether your kernel supports all the iptables modules it needs. Running it now catches missing modules before they cause problems later.

```
cd csf
sudo perl csftest.pl
```

Review the output. Lines marked `FATAL` mean a required kernel feature is missing, and CSF will not work correctly. Lines marked `WARNING` indicate optional features that are absent but not blocking.

On a standard Ubuntu VPS or Dedicated Server, you should see no `FATAL` errors. If you do, contact your server provider, because the kernel may need to be rebuilt with the missing module.

## Step 4: Install CSF on Ubuntu

With the pre-install test passing, run the installer from inside the `csf` directory.

```
sudo sh install.sh
```

The installer copies CSF’s files to `/etc/csf/` and `/usr/local/csf/`, installs the `csf` and `lfd` system services, and loads the default iptables rules. When it finishes, you will see a line confirming that CSF and lfd have started.

## Step 5: Configure Allowed Ports

CSF starts in testing mode (`TESTING = "1"`), which means all iptables rules are flushed every five minutes, so a misconfiguration cannot permanently lock you out. Open `/etc/csf/csf.conf` in your preferred editor and review the port settings before you disable testing mode.

```
sudo nano /etc/csf/csf.conf
```

The four key directives are `TCP_IN`, `TCP_OUT`, `UDP_IN`, and `UDP_OUT`. Each is a comma-separated list of ports. A reasonable starting point for a generic Ubuntu server looks like this:

| Directive | Purpose | Common ports |
| --- | --- | --- |
| `TCP_IN` | Inbound TCP connections allowed | 22 (SSH), 80 (HTTP), 443 (HTTPS) |
| `TCP_OUT` | Outbound TCP connections allowed | 22, 25, 80, 443, 587, 993, 995 |
| `UDP_IN` | Inbound UDP allowed | 53 (DNS, if this server is a resolver) |
| `UDP_OUT` | Outbound UDP allowed | 53 (DNS) |

Add mail ports (25, 465, 587, 110, 143, 993, 995) to `TCP_IN` if this server runs a mail service. If you run an FTP server, add ports 20 and 21 to `TCP_IN`, since FTP uses TCP. Add port 3306 to `TCP_IN` only if remote MySQL access is required, and restrict it to trusted IPs in `/etc/csf/csf.allow` rather than opening it to the world.

**Warning:** Make sure port 22 remains in `TCP_IN` before you restart CSF. Removing it while connected over SSH will lock you out of your server. If that happens, you will need to access the server through your hosting provider’s emergency console.

## Step 6: Disable Testing Mode and Start CSF

Once you are satisfied with your port list, disable testing mode so CSF’s rules persist across reboots. In `/etc/csf/csf.conf`, find the line:

```
TESTING = "1"
```

Change it to:

```
TESTING = "0"
```

Save the file, then reload CSF to apply all rules and restart the Login Failure Daemon (lfd):

```
sudo csf -ra
```

Confirm both services are running:

```
sudo systemctl status csf lfd
```

Both should show `active (running)`. With testing mode off and the services confirmed, your firewall rules are now live and persistent across reboots.

## Configuring the Login Failure Daemon

The Login Failure Daemon (lfd) is the brute-force protection layer that runs alongside CSF. It scans your authentication logs at regular intervals and temporarily or permanently blocks IP addresses that trigger excessive failed login attempts. On a typical VPS, the default settings work well out of the box, but one value is worth checking: `DENY_IP_LIMIT` in `/etc/csf/csf.conf`.

This setting controls how many blocked IPs lfd tracks in memory. On a VPS, a conservative value such as `1000` avoids unnecessary memory use. On a dedicated server with high traffic, `15000` is a reasonable upper bound. Find the directive in `csf.conf` and adjust it to suit your server:

```
DENY_IP_LIMIT = "1000"
```

To check whether a specific IP is currently blocked, run `sudo csf -g <ip-address>` (replace `<ip-address>` with the actual IP). After any change to `csf.conf`, run `sudo csf -ra` to reload.

## Whitelisting Trusted IP Addresses

CSF uses two files to exempt IPs from blocking. Understanding which one to use prevents lfd from accidentally blocking your own office IP or a monitoring service.

- **/etc/csf/csf.allow**: IPs listed here bypass all CSF firewall rules entirely. Use this for your own trusted IP addresses, your office range, or any server that must always have access regardless of firewall state.
- **/etc/csf/csf.ignore**: IPs listed here are not tracked by lfd for brute-force detection. Use this for monitoring agents, backup services, or any automated tool that legitimately generates repeated login events.

To whitelist an IP in `csf.allow`, add one entry per line. You can restrict an entry to a specific protocol and port using the syntax `tcp|in|d=22|s=<trusted-ip>` (replace `<trusted-ip>` with the actual IP address). To allow all traffic from an IP unconditionally, add just the IP address on its own line:

```
192.0.2.10
```

After editing either file, reload CSF with `sudo csf -ra`.

## Troubleshooting

### CSF install fails with Perl module errors

The installer requires the Perl modules listed in Step 1. If you see errors like `Can't locate Net/LibIDN.pm`, re-run the `apt-get install` command from Step 1, then retry the install. If a module still cannot be found, run `sudo apt-get update` first to refresh your package list.

### csftest.pl reports FATAL errors

A `FATAL` result means the running kernel is missing a required iptables module. On a VPS this usually means the hypervisor’s kernel does not expose that module to your container. Contact [InMotion Solutions](https://www.inmotionhosting.com/solutions/inmotion-solutions) or your VPS provider’s support team to request a kernel that includes the missing module, or ask whether it can be loaded as a kernel extension.

### I am locked out of SSH after restarting CSF

If you accidentally removed port 22 from `TCP_IN` before reloading CSF, use your hosting provider’s out-of-band console to connect without SSH. For InMotion Hosting VPS customers, this is the VPS Manager console in AMP at [secure1.inmotionhosting.com/amp](https://secure1.inmotionhosting.com/amp). Once logged in, edit `/etc/csf/csf.conf` to add 22 back to `TCP_IN`, then run `sudo csf -ra`.

### lfd blocks a legitimate IP repeatedly

Add the IP to `/etc/csf/csf.ignore` so lfd stops tracking it. If the IP also needs to bypass firewall rules, add it to `/etc/csf/csf.allow` as well. Reload with `sudo csf -ra` after either change.

### The wget download fails or returns a 404

The original `download.configserver.com` domain is permanently offline. Make sure your download command points to `https://download.configserver.dev/csf.tgz` as shown in Step 2. If that URL also becomes unavailable, check the project repository at [github.com/Aetherinox/csf-firewall](https://github.com/Aetherinox/csf-firewall) for the latest release location.

**Bare Metal Servers for Maximum Performance**

Get direct hardware access without virtualization overhead. Bare metal servers deliver the highest performance for demanding applications.

![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Hardware That’s Entirely Yours
![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Raw Server Performance

![check mark](https://design.inmotionhosting.com/assets/icons/standard/check-blue.svg)Complete Customization Freedom

[Bare Metal Servers](https://www.inmotionhosting.com/bare-metal-servers?mktgp=t&irgwc=1&affiliates=5001860&utm_campaign=Jumbotron&utm_source=supportcenter&utm_medium=cta&utm_term=bare-metal-cta1)

## Conclusion

Your Ubuntu server now has CSF installed and running from the current community-maintained source at `configserver.dev`, with testing mode disabled, your ports tuned to your workload, lfd watching for brute-force attempts, and trusted IPs whitelisted. A natural next step is hardening your SSH configuration: key-based authentication, a non-default port, and `PermitRootLogin no` in `/etc/ssh/sshd_config` will make lfd’s job significantly easier. If you need hands-on help with server security or CSF configuration, the [InMotion Solutions team](https://www.inmotionhosting.com/solutions/inmotion-solutions) is available to assist.
