How to Install ConfigServer Security & Firewall (CSF) on Ubuntu

Derrell, updated on June 9, 2026

ConfigServer Security & Firewall (CSF) is a widely used firewall for Linux VPS and Dedicated Servers. It sits in front of iptables and provides a single configuration file for controlling ports, blocking brute-force login attempts, and whitelisting trusted IPs. This guide covers installing CSF on Ubuntu using the current community-maintained source, so your server is protected before you expose anything publicly.

Way to the Web Ltd, the original developer of CSF, permanently shut down on August 31, 2025, and released the project under the GPLv3 license. The original download host, download.configserver.com, is offline. The community-supported continuation for Ubuntu and other Debian-based servers is the Aetherinox fork, available from download.configserver.dev. cPanel users on WHM and RHEL-based servers have a separate cPanel-maintained fork; this article covers Ubuntu only and applies to the current Ubuntu LTS releases: 22.04 LTS, 24.04 LTS, and 26.04 LTS.

Prerequisites

- An Ubuntu VPS, Dedicated, or Cloud server with root or sudo access.
- Basic familiarity with the command line and a working SSH session. See How to Connect to Your Server with SSH if you need help connecting.
- Port 22 open and reachable for your current session. You will be restarting the firewall during this process, and locking yourself out of Secure Shell (SSH) is the most common mistake.

Step 1: Install Dependencies

CSF relies on several Perl modules and ipset for its blocking engine. Installing them first prevents a failed install with cryptic Perl errors.

    sudo apt-get update && sudo apt-get install -y ipset libcrypt-ssleay-perl libio-socket-inet6-perl libio-socket-ssl-perl libnet-libidn-perl libsocket6-perl perl wget

When apt-get finishes without errors, you are ready to download CSF.

Step 2: Download and Extract CSF

Download the current release tarball from the community source at configserver.dev, then extract it.

    wget https://download.configserver.dev/csf.tgz
    tar -xzf csf.tgz

Tip: If you prefer a one-command install that downloads and runs the installer automatically, use the helper script instead:

    bash <(wget -qO - https://get.configserver.dev)

This one-liner uses bash process substitution, so run it in a bash shell. The manual steps below give you more control and are recommended for first-time installs.

Step 3: Run the Pre-Install Test

Before installing, CSF ships a test script that checks whether your kernel supports all the iptables modules it needs. Running it now catches missing modules before they cause problems later.

    cd csf
    sudo perl csftest.pl

Review the output. Lines marked FATAL mean a required kernel feature is missing, and CSF will not work correctly. Lines marked WARNING indicate optional features that are absent but not blocking. On a standard Ubuntu VPS or Dedicated Server, you should see no FATAL errors. If you do, contact your server provider, because the kernel may need to be rebuilt with the missing module.

Step 4: Install CSF on Ubuntu

With the pre-install test passing, run the installer from inside the csf directory.

    sudo sh install.sh

The installer copies CSF’s files to /etc/csf/ and /usr/local/csf/, installs the csf and lfd system services, and loads the default iptables rules. When it finishes, you will see a line confirming that CSF and lfd have started.

Step 5: Configure Allowed Ports

CSF starts in testing mode (TESTING = "1"), which means all iptables rules are flushed every five minutes, so a misconfiguration cannot permanently lock you out. Open /etc/csf/csf.conf in your preferred editor and review the port settings before you disable testing mode.

    sudo nano /etc/csf/csf.conf

The four key directives are TCP_IN, TCP_OUT, UDP_IN, and UDP_OUT. Each is a comma-separated list of ports.
A reasonable starting point for a generic Ubuntu server looks like this:

| Directive | Purpose | Common ports |
|-----------|---------|--------------|
| TCP_IN | Inbound TCP connections allowed | 22 (SSH), 80 (HTTP), 443 (HTTPS) |
| TCP_OUT | Outbound TCP connections allowed | 22, 25, 80, 443, 587, 993, 995 |
| UDP_IN | Inbound UDP allowed | 53 (DNS, if this server is a resolver) |
| UDP_OUT | Outbound UDP allowed | 53 (DNS) |

Add mail ports (25, 465, 587, 110, 143, 993, 995) to TCP_IN if this server runs a mail service. If you run an FTP server, add ports 20 and 21 to TCP_IN, since FTP uses TCP. Add port 3306 to TCP_IN only if remote MySQL access is required, and restrict it to trusted IPs in /etc/csf/csf.allow rather than opening it to the world.

Warning: Make sure port 22 remains in TCP_IN before you restart CSF. Removing it while connected over SSH will lock you out of your server. If that happens, you will need to access the server through your hosting provider’s emergency console.

Step 6: Disable Testing Mode and Start CSF

Once you are satisfied with your port list, disable testing mode so CSF’s rules persist across reboots. In /etc/csf/csf.conf, find the line:

    TESTING = "1"

Change it to:

    TESTING = "0"

Save the file, then reload CSF to apply all rules and restart the Login Failure Daemon (lfd):

    sudo csf -ra

Confirm both services are running:

    sudo systemctl status csf lfd

Both should show active (running). With testing mode off and the services confirmed, your firewall rules are now live and persistent across reboots.

Configuring the Login Failure Daemon

The Login Failure Daemon (lfd) is the brute-force protection layer that runs alongside CSF. It scans your authentication logs at regular intervals and temporarily or permanently blocks IP addresses that trigger excessive failed login attempts.

On a typical VPS, the default settings work well out of the box, but one value is worth checking: DENY_IP_LIMIT in /etc/csf/csf.conf. This setting controls how many blocked IPs lfd tracks in memory.
On a VPS, a conservative value such as 1000 avoids unnecessary memory use. On a dedicated server with high traffic, 15000 is a reasonable upper bound. Find the directive in csf.conf and adjust it to suit your server:

    DENY_IP_LIMIT = "1000"

To check whether a specific IP is currently blocked, run sudo csf -g <ip-address> (replace <ip-address> with the actual IP). After any change to csf.conf, run sudo csf -ra to reload.

Whitelisting Trusted IP Addresses

CSF uses two files to exempt IPs from blocking. Understanding which one to use prevents lfd from accidentally blocking your own office IP or a monitoring service.

- /etc/csf/csf.allow: IPs listed here bypass all CSF firewall rules entirely. Use this for your own trusted IP addresses, your office range, or any server that must always have access regardless of firewall state.
- /etc/csf/csf.ignore: IPs listed here are not tracked by lfd for brute-force detection. Use this for monitoring agents, backup services, or any automated tool that legitimately generates repeated login events.

To whitelist an IP in csf.allow, add one entry per line. You can restrict an entry to a specific protocol and port using the syntax tcp|in|d=22|s=<trusted-ip> (replace <trusted-ip> with the actual IP address). To allow all traffic from an IP unconditionally, add just the IP address on its own line:

    192.0.2.10

After editing either file, reload CSF with sudo csf -ra.

Troubleshooting

CSF install fails with Perl module errors

The installer requires the Perl modules listed in Step 1. If you see errors like Can't locate Net/LibIDN.pm, re-run the apt-get install command from Step 1, then retry the install. If a module still cannot be found, run sudo apt-get update first to refresh your package list.

csftest.pl reports FATAL errors

A FATAL result means the running kernel is missing a required iptables module. On a VPS this usually means the hypervisor’s kernel does not expose that module to your container.
Contact InMotion Solutions or your VPS provider’s support team to request a kernel that includes the missing module, or ask whether it can be loaded as a kernel extension.

I am locked out of SSH after restarting CSF

If you accidentally removed port 22 from TCP_IN before reloading CSF, use your hosting provider’s out-of-band console to connect without SSH. For InMotion Hosting VPS customers, this is the VPS Manager console in AMP at secure1.inmotionhosting.com/amp. Once logged in, edit /etc/csf/csf.conf to add 22 back to TCP_IN, then run sudo csf -ra.

lfd blocks a legitimate IP repeatedly

Add the IP to /etc/csf/csf.ignore so lfd stops tracking it. If the IP also needs to bypass firewall rules, add it to /etc/csf/csf.allow as well. Reload with sudo csf -ra after either change.

The wget download fails or returns a 404

The original download.configserver.com domain is permanently offline. Make sure your download command points to https://download.configserver.dev/csf.tgz as shown in Step 2. If that URL also becomes unavailable, check the project repository at github.com/Aetherinox/csf-firewall for the latest release location.

Conclusion

Your Ubuntu server now has CSF installed and running from the current community-maintained source at configserver.dev, with testing mode disabled, your ports tuned to your workload, lfd watching for brute-force attempts, and trusted IPs whitelisted. A natural next step is hardening your SSH configuration: key-based authentication, a non-default port, and PermitRootLogin no in /etc/ssh/sshd_config will make lfd’s job significantly easier. If you need hands-on help with server security or CSF configuration, the InMotion Solutions team is available to assist.
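
The checks from Steps 5 and 6 that you would otherwise make by eye before running sudo csf -ra (the SSH port is still in TCP_IN, TESTING is set to 0, 3306 is not open to every source) can be scripted. The following is an added example, not part of the original article or the CSF project; the function names and the sample configuration are constructed, and it assumes list entries are single ports or low:high ranges.

```shell
# Added example: pre-flight check of a csf.conf-style file before `csf -ra`.
# Function names and the sample file below are constructed for illustration.

# Print a directive's quoted value: TCP_IN = "22,80" -> 22,80
csf_value() {  # usage: csf_value FILE DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tail -n 1 | tr -d ' '
}

# Succeed if PORT appears in the directive's comma-separated list.
# Entries are single ports or low:high ranges.
csf_port_allowed() {  # usage: csf_port_allowed FILE DIRECTIVE PORT
    list=$(csf_value "$1" "$2")
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$entry" = "$3" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Print findings for the mistakes this guide warns about; exit status = count.
csf_preflight() {  # usage: csf_preflight FILE SSH_PORT
    findings=0
    if ! csf_port_allowed "$1" TCP_IN "$2"; then
        echo "FAIL: port $2 (SSH) is not in TCP_IN; a reload would lock you out"
        findings=$((findings + 1))
    fi
    if [ "$(csf_value "$1" TESTING)" != "0" ]; then
        echo "WARN: TESTING is not 0; rules are flushed every five minutes"
        findings=$((findings + 1))
    fi
    if csf_port_allowed "$1" TCP_IN 3306; then
        echo "WARN: 3306 is open to every source; restrict it in csf.allow"
        findings=$((findings + 1))
    fi
    return "$findings"
}

sample=$(mktemp)   # constructed sample, not a real server's configuration
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "80,443,3306,30000:35000"' > "$sample"
csf_preflight "$sample" 22 || echo "findings: $?"
rm -f "$sample"
```

On a real server, call csf_preflight /etc/csf/csf.conf with the port your SSH daemon actually listens on, and reload only when it reports no FAIL line.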

Derrell Willis, Manager, Developer Relations