---
title: "How to Install CSF for Better cPanel Server Security"
description: "ConfigServer Security &amp; Firewall (CSF) is a stateful packet inspection (SPI) firewall with login/intrusion detection capabilities for Linux VPS Hosting running CentOS, Ubuntu, and other Unix..."
url: https://www.inmotionhosting.com/support/security/install-csf/
date: 2017-04-29
modified: 2021-08-17
author: "InMotion Hosting Contributor"
categories: ["Security"]
type: post
lang: en
---

# How to Install CSF for Better cPanel Server Security

![Install CSF Hero Image](https://www.inmotionhosting.com/support/wp-content/uploads/2021/02/How-to-Install-CSF-1024x538.jpg)

[**ConfigServer Security & Firewall (CSF)**](https://configserver.com/cp/csf.html)** **is a stateful packet inspection (SPI) firewall with login/intrusion detection capabilities for [Linux VPS Hosting](https://www.inmotionhosting.com/vps-hosting?utm_source=supportcenter&utm_medium=link&utm_campaign=supportcenter) running CentOS, Ubuntu, and other Unix operating systems. Simply put, CSF simplifies the proactive and reactive processes related to Linux cybersecurity.

- [What is CSF?](#what)
  - [Uninstall APF from your InMotion cPanel Server](#uninstall)
  - [Stop APF and Remove Add IP to Firewall from WHM](#disable)
- [Install CSF](#install)
  - [Steps when using Custom Nameservers](#nameserver)
  - [Provide Reseller Rights for cPanel Users](#reseller)

## What is CSF?

Managing firewall settings with iptables commands can get complicated. Also, the active rules for iptables are not persistent. This makes it easy to understand why there are several iptables managers, or *wrappers*, available including **UncomplicatedFirewall (UFW)** and **Firewalld**. So if CSF is not unique in providing basic iptables rule management, why use it? What helps set it apart from similar applications are its additional built-in features:

- The ability to perform a basic server security settings checks
- **Login Failure Daemon (LFD)** to prevent brute-force login attempts
- Monitor and search important system log files directly in WebHost Manager (WHM) on cPanel servers
- View currently listening ports and what processes are listening on them
- Preset configurations, called profiles, to easily switch security settings for different use cases (development, panic mode, etc.)
- And lots more…

Our cPanel-managed VPS and dedicated server hosting plans start with **Advanced Policy Firewall (APF)** installed. However, CSF is more advanced and includes a long list of features in WHM. APF must be uninstalled before you install CSF.

### Uninstall APF from your InMotion cPanel Server

InMotion Hosting cPanel server administrators must remove APF before you install CSF. 

### Stop and Disable the APF Service

1. [Log into your server via SSH](https://www.inmotionhosting.com/support/server/ssh/how-to-login-ssh/) as the root user.
2. Stop the APF service: systemctl stop apf
3. Remove symbolic links from chkconfig management:chkconfig --del apf
4. Remove remaining APF files: rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}

Next, remove Add IP to Firewall from WHM.

1. Uninstall the APF and WHM firewall YUM packages: yum -y remove apf-ded whm-addip
2. Remove remaining WHM configuration files: rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi
3. Open the pluginscache.yaml file with a file editor (e.g. Nano, VIM, Emacs):nano /var/cpanel/pluginscache.yaml
4. If you see something similar to the following, remove all the lines except for the *uniquekey* one.–acllist:– create-acctcgi: addon_add2apf.cgiicon: ”showname: Add IP to Firewalltagname: ”target: mainFrameuniquekey: add_ip_to_firewall
5. Save changes. In Nano, type Ctrl + X on your keyboard to save and exit Nano.

## Install CSF

1. SSH into your server.
2. Install CSF from the YUM repository: yum install -y csf-ded
3. Start the CSF service with Systemd:systemctl start csf
4. Update the CSF WHM plugin.The quickest method is to use this Perl command:curl -sL https://download.configserver.com/csupdate | perlIf you want to be thorough, you can use the manual method instead.wget https://download.configserver.com/csupdateyum install dos2unixpredos2unix csupdatechmod +x csupdate./csupdate

Turn on Brute force monitoring for a head start in hardening your system.

1. Log into your VPS via SSH.
2. This sed one-liner adds brute force monitoring to your CSF configuration file:sed ‘s/\(LF_\(PERMBLOCK\|SSHD\|FTPD\|SMTPAUTH\|POP3D\|IMAPD\|CPANEL\) *= *”\)[^”]\+/\11/;s/\(LF_TRIGGER *= *”\)[^”]\+/\13/’ -i /etc/csf/csf.conf

### Steps when using Custom Nameservers

If you are using custom nameservers, you must complete the following section to allow incoming UDP connections.

1. While still in SSH, edit your primary CSF configuration file: nano /etc/csf/csf.conf
2. Find the *UDP_IN* line and add `53` for port 53 (DNS). The result should read:`UDP_IN = “20,21,53”`.
3. Ensure the *TCP_IN* line also includes `53`. It should look similar to: `TCP_IN = “20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000”`. There may need more or less ports whitelisted depending on software and server hardening requirements.
4. Save changes. In Nano, type Ctrl + X to save and exit Nano.

### Provide Reseller Rights for cPanel Users

By default, only the root user has rights to edit firewall rules. If you want to allow reseller cPanel users to edit the CSF rules, follow this section.

1. Edit the CSF resellers file:nano /etc/csf/csf.conf
2. Add the following line, but replace “userna5” with the actual cPanel username: userna5:0:USE,ALLOW,DENY,UNBLOCK
3. Save changes. In Nano, type Ctrl + X to save and exit Nano.
4. Restart CSF: systemctl restart csf
5. [Login to WHM](https://www.inmotionhosting.com/support/edu/whm/log-into-whm/) as the root user.
6. Select **Edit Reseller Nameservers and Privileges**.
7. Choose the cPanel user you want to grant CSF privileges to, then click **Submit**. If there’s only one cPanel user on the server, you’ll already automatically be redirected to its privileges page.
8. Check the box for **ConfigServer Security & Firewall (Reseller UI)**.
9. At the bottom, select **Save all Settings**.

After installing CSF, check your preset profiles or audit your [open ports](https://www.inmotionhosting.com/support/security/how-to-view-listening-ports-with-configserver-security-firewall-csf/).
