ConfigServer Firewall (CSF) is an advanced firewall suite for Linux systems that enhances the security on your Server. It also has the Login Failure Daemon (LFD) process that regularly scans for failed login attempts on your Server and takes action against the offending IP Addresses.
This documentation assumes that you are connected to the Server using an SSH client as a root user.
To Install CSF on a ServerTop
-
Change the present working directory to /usr/local/src using the command below. You may choose any other directory of your choice, where you want the installation script to be downloaded.
cd /usr/local/src
-
Run the below command to download the archive file to the present working directory:
wget http://configserver.com/free/csf.tgz
-
Extract the files using the command:
tar xfz csf.tgz
-
Go to the CSF directory using the command:
cd csf
-
To install CSF:
-
On a Server Without any Hosting Panel
Run the general installation script ./install.generic.sh.
-
On a Server With cPanel or DirectAdmin
-
Run the installation script ./install.cpanel.sh to install CSF on a Server with cPanel.
-
Run the installation script ./install.directadmin.sh to install CSF on a Server with DirectAdmin.
-
The CSF Firewall will be installed in the /etc/csf directory and the allowed inbound/outbound port configuration will be adjusted as per the current settings. You can make further adjustments through the configuration file /etc/csf/csf.conf.
-
-
Restart the firewall for the changes to take effect using the command:
/etc/init.d/csf restart
-
You can disable the testing flag by changing the value for TESTING from 1 to 0 in the configuration file /etc/csf/csf.conf using an editor like vi.
NoteEnsure that all your custom firewall settings are working perfectly before you disable the testing mode.
-
Restart the Firewall again.
To Manage CSFTop
CSF can be managed through the Command Line Interface. The command csf would present a list of commands and the information related to them.
A few basic commands are:
-
Allowing an IP Address
csf -a <ip_address>
-
Denying an IP Address
csf -d <ip_address>
You can manage the CSF settings from your WHM Panel (Home >> Plugins).
Once the installation is complete, you need to make sure that you have configured the firewall properly, before turning the testing mode off.
Ports and Settings to be enabledTop
cPanel | Plesk | |
---|---|---|
TCP_IN | 20, 21, 22, 25, 26, 53, 80, 110, 143, 443, 465, 993, 995, 2082, 2083, 2086, 2087, 2095, 2096 | 20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995, 8443, 8880 |
TCP_OUT | 21, 22, 25, 26, 27, 37, 43, 53, 80, 110, 113, 443, 465, 873, 2089 | 20, 21, 22, 25, 53, 37, 43, 80, 113, 443, 465, 873, 5224, 5443 |
UDP_IN | 20, 21, 53, 953 | 20, 21, 37, 53, 873 |
UDP_OUT | 20, 21, 53, 113, 123, 873, 953 | 20, 21, 53, 113, 123, 873, 6277 |
Configure SMTP |
SMTP_BLOCK = "1" SMTP_ALLOWLOCAL = "1" SMTP_PORTS = "25,26" SMTPAUTH_LOG = "/var/log/exim_mainlog" |
SMTP_BLOCK = "1" SMTP_ALLOWLOCAL = "1" SMTP_PORTS = "25,587" SMTPAUTH_LOG = "/usr/local/psa/var/log/maillog" |