How To: Config Server & Firewall Installation Guide

I’ve written this guide to help you you through installing and configuring CSF – Config Server Firewall, a popular alternative to APF. CSF comes with LFD and works with or without cPanel.

CSF Install Guide and How To

CSF – Config Server Firewall is a stateful packet inspection firewall, login/intrusion detection and security application for Linux servers. What does that mean in English? Simple – it’s a program that can greatly improve your dedicated server or VPS’s security.

It’s a firewall – so it can block/restrict ports you don’t want open, and prevents someone from using any port they want if they did break in.
It has intrusion detection – so it will scan the log files and monitor failed login attempts, such as FTP password guessing and block the IP.
Those are the 2 big things I like about CSF – and it has a nice interface for the non techie person, on cPanel servers.

If you have another firewall installed, like APF, CSF can help you automatically remove the existing firewall and install theirs instead. Keep in mind it won’t migrate over your configuration.


Installation is quite straightforward:

Login as the root user to SSH and run the following commands.

rm -fv csf.tgz
tar  -xzf csf.tgz
cd csf

If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):


That’s it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*

Installation Completed

Don’t forget to:

1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server

2. Restart csf and lfd

3. Set TESTING to 0 once you’re happy with the firewall

csf is preconfigured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it’s non-standard on

You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
servers have this disabled and you should check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog.

Now – login to your cPanel server’s WHM as root and go to the bottom left menu. If already logged in then reload the page. In Plugins – you will see:  ConfigServer Security&Firewall

The firewall is STOPPED by default – it is not running. We need to configured it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE =: Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port make sure to add it here. Also add any other services you might have running such as Shoutcast or game servers. By default most of the ports used should already be configured.

MONOLITHIC_KERNEL = : 0 Only change this to 1 if your firewall will not start – otherwise leave it as it.

LF_DSHIELD = 0: Change this option to 86400. This is an automatic updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

Spam Protection Alerts

If you want to add some spam protection, CSF can help. Look in the configuraiton for the following:

LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.

Configuration Complete – Almost

Scroll down to the bottom and click on Change to save the settings. Then click Restart csf+lfd

You should see a big page of ACCEPT and near the bottom you should see:

csf: TESTING mode is enabled – don’t forget to disable it in the configuration

Starting lfd:[  OK  ]

Click on Return

Now TEST all your services to make sure everything is working – SSH, FTP, http. After you do a few quick tests go back into the Firewall Configuration page.

TESTING = 1 change this to 0 and click Change at the bottom. Then Restart csf+lfd

That’s it, the firewall is successfully installed and running!!
Firewall Status: Running – you should see this on the main CSF page in WHM.


Removing csf and lfd is even more simple:

cd /etc/csf

cPanel and basic iptables

Save this to a file and run it, This will empty your iptables and set a solid set of secure rules that are compatible with cPanel servers running DNS clustering. If you run DNS locally be sure to allow 53 on TCP AND UDP!

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

##Acceptable IP
/sbin/iptables -A INPUT -s x.x.x.xx -j ACCEPT #YOUR TRUSTED IP's

##General Web/File Services
/sbin/iptables -A INPUT -p tcp --dport 80  -j ACCEPT #HTTP
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT #HTTPS
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT #FTP
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT #SSH
/sbin/iptables -A INPUT -p tcp --dport 5666 -j ACCEPT #NRPE

##Email Services
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT #IMAP
/sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT #SMTPs
/sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT #IMAPs
/sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT #POP3s

##cPanel Services
/sbin/iptables -A INPUT -p tcp --dport 2083 -j ACCEPT #cPanel
/sbin/iptables -A INPUT -p tcp --dport 2087 -j ACCEPT #WHM
/sbin/iptables -A INPUT -p tcp --dport 2096 -j ACCEPT #Webmail

##Allow Ping
/sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

##Final Blocks
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP

Guide on removing iptable rules

If you loose access to your server while using this, well that sucks.   Setup a cron job to stop the iptables service every 5 minutes just in case.