ConfigServer Security and Firewall (csf)

csf is a firewall based on iptables that is very easy to configure and use. Together with it comes the Login Failure Daemon (lfd) that, other than logging failed log in attempts on various services, it blocks the IPs that have several failed logins in a short period of time. This protects against Brute Force attacks. lfd also reports on usage of resources in the server eg RAM, CPU and number of processes. The full list of services that lfd monitors for failed login attempts is:
• Courier imap, Dovecot, uw-imap, Kerio
• openSSH
• cPanel, WHM, Webmail (cPanel servers only)
• Pure-ftpd, vsftpd, Proftpd
• Password protected web pages (htpasswd)
• Mod_security failures (v1 and v2)
• Suhosin failures
• Custom login failures with separate log file and regular expression matching

As earlier stated, installation is quite easy. Run the following commands in order to install csf and lfd. Note that, no other iptables configuration script should be running. Uninstall any other script so csf can install and work properly.
• cd /usr/src
• rm -fv csf.tgz
• wget
• tar -xzf csf.tgz
• cd csf
• sh
You then need to test whether all required iptables modules are there. Use the command below. It should not bring any Fatal Errors:
• perl /usr/local/csf/bin/

Note: For lfd to work, csf must not be in Testing mode. To disable Testing mode, open /etc/csf/csf.conf and look for the line TESTING = “1”. Replace 1 with 0. Then restart csf and lfd.


It’s even easier to uninstall csf. Run:

• cd /etc/csf
• sh
csf is a powerful and flexible firewall solution. It is bundled with several popular web hosting control panels including cPanel, Centos Web Panel and Webmin

ssh commands for csf

It is sometimes convenient to use SSH to accomplish tasks via command line instead of loading GUI interfaces. csf provides commands to use in it’s management. Equivalent actions can be completed using GUI in webhosting panels like cpanel or cwp. Here is a cheatshee of the commandst:

Command Description Usage
csf -s Start firewall rules # csf -s
csf -f Stop firewall rules # csf -f
csf -r Restart firewall rules # csf -r
csf -a ip Allow an Ip address. Add it to /etc/csf/csf.allow # csf -a

# csf -a My ip address

csf -d ip Deny an Ip address. Add it to /etc/csf/csf.deny # csf -d

# csf -d An attacker

csf -g ip Search iptables/ip6tables for a match in IP, Port or CIDR # csf -g
csf -t Displays the current list of temporary allow and deny IP entries with their TTL and comment # csf -t
csf -tr ip Remove an IP from the temporary IP ban or allow list. # csf -tr
csf -tf Flush all IPs from the temporary IP entries # csf -tf
csf -dr ip Unblock an IP and remove from /etc/csf/csf.deny # csf -dr
csf -df Remove and unblock all entries in /etc/csf/csf.deny # csf -df

Note: You need root privileges to run these commands

To prevent an IP from being blocked by csf, you need to add it to whitelist. This is essentially, just adding it to /etc/csf/csf.allow and /etc/csf/csf.ignore lists. When an IP is in whitelist, it will no longer be checked by lfd

Your first step will be to enable IGNORE_ALLOW in /etc/csf/csf.conf. By default, it’s value is “0”, change that to “1” the restart csf and lfd

In conclusion, here are some useful links to csf and lfd:

1. More details about csf and lfd can be found here
2. More details on installation of csf and lfd can be found here

Leave a Reply

Your email address will not be published. Required fields are marked *