Config Server Firewall Installation Print

  • 0

Installing CSF

Installing CSF should be as simple as downloading the source file to your server and installing it. All commands below should be executed on your server via SSH, not on your local computer.

The first few steps of the installation are the same whether it is a cPanel server or a non-cPanel server.

Retrieving the Package

Best practice when installing any software from source: Use a temporary directory on a partition with plenty of space.

On our dedicated cPanel servers you will already have a directory that we generally use for such things called ‘temp’ on the home partition:

[root@host ~ ]# cd /home/temp/

It is a good idea to check your disk space usage before proceeding, just to be sure there is plenty available:

[root@host ~ ]# df -h

Use ‘wget’ to retrieve CSF install code:
[root@host ~ ]# wget

Once the download is complete, you will see something similar to the following, and be given a command prompt again:
14:53:02 (410.05 KB/s) - `csf.tgz' saved [487272/487272]

Next: Decompress the CSF install files and change directories to the newly created ‘csf’ directory:
[root@host ~ ]# tar zxvf csf.tgz
[root@host ~ ]# cd csf

This is where the paths diverge: cPanel server, or non-cPanel server.

[root@host /home/temp/csf/ ]# ./

If you are running a non-cpanel redhat server:

[root@host /home/temp/csf/ ]# ./ 

Either way you can look through the output of the script as it is running and it will tell you everything it has done. At the end, you will see something similar to the following:

TCP ports currently listening for incoming connections:

UDP ports currently listening for incoming connections:

Note: The port details above are for information only, csf hasn't 
been auto-configured.

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in 
the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding to csf.allow only while in TESTING 
mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled 
- do not forget to disable it in the configuration

Installation Completed

To start testing CSF, start it up:

[root@host ~ ]# /etc/init.d/csf restart

Once you have completed your testing be sure to take CSF out of testing mode by changing the flag in the csf.conf:

Edit the configuration with your favorite editor, in this case we will use vi:

[root@host ~ ]# vi /etc/csf/csf.conf 

Find this block of text near the top of the configuration file:

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab

Edit the last line of that block of text so that it reflects testing being disabled:

Finally, restart CSF:

[root@host ~ ]# /etc/init.d/csf restart

Your CSF firewall is up and running! Congratulations!

Common Installation Errors

If you see an error about libwww not being installed you can install it with yum or cpan:

yum install perl-libwww-perl 


perl -MCPAN -e 'install Bundle::LWP'

Beginning CSF: Making Changes Using the Command Line.

Updating CSF using the command line interface is simple by design! 

Here are the most common commands you will be using:

csf -d IPADDRESS will deny an IP.
csf -a IPADDRESS will allow an IP.
csf -r will reload all rules.

If you forget the command you are looking for just type ‘csf‘ on the command line and you will receive an list of all of your options:

[root@host ~ ]#  csf
ConfigServer Security & Firewall (
csf: v4.17
(c)2006, Way to the Web Limited (

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

Was this answer helpful?

« Back