CSF Firewall

From Just another day in the life of a linux sysadmin

Working with CSF

There is one main thing to know about CSF boxes. Do not FLUSH IPTABLES. It removes all rules in the firewall, including the ones that route traffic.  This means the server is instantly offline as soon as you run that command.  In some cases, with certain kernels, it also causes a kernel panic.  If you do it accidentally, restart csf on the server.  

If you do need to flush the rules, you can instead do this:

csf -f

To see if an IP is being blocked, use the csf grep command:

csf -g $IP

If you're still not sure what's going on with an IP address, the following command will show you all the CSF files containing an IP:

grep -R $IP /etc/csf/
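The two lookups above answer different questions: csf -g asks iptables what is in effect right now, while the grep shows which CSF list files mention the address. The helper below, an added example that is not from the wiki page, narrows the grep to the three files that actually carry rules (csf.allow, csf.ignore, csf.deny), skips comment-only lines so a note about an old block is not mistaken for a live rule, and also recognises CSF's advanced allow syntax (tcp|in|d=PORT|s=IP, from CSF's readme rather than this page). Temporary bans are not in these files; csf -t lists them. The directory argument and the sample files are constructed so the demo runs against a scratch copy, not the live /etc/csf.

```shell
#!/bin/sh
# Added example, not part of the wiki page: report every CSF list file that
# carries a rule for an IP, so you know whether it is allowed (csf.allow),
# ignored by LFD (csf.ignore) or denied (csf.deny) before editing anything.
# Temporary bans live outside these files; check them with `csf -t`.
# The directory argument lets the demo run on a constructed scratch copy
# instead of the live /etc/csf.

CSF_LIST_FILES="csf.allow csf.ignore csf.deny"

# valid_ipv4 ADDR -- succeed if ADDR is a dotted quad, optionally with /CIDR.
valid_ipv4() {
    echo "$1" | grep -Eq '^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(/[0-9]{1,2})?$'
}

# csf_where_ip ADDR [DIR] -- print "file:entry" for each live rule naming ADDR.
# Matches plain entries ("203.0.113.10 # comment") and CSF's advanced syntax
# ("tcp|in|d=3306|s=203.0.113.10"). Comment-only lines are skipped because an
# address mentioned in a comment is not a rule. Returns 1 if nothing matched,
# 2 if ADDR is not an IPv4 address.
csf_where_ip() {
    ip=$1; dir=${2:-/etc/csf}
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    # escape the dots so they are not regex wildcards
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    hits=0
    for f in $CSF_LIST_FILES; do
        [ -f "$dir/$f" ] || continue
        matches=$(grep -v '^[[:space:]]*#' "$dir/$f" |
                  grep -E "(^|[|=,[:space:]])${esc}([|/[:space:]]|$)") || continue
        printf '%s\n' "$matches" | sed "s|^|$f:|"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# make_sample_csf_dir -- constructed sample files (not real rules) for the demo.
make_sample_csf_dir() {
    d=$(mktemp -d)
    cat > "$d/csf.allow" <<'EOF'
# office range, never remove
198.51.100.0/24 # office
tcp|in|d=3306|s=203.0.113.10 # trusted MySQL client, port 3306 only
EOF
    cat > "$d/csf.ignore" <<'EOF'
203.0.113.10
EOF
    cat > "$d/csf.deny" <<'EOF'
192.0.2.44 # lfd: (sshd) Failed SSH login from 192.0.2.44: 5 in the last 3600 secs
# 203.0.113.10 was unblocked on request; kept here as a note only
EOF
    echo "$d"
}

# Demo against the scratch copy: the MySQL client shows up in csf.allow (port
# 3306 only) and in csf.ignore, so LFD will leave it alone as well.
demo_dir=$(make_sample_csf_dir)
csf_where_ip 203.0.113.10 "$demo_dir"
rm -rf "$demo_dir"
```

On a real box run it as csf_where_ip 203.0.113.10 with no directory argument; an address that appears in csf.allow but not csf.ignore is exactly the case the Whitelisting section below describes, where LFD can still block it for login failures.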

Here is a full list of available CSF flags:

# csf
ConfigServer Security & Firewall (http://www.configserver.com/cp/csf/)
csf: v4.17
(c)2006, Way to the Web Limited (http://www.waytotheweb.com)

Usage: /usr/sbin/csf [option] [value]

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

Specs and WHM menu screenshots are available at the main site:

"ConfigServer Security & Firewall"

Removing Blocked IPs

The WHM "ConfigServer Security & Firewall" plugin offers both "Remove Deny" and "Temporary IP Bans". Removing the "deny" will not clear temporary IP bans (tempip).

This is also true for commandline options:

  • Removing a permanent deny:

csf --denyrm $IP

  • Removing a temporary ban:

csf --temprm $IP

Also check why the IP was blocked, so the user can avoid being blocked again.


Whitelisting IPs

CSF has two main files for whitelisting:

  • /etc/csf/csf.allow
  • /etc/csf/csf.ignore

However, they perform different functions. csf.allow is where you add an IP to be allowed through the firewall. If a user's IP is in csf.allow it can still be blocked for login failures by the login failure daemon (LFD). If you notice a user was blocked by LFD you need to add the IP to csf.ignore as well. With an IP listed in both of these places it will not be touched by CSF.

For more about LFD please see #LFD

Blacklisting/Whitelisting Entire Countries

CSF allows you to either blacklist or whitelist entire countries within the main csf.conf file. The CC_DENY and CC_ALLOW values let you add country codes so that an entire country will be blocked or allowed. However:


If you search for CC_DENY in /etc/csf/csf.conf you'll see where to add the two-letter country codes. It also gives an example of how to enter them. Here is the official list of country codes - http://www.iso.org/iso/country_names_and_code_elements

Allow only an IP to access a given port

In the allow list (csf.allow) you can add an IP and port to provide access even if it is closed. You would add an entry such as:


This would let that IP access port 3306 (mysql) even though the port isn't open in the firewall globally. This is also useful for security and PCI scans. It can also be used for someone who wants to lock down FTP access but still let trusted IPs reach FTP.

DoS Prevention

CSF has a few tweaks we can use to help prevent/mitigate mild DoS attacks. This is limited, and if the DoS attack is even close to large you should use other tools to help with this, such as our DoS Procedures wiki or possibly even our managed DoS service.

The first is to adjust the maximum number of connections per IP address. In /etc/csf/csf.conf search for the CT_LIMIT value. By default it is 0, which allows unlimited connections. Change this to 100, as there's really no reason an IP should be connecting that many times.

You can also specify the port that this protection works on with the CT_PORTS variable. Make sure to place the value in quotes, so your entry should look like:

CT_PORTS = "80"

You can also specify multiple ports with commas, just like the other CSF configuration lines. An example would be:

CT_PORTS = "80,25,110"

So, if you perform the above steps and the server reaches 100 established connections from an IP to Apache, SMTP, or POP, it is considered a DoS attack and that IP is blocked in the firewall.

CSF Installation


There are several reasons why you would replace APF with CSF. CSF is better at mitigating synfloods, DDoS attacks, and the general havoc that can be wrought upon a server through these issues.

However, there are many settings in csf that may need to be tweaked in order for it to work properly for a customer. MAKE SURE TO WARN THE CUSTOMER OF THIS BEFORE YOU SWITCH!!! Please look over the configuration VERY carefully before deciding to take the customer back to apf - chances are there is a setting that can be easily changed to remove any reported error. If you follow through with this wiki all the currently open ports and settings should transfer over smoothly to CSF, but there can still be problems with LFD that need to be resolved.

Now that those warnings are out of the way, here is an overview of the things that need to happen when installing CSF. They are each outlined below in their respective section.

Install perl-libwww-perl if needed
Move the old rules
Install CSF
Remove testing mode
Add Office & Monitoring ranges
Add Guardian services if needed (check customer's Billing)
Migrate the old blocked IPs
Migrate the old allowed IPs
Install CSF ModSec plugin
If this is not a shared server, install CSF Messenger (optional - only if the customer wants this)

The following is a link to the CSF readme file. It may be of great use in your troubleshooting.


You can either install CSF to work specifically with cPanel, or do a generic install for Core Managed customers.

Pre-Installation Check

Depending on the type of server you're working with, the perl module libwww-perl may need to be installed if it is not already there. Check whether it is installed with the following command:

yum list perl-libwww-perl

If it doesn't list that as an installed package, use one of the following two commands to install it:

yum install perl-libwww-perl
perl -MCPAN -e 'install Bundle::LWP'

Installing CSF with cPanel

Before installing you should remove APF. If it was installed via yum (most likely):

mkdir /home/OldAPFRules
chmod 700 /home/OldAPFRules
cp /etc/apf/* /home/OldAPFRules/
rpm -qa |grep apf
lpyum remove lp-apf
lpyum remove apf
yum remove lp-apf
yum remove apf

Depending on the CentOS release it could have been installed from source. If that is the case, remove it with these commands:

/etc/init.d/iptables stop
mkdir /home/OldAPFRules
chmod 700 /home/OldAPFRules
cp /etc/apf/*.rules /home/OldAPFRules/
rm -Rfv /etc/apf
rm -fv /etc/cron.daily/fw
chkconfig apf off
rm -fv /etc/init.d/apf

Then you can proceed with the installation:

cd /home/temp/
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
sh install.sh
/etc/init.d/csf restart

The cPanel installer script *should* autoconfigure the firewall to have cPanel ports open, but we'll check those for sure in just a bit.

After the installer completes, you will see output similar to the following:

TCP ports currently listening for incoming connections:
UDP ports currently listening for incoming connections:

Note: The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

That output is just giving you a list of ports that the CSF installer detected as having a service listening. You will want to add those ports to the appropriate TCP or UDP section in /etc/csf/csf.conf. Things such as an alternate SSH port should appear in this list.

Once you have added the ports and are confident the configuration is correct you'll need to edit the conf one last time to remove testing mode. It's the very first option in the conf (TESTING) - just change it from 1 to 0.

Please run the following commands to set up the standard RBLs. This will enable the Dshield and Spamhaus DROP lists and set the default refresh time to 1 day (86400 seconds):

perl -i -p -e 's/LF_DSHIELD = "0"/LF_DSHIELD = "86400"/g' /etc/csf/csf.conf
perl -i -p -e 's/LF_SPAMHAUS = "0"/LF_SPAMHAUS = "86400"/g' /etc/csf/csf.conf

Migrate the blocked IPs from the previous APF configuration

egrep "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" /home/OldAPFRules/deny_hosts.rules > /etc/csf/csf.deny

Migrate the allowed IPs from the previous APF configuration

egrep "\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" /home/OldAPFRules/allow_hosts.rules > /etc/csf/csf.allow
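The egrep in both migration commands prints whole lines, so anything on a line that contains a dotted quad is copied: trailing comments survive (harmless), but APF's advanced entries of the form tcp:in:d=PORT:s=IP (syntax assumed from APF's allow_hosts.rules, not quoted on this page) land in csf.deny or csf.allow in a colon form CSF does not parse, and a malformed address such as 999.1.2.3 can slip through because the regex only requires a valid quad somewhere on the line. The converter below, an added example that is not from the wiki page, keeps plain hosts and CIDR blocks, rewrites the advanced form to CSF's pipe-separated tcp|in|d=PORT|s=IP, and reports on stderr anything it dropped, so you can review the result before writing it to /etc/csf. The sample rules are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: translate APF host rules into CSF
# entries instead of copying matching lines verbatim. Plain hosts and CIDR
# blocks pass through, APF's "tcp:in:d=PORT:s=IP" (syntax assumed from APF's
# allow_hosts.rules) becomes CSF's "tcp|in|d=PORT|s=IP", everything else is
# reported on stderr and dropped.

# apf_to_csf -- APF rules on stdin, CSF entries on stdout, rejects on stderr.
apf_to_csf() {
    awk '
    BEGIN {
        oct  = "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
        # host or CIDR; written without {n} so older mawk also runs it
        ipre = "^" oct "\\." oct "\\." oct "\\." oct "(/[0-9][0-9]?)?$"
    }
    /^[[:space:]]*$/ { next }                 # blank line
    /^[[:space:]]*#/ { next }                 # comment line
    {
        line = $0
        sub(/[[:space:]]*#.*$/, "", line)     # strip trailing comment
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
    }
    line ~ ipre { print line; next }          # plain host/CIDR: same in CSF
    line ~ /^(tcp|udp):(in|out):d=[0-9]+:s=/ {
        split(line, f, ":")
        ip = f[4]; sub(/^s=/, "", ip)
        if (ip ~ ipre) { print f[1] "|" f[2] "|" f[3] "|s=" ip; next }
    }
    { print "dropped: " line > "/dev/stderr" }
    '
}

# sample_apf_rules -- constructed deny_hosts.rules content for the demo.
sample_apf_rules() {
    cat <<'EOF'
# deny_hosts.rules (constructed sample, not a real file)
192.0.2.44  # brute force, added by hand
203.0.113.0/24
tcp:in:d=22:s=198.51.100.7
999.1.2.3
EOF
}

# Demo: review the converted output before writing it to /etc/csf/csf.deny,
# e.g. apf_to_csf < /home/OldAPFRules/deny_hosts.rules >> /etc/csf/csf.deny
sample_apf_rules | apf_to_csf
```

Appending with >> rather than > keeps the header comments and any entries CSF already placed in the file.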

Add the Allowed Ports

These are the default ports that we have set up on all of our boxes, and this section is really just here for reference. The output from the CSF installation script mentioned above could be different, so please take care when adjusting this section in /etc/csf/csf.conf.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"

Plesk Ports

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306,6666,7786,8443,5224"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,5224"

Blocking or Unblocking Traceroute

You may find that traceroute is blocked when CSF is running (this appears to be the default). You can fix this by adding the appropriate UDP ports to the CSF configuration.


 # Allow incoming UDP ports
 UDP_IN = "33434:33523"

Add the Office and Monitoring Ranges.

Add the following range to the /etc/csf/csf.allow from this page: Internal IP Ranges


If the customer has Guardian, continue with the below steps. If not, skip down one section to CSF#Add_the_blocked_IPs_from_the_APF_install

CSF Guardian related items

Please see https://wiki.int.liquidweb.com/articles/Guardian_server_install#Customers_using_CSF
Please see this also https://wiki.int.liquidweb.com/articles/Guardian_Client_Setup#Server_environment_changes

Enabling and testing CSF

Even after all this work, CSF still isn't running. You would need to run the following command to restart CSF

/etc/init.d/csf restart

At this point it's a GREAT IDEA to open up another tab in shell and try and SSH into the server. This way if something is wrong with the firewall you still have access to the server through your open tab.

At this point, YOU HAVE CSF INSTALLED AND WORKING. There's still a few nice things we can do for customers though.

CSF ModSecurity Plugin

This plugin provides the fancy WHM interface that you/customers can use to easily edit the CSF configuration without going through command line. If you'd like to read more, information can be found at: http://www.configserver.com/cp/cmc.html

 cd /usr/local/src
 wget http://www.configserver.com/free/cmc.tgz
 tar -zxvf cmc.tgz
 cd cmc/
 sh install.sh

When this is complete you should see an option in WHM called "ConfigServer Security&Firewall" under Plugins.

CSF Messenger

This (completely 100% optional) tool offers a TEXT and HTML page to be displayed when a person is blocked in CSF. The actual pages and images that display can be found at /etc/csf/messenger and can be changed, but CSF will need to be restarted when changed.


1) Update CSF in the server to the latest version from your WHM if available - follow the #Updating CSF section to do this.

2) In command line, or the WHM CSF plug-in, open /etc/csf/csf.conf

3) Search for "MESSENGER" and change it to MESSENGER = "1" - this enables the functionality.

perl -i -p -e 's/MESSENGER = "0"/MESSENGER = "1"/g' /etc/csf/csf.conf

4) In command line add a user using the following command

useradd csf -s /bin/false

5) Restart both CSF and LFD to get this working.

/etc/init.d/csf restart
/etc/init.d/lfd restart

6) Test your work by having someone else in the office give you their IP, block them in CSF, restart CSF, and have them go to a page on the server. They should get the message from CSF indicating they are blocked.

7) Once you confirm this is working, unblock the test IP and you're all set.

README documentation is here: http://www.configserver.com/free/csf/readme.txt

CSF Generic installation

This section can be used to install CSF on a non-cPanel (core managed) server.

cd /home/temp/
wget http://www.configserver.com/free/csf.tgz
tar zxvf csf.tgz
cd csf
sh install.sh

After the installer runs, you will need to edit the /etc/csf/csf.conf config file: set the eth device (ETH_DEVICE), turn off testing mode (TESTING = "0"), and set the proper ports to be open or closed.

Once you have your config options all set, start the firewall:

/etc/init.d/csf restart

Updating CSF

Updating CSF is very easy - this also is set to run automatically every night in cron. If you need to do it manually, run this command:

csf -u

Updates failing

A customer may receive emails like this, or you may get this error when updating CSF manually:

Upgrading csf from v5.34 to 5.35...
Retrieving new csf package...
Oops: Unable to open /usr/src/csf.tgz.tmp: No such file or directory

The first thing to check is the folder path - it could be trying to download to a folder that doesn't exist. Try:

mkdir -p /usr/src/

Then try the manual update again to see if that resolves the issue.

Uninstalling CSF

Disable without uninstalling

To disable CSF without uninstalling it, simply touch csf.disable:

touch /etc/csf/csf.disable

and flush the existing rules:

csf -f

You should get a confirmation similar to this:

csf and lfd have been disabled, use 'csf -e' to enable

To re-enable CSF:

 csf -e

When you run this it will also reload the list of rules in the firewall, so you'll see them scroll by just as if you restart CSF normally.

Remove CSF

To remove the ConfigServer mail queues:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi 
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt 
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/

To remove ConfigServer Explorer:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi 
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt 

To uninstall ConfigServer Mail Manage:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi 
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt 
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/

To uninstall ConfigServer Firewall:


LFD

For more information about LFD in general, please see http://forum.configserver.com/viewtopic.php?f=6&t=2059

There are some LFD-specific configurations for CSF that you can take advantage of.

Whitelisting in LFD by default

If you always want IPs in csf.allow to be whitelisted in LFD as well, instead of having to add them to csf.ignore by hand, enable the IGNORE_ALLOW option in csf.conf. Make sure you restart both CSF and LFD after making this change.

Adjusting the block failure threshold

To view LFD's settings for when it is triggered, you need to search csf.conf for the specific flags for that specific service. For instance, if you want to modify the maximum number of attempts for SSH, you want LF_SSHD. If you want to alter this value for FTP, you want LF_FTPD, etc.

LFD Process Tracking Ignore List

1. If you're seeing spamd or any other processes being reported by LFD and you want to ignore it, the following can be added to /etc/csf/csf.pignore

cmd:spamd child

Then restart CSF and LFD.

2. If you're seeing awstats.pl being reported and want to ignore it, the following can be added to /etc/csf/csf.pignore:


Then restart CSF and LFD.

3. If you're seeing mailman being reported and want to ignore it, the following can be added to /etc/csf/csf.pignore:

pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*

Then restart CSF and LFD.

4. If you're seeing (deleted) processes being reported then you need to read the information provided in csf.conf for the PT_DELETED option. Currently this reads:

   # lfd will report processes, even if they're listed in csf.pignore, if they're
   # tagged as (deleted) by Linux. This information is provided in Linux under
   # /proc/PID/exe. A (deleted) process is one that is running a binary that has
   # the inode for the file removed from the file system directory. This usually
   # happens when the binary has been replaced due to an upgrade for it by the OS
   # vendor or another third party (e.g. cPanel). You need to investigate whether
   # this is indeed the case to be sure that the original binary has not been
   # replaced by a rootkit or is running an exploit.
   # To stop lfd reporting such process you need to restart the daemon to which it
   # belongs and therefore run the process using the replacement binary (presuming
   # one exists). This will normally mean running the associated startup script in
   # /etc/init.d/
   # If you don't want lfd to report deleted binary processes, set to 0
   PT_DELETED = "1"

If, for example, you still want to ignore pure-ftpd deleted executable reports, the following can be added to csf.pignore:


or, if you want to ignore all deleted executable processes, set the following in csf.conf:

PT_DELETED = "0"
In either case, restart CSF and LFD after making any changes.

However, be aware that deleted executable file names become more corrupted the longer the process is left running, so even the pure-ftpd part of the name may no longer match over time. This is how Linux handles processes whose executables no longer exist at the inode they were started from; lfd is simply reporting what it sees.


CSF Booleans versus Ranges

Some values in csf.conf are not Boolean 1s and 0s; they are intervals in seconds, "0" being disabled and "86400" one day. If you restart CSF and see messages similar to the following:

*WARNING* LF_SPAMHAUS sanity check. LF_SPAMHAUS = 1. Recommended range: 0|3600-604800 (Default: 0)
*WARNING* LF_BOGON sanity check. LF_BOGON = 1. Recommended range: 0|3600-604800 (Default: 0)
*WARNING* LF_DSHIELD sanity check. LF_DSHIELD = 1. Recommended range: 0|3600-604800 (Default: 0)

then you have made this mistake. All the values listed above as noted in csf.conf are intervals between loading new copies of various blacklists. Be aware!
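The sanity warnings above and the DoS settings earlier (CT_LIMIT, CT_PORTS) are both edits to csf.conf, and the perl one-liners used elsewhere on this page only fire while the value is still "0", so a second run silently does nothing. The helper below, an added example that is not from the wiki page, rewrites a key whatever its current value is, and then checks the interval keys against the 0|3600-604800 range CSF's own warning prints, so the Boolean-versus-interval mistake is caught before csf is restarted. It runs against a constructed csf.conf fragment passed as the CONF argument, never the live /etc/csf/csf.conf by default.

```shell
#!/bin/sh
# Added example, not from the wiki page: set a csf.conf key whatever its
# current value is, then sanity-check the interval keys before restarting CSF.
# The CONF argument points the demo at a constructed copy of csf.conf rather
# than the live /etc/csf/csf.conf.

# csf_set KEY VALUE CONF -- rewrite `KEY = "..."` in place (VALUE must not
# contain / or &, which holds for every port list and interval).
csf_set() {
    key=$1; val=$2; conf=$3
    grep -Eq "^${key} = \"[^\"]*\"" "$conf" || { echo "no such key: $key" >&2; return 1; }
    tmp=$(mktemp)
    sed -E "s/^(${key} = \")[^\"]*(\")/\1${val}\2/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# csf_get KEY CONF -- print the value between the quotes.
csf_get() {
    sed -nE "s/^${1} = \"([^\"]*)\".*/\1/p" "$2"
}

# Blacklist refresh intervals in seconds: "0" disables, otherwise CSF's own
# sanity check (the *WARNING* lines on the page) wants 3600-604800.
INTERVAL_KEYS="LF_SPAMHAUS LF_DSHIELD LF_BOGON"

# csf_check_intervals CONF -- one line per bad key; returns 1 if any is bad.
csf_check_intervals() {
    conf=$1; bad=0
    for k in $INTERVAL_KEYS; do
        v=$(csf_get "$k" "$conf")
        [ -n "$v" ] || continue
        case $v in
            0) ;;
            *[!0-9]*) echo "$k = \"$v\": not a number"; bad=1 ;;
            *) if [ "$v" -lt 3600 ] || [ "$v" -gt 604800 ]; then
                   echo "$k = \"$v\": outside 0|3600-604800 (a Boolean, not an interval)"; bad=1
               fi ;;
        esac
    done
    return "$bad"
}

# make_sample_conf -- constructed csf.conf fragment with the classic mistake.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TESTING = "1"
CT_LIMIT = "0"
CT_PORTS = ""
LF_SPAMHAUS = "1"
LF_DSHIELD = "0"
LF_BOGON = "0"
EOF
    echo "$f"
}

# Demo: apply the DoS settings from the page and catch the interval mistake.
demo_conf=$(make_sample_conf)
csf_set CT_LIMIT 100 "$demo_conf"
csf_set CT_PORTS "80,25,110" "$demo_conf"
csf_check_intervals "$demo_conf" || echo "fix the keys above before restarting csf"
csf_set LF_SPAMHAUS 86400 "$demo_conf"
csf_check_intervals "$demo_conf" && echo "intervals OK"
rm -f "$demo_conf"
```

Run csf_check_intervals /etc/csf/csf.conf before every csf restart; a clean exit means the three blacklist intervals are either off or within the range CSF accepts.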