ConfigServer Firewall setup

Install and configure ConfigServer firewall for your server.

ConfigServer Firewall setup

CSF installation on servers with cPanel

SSH onto the box and sudo as root, execute the following commands to download and install:


tar -xzf csf.tgz

cd csf


This will take care of installing the firewall, now for the configuration. PS: leave your ssh connection opened since it will be required again.

Login to the box whm console and search for firewall, from here we go to Firewall configuration.

Configuration - ports and settings

Change the TESTING from 1 to a 0 - this will disable the testing mode, we need to be really careful with what other settings we change because we might get our selfs locked out of the box

Switch to IPv4 Settings and add the following to TCP_IN and TCP_OUT


5666 - is the nagios NRPE port to allow the server to be monitored via Nagios

The range 30000:50000 will be used by pure-ftpd to allow ftp connections to the server

Once this is done we save the settings.

Configuration - protection profile

From the main firewall screen we now go to Firewall Profiles Here we need to activate the protection_medium profile. We use the medium one because the high security profile will generate a large number of false-positives and it will block normal users.

Configuration - pure ftpd

We go back into the ssh console and edit the /etc/pure-ftpd.conf with our favourite editor and uncomment the line

PassivePortRange 30000 50000

Save the file and restart the service either through WHM or from ssh.

Install on server without cPanel

On Centos minimal you need to run

yum install perl-libwww-perl

On Ubuntu run

apt-get install libwww-perl

Follow the installation steps above.

in the terminal run

csf --profile apply protection_medium

If the server is monitored using nagios nrpe we need to add the 5666 port to TCP_IN and TCP_OUT for both IPv4 and IPv6 in /etc/csf/csf.conf5) restart csf and lfd services and test the configuration, if everything is okay proceed, if connection is lost, wait 5 minutes for the cron to clear the iptables rules

csf -ra

edit again /etc/csf/csf.conf and disable testing mode - only do this if you are sure the configuration works, you might get locked out of the server7) restart csf and lfd

Quick commands

Quick ip block csf -d [comment]

Quick ip allow csf -a [comment]

Quick ip unblock csf -dr [comment]

Search for an IP csf -g

More information about this firewall can be found at