How to Install and Configure CSF (Config Server Firewall)

Installation Process of CSF

cd /usr/src
rm -fv csf.tgz
tar -xzf csf.tgz
cd csf

If you are using UFW like other firewall configuration scripts, you need to disable it before proceeding further. Iptables rules are automatically removed.

You can disable the UFW, by running the following command:

ufw disable

Moving ahead, you need to execute the CSF’s installer script.

cd csf


The firewall is now installed, but you need to verify if the required iptables modules are available.

perl /usr/local/csf/bin/

If no lethal errors are reported, firewall will work effectively.

Basic Configuration

You can configure CSF by editing its configuration file csf.conf in /etc/csf:

nano /etc/csf/csf.conf

The changes can be applied by using the command:

csf -r

Step – 1: Configuring different ports

The less access your VPS has, the more protected your server is. Nevertheless, all ports cannot be closed, as the clients must be able to use your services.

The ports that are opened by default are:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443"

UDP_IN = "20,21,53"

UDP_OUT = "20,21,53,113,123"

Services using the open ports:

  • Port 20: FTP data transfer
  • Port 25: Simple mail transfer protocol (SMTP)
  • Port 53: Domain name system (DNS)
  • Port 80: Hypertext transfer protocol (HTTP)
  • Port 123: Network time protocol (NTP)
  • Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
  • Port 587: E-mail message submission (SMTP)
  • Port 993: Internet message access protocol over SSL (IMAPS)

It may be possible that you are not taking use of all of these services, so you can close the ports that are currently not in use. It is, usually, recommended to close all the ports and add only those that are required.

Step – 2: Additional Settings

CSF offers a large number of multiple options in its configuration files. Out of this large number, some of the most commonly used settings are illustrated in detail here:

  • ICMP_IN Setting: ICMP_IN to 1 permits ping to your server, while 0 refuses such requests. In case of hosting any public services, it is suggested to allow ICMP requests, as these can be used to identify whether your service is available to use.
  • ICMP_IN_LIMIT: It sets the number of ping requests that are allowed from one IP address within a defined time limit. Usually, it is not required to change the default value i.e. 1/s.
  • DENY_IP_LIMIT: It sets the number of blocked IP addresses that CSF is tracking. It is also recommended to restrict the number of repudiated IP addresses, because having a lot of blocks may hold back the performance of the server.
  • DENY_TEMP_IP_LIMIT: It sets the number of temporarily blocked IP addresses that CSF is tracking.
  • PACKET_FILTER: It filters undesirable, invalid and illegal packets.
  • SYNFLOOD, SUNFLOOD_RATE and SYNFLOOD_BURST: It provides protection against SYN flood attacks; but, it will also decelerate the initialization of every connection. Therefore, you need to enable this only if you are aware that your server is under attack.
  • CONNLIMIT: It restricts the number of concurrent active connections on port.
  • PORTFLOOD: It restricts the number of connections per time interval, so that new connections can be made to specific ports.

Step – 3: Application of the Changes

If you are altering the settings in csf.conf, you need to save the files and restart CSF, so that the changes show their effect.

Once you are ready with the configuration, you need to close the file through Ctrl + X command. When you are asked whether you have saved the changes, press ‘Y’ to save the changes.

After this, you need to apply the changes by restarting CSF, using command:

csf –r

If everything went like planned, and you are still able to access the server, open the configuration file once more:

nano /etc/csf/csf.conf

,and change the setting TESTING at the start of the configuration file to 0 as stated here: TESTING = "0"

Moreover, save the file, and apply the changes using command: csf –r

Consenting and Blocking IP Addresses

Blocking certain IP addresses is one of the most features of a firewall. You may blacklist (restrict), allow (whitelist) or ignore IP addresses by editing the configuration files csf.deny, csf.allow and csf.ignore.

Allowing IP Addresses

If you want an IP address to be excluded from all types of filters or blocking, you can add them to csf.allow file. IP addresses that are allowed can even be accessed, if they are apparently blocked in csf.deny file.

Blocking IP Addresses

If you would like to block an IP address or ranges, open csf.deny.

nano /etc/csf/csf.deny

IP ranges are represented using the CIDR notation.

Ignoring IP Addresses

CSF also comes included with one feature that is excluding IP addresses from the firewall filters. IP addresses in csf.ignore will bypass the firewall filters, and can only be blocked if listed in csf.deny file.

Was this answer helpful?

 Print this Article

Also Read

How To Install Plesk on Centos

Step 1: Install all necessary packages (for CentOS)   yum install wget Step 2: Start Plesk...

How To Create SSL Certificate on Nginx for Ubuntu 14.04

Prerequisites Before starting, you need to setup some basic things on your server. Firstly, you...

How to Install MySQL Server on CentOS

Here, we will illustrate the basic installation of MySQL database server on CentOS Linux. Note:...

Powered by WHMCompleteSolution