CSF firewall (ConfigServer Security & Firewall) is a robust, iptables/nftables based security suite for Linux servers. It combines a stateful firewall with login/brute force detection (via the LFD daemon), rate limiting, port flood control, and easy allow/deny lists.
CSF simplifies server hardening, integrates with popular control panels, and helps block malicious traffic before it reaches applications.
In this guide, you’ll understand how the CSF firewall works on a Linux server, how to install and configure it, must‑know commands, best practices, and practical examples from real hosting environments.
Whether you run a VPS or a dedicated machine, CSF offers a beginner friendly path to better security.
What is CSF (ConfigServer Security & Firewall)?
CSF is a comprehensive firewall and intrusion prevention system for Linux. Under the hood, it manages iptables (legacy) or nftables rules and pairs them with the Login Failure Daemon (LFD), which watches system logs for suspicious behavior.
When LFD detects brute-force attempts or floods, it can automatically block offending IPs temporarily or permanently.
Key highlights:
- Easy rule management using allow/deny lists, connection limits, and port flood protection.
- Log-driven detection via LFD for SSH, mail, FTP, cPanel/DirectAdmin, and more.
- Works with cPanel, DirectAdmin, Webmin, and standalone Linux servers.
- Supports both IPv4 and IPv6, country-based blocks (GeoIP), and external blocklists.
Why Use the CSF Firewall on a Linux Server?
Compared to managing raw iptables/nftables, CSF provides a cleaner interface, safer defaults, and lots of ready-made protections.
You’ll get:
- Quick hardening: sensible defaults, minimal open ports.
- Brute-force protection: automatic blocking of repeated login failures.
- Rate limiting: stop port floods and connection abuse without touching application code.
- Observability: clear logs, alerts, and search commands for troubleshooting.
- Panel integration: GUI management on popular hosting panels.
How CSF Works: Firewall + LFD Architecture
CSF manages kernel-level packet filtering using iptables (or nftables via iptables compatibility). It enforces inbound/outbound port rules, connection counts, and flood limits.
LFD continuously parses logs (e.g., SSH, Exim, Dovecot, PAM) and reacts to suspicious events by adding IPs to a deny list, often starting with temporary blocks and escalating to permanent blocks if abuse continues.
A typical flow:
- Traffic hits the server and is evaluated by kernel firewall rules installed by CSF.
- LFD watches authentication logs; repeated failures trigger an automated block.
- Admin IPs can be allowlisted to prevent accidental lockouts.
- Rate limits and connection tracking prevent floods and excessive concurrent connections.
Prerequisites and Installation (Ubuntu/Debian/AlmaLinux/Rocky/CentOS)
Before installing CSF, ensure you have console/serial access in case of misconfiguration. If using a panel (cPanel/DirectAdmin), install CSF via the panel’s recommended method or repository.
1. Prepare the server
# RHEL/AlmaLinux/Rocky
sudo dnf update -y
sudo dnf install -y perl wget tar
# Stop other firewalls to avoid conflicts (you can migrate rules later)
sudo systemctl stop firewalld 2>/dev/null || true
sudo systemctl disable firewalld 2>/dev/null || true
# Ubuntu/Debian
sudo apt update
sudo apt install -y perl wget tar
# If UFW is enabled, disable it (optional if you plan to replace with CSF)
sudo ufw disable
2. Download and install CSF
cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
# Test required iptables/nftables modules
sudo /usr/local/csf/bin/csftest.pl
If csftest reports OK, proceed. CSF installs two services: csf (rules) and lfd (Login Failure Daemon).
3. Initial configuration and testing mode
By default, CSF starts in TESTING mode so you don’t lock yourself out. Edit the main config and set your essential ports before disabling testing:
sudo nano /etc/csf/csf.conf
# Recommended essentials:
# TESTING = "1" <-- keep this until you confirm connectivity
# TCP_IN = "22,80,443"
# TCP_OUT = "80,443,53"
# UDP_IN = "53"
# UDP_OUT = "53,123"
# IPV6 = "1" (if you use IPv6)
# RESTRICT_SYSLOG = "3"
# Then restart CSF/LFD to apply
sudo csf -r
sudo systemctl restart lfd
4. Disable testing mode when ready
Once you confirm SSH/HTTP/HTTPS access works, set TESTING = "0" and reload:
sudo sed -i 's/^TESTING = "1"/TESTING = "0"/' /etc/csf/csf.conf
sudo csf -r
sudo systemctl enable --now lfd
Essential CSF Configuration (csf.conf)
Use the main configuration file at /etc/csf/csf.conf. Below are common, secure defaults to adapt to your stack (web, email, DNS, control panel):
# Core
TESTING = "0"
IPV6 = "1"
RESTRICT_SYSLOG = "3"
# Inbound/Outbound ports (adjust to your services)
TCP_IN = "22,80,443"
TCP_OUT = "80,443,53"
UDP_IN = "53"
UDP_OUT = "53,123"
# Brute-force detection (LFD)
# Number of failed SSH logins before LFD blocks the source IP
LF_SSHD = "5"
# Global trigger: 0 uses the per-service counts (LF_SSHD, LF_SMTPAUTH, ...);
# a non-zero value applies this one threshold to every LF_* check instead
LF_TRIGGER = "5"
# Escalate repeat offenders from temporary to permanent blocks
LF_PERMBLOCK = "1"
# Interval (seconds) at which LFD scans /tmp and /dev/shm for suspicious files
LF_DIRWATCH = "300"
# Connection tracking & flood controls
# Max concurrent connections from a single IP before it is blocked
CT_LIMIT = "150"
CT_INTERVAL = "30"
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
# Port flood & connection limits (examples)
PORTFLOOD = "80;tcp;40;5,443;tcp;40;5"
CONNLIMIT = "22;5,80;50,443;50"
# Optional: Country blocks (GeoIP must be configured)
# CC_DENY = "CN,RU"
# CC_ALLOW = ""
# Alerts
# LF_ALERT_TO = "you@example.com"
Open only the ports you actually use. For example, cPanel servers typically need 2083/2087, mail servers need 25/465/587/993/995, and DNS uses 53. After any change, run csf -r to reload.
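Before flipping TESTING from "1" to "0" (step 4 above) and reloading, it is worth checking mechanically that the SSH port is actually in TCP_IN, because that is the mistake behind most lockouts. The script below is an added example, not part of the CSF project: it parses a csf.conf-style file, checks a port against the comma-separated list (single ports and low:high ranges, as CSF accepts), and only then rewrites TESTING. The function names, the default port 22 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the CSF project: a pre-flight check to run before
# flipping TESTING from "1" to "0". It reads a csf.conf-style file and confirms
# the SSH port is in TCP_IN, so reloading cannot lock you out.
# Function names, the default port 22 and the file paths are assumptions.

# csf_get_value FILE KEY: print the value of the first uncommented `KEY = "value"`
csf_get_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_port_in_list PORT LIST: succeed if PORT is in a csf port list such as
# "22,80,443,2000:2010" (single ports or low:high ranges, comma separated)
csf_port_in_list() {
    port=$1
    saved_ifs=$IFS
    IFS=','
    for item in $2; do
        case $item in
            *:*)
                low=${item%%:*}
                high=${item##*:}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                    IFS=$saved_ifs
                    return 0
                fi
                ;;
            *)
                if [ "$item" = "$port" ]; then
                    IFS=$saved_ifs
                    return 0
                fi
                ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# csf_preflight FILE [SSH_PORT]: succeed only when the SSH port is in TCP_IN
csf_preflight() {
    conf=$1
    ssh_port=${2:-22}
    tcp_in=$(csf_get_value "$conf" TCP_IN)
    if ! csf_port_in_list "$ssh_port" "$tcp_in"; then
        echo "UNSAFE: SSH port $ssh_port is not in TCP_IN=\"$tcp_in\"; fix csf.conf first" >&2
        return 1
    fi
    echo "OK: SSH port $ssh_port is in TCP_IN=\"$tcp_in\" (TESTING is \"$(csf_get_value "$conf" TESTING)\")"
}

# csf_leave_testing FILE [SSH_PORT]: run the check, then set TESTING = "0"
# (portable equivalent of the sed -i one-liner; run csf -r afterwards)
csf_leave_testing() {
    conf=$1
    csf_preflight "$conf" "${2:-22}" || return 1
    sed 's/^TESTING = "1"/TESTING = "0"/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Stand-alone usage (assumed paths): sh csf_preflight.sh /etc/csf/csf.conf 22
if [ "$#" -ge 1 ]; then
    csf_preflight "$1" "${2:-22}"
fi
```

If sshd listens on a non-default port, pass that port as the second argument; the check refuses to touch the file when the port is missing, and it leaves the rest of csf.conf untouched.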
Managing Allow/Block Lists
CSF stores IP lists here:
- /etc/csf/csf.allow – allowlist (never block these)
- /etc/csf/csf.deny – permanent deny list
- /etc/csf/csf.ignore – LFD will ignore these IPs/users
# Allowlist your office IP (prevents lockouts)
sudo csf -a 203.0.113.10 "office"
# Deny a bad IP temporarily (1 hour)
sudo csf -td 198.51.100.25 3600 "ssh brute force"
# Remove a deny/allow
sudo csf -dr 198.51.100.25
sudo csf -ar 203.0.113.10
# Search for an IP across rules
sudo csf -g 198.51.100.25
# List current rules
sudo csf -l
Note: To open or close ports, edit csf.conf (TCP_IN/TCP_OUT/UDP_IN/UDP_OUT) rather than using allow/deny IP lists.
Common CSF Commands You’ll Use Often
- csf -e: Enable CSF
- csf -x: Disable CSF (leaves LFD running)
- csf -r: Reload rules after configuration changes
- systemctl restart lfd: Restart LFD daemon
- csf --temp: View temporary blocks
- tail -f /var/log/lfd.log: Watch LFD activity in real time
Best-Practice Hardening Tips
- Allowlist your admin IPs first to avoid lockouts.
- Keep only necessary ports open; close unused services at the application/service level.
- Enable RESTRICT_SYSLOG=3 to limit log access and reduce abuse.
- Tune CT_LIMIT, PORTFLOOD, and CONNLIMIT for your traffic profile (e.g., higher values for busy WooCommerce stores).
- Use temporary bans first to analyze false positives, then escalate to permanent bans.
- Rotate logs and monitor LFD alerts to spot attack patterns early.
- Test GeoIP blocks carefully; country blocks can cause legitimate user issues.
- If you use a CDN or reverse proxy, consider allowlisting its IP ranges and rate-limiting at the edge, too.
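Watching /var/log/lfd.log with tail shows events one at a time; to "analyze false positives before escalating" you want them aggregated per IP and per trigger. The script below is an added example, not part of the CSF project: it counts LFD block events per source IP and trigger tag and lists repeat offenders that cross a threshold. The sample lines are constructed to approximate LFD's log format; the function names and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the CSF project: summarise LFD block events from
# /var/log/lfd.log so repeat offenders and noisy triggers stand out before you
# decide whether to escalate a temporary ban to a permanent one (LF_PERMBLOCK).
# The sample lines below are constructed to approximate LFD's log format; the
# function names and the log path are assumptions.

# lfd_write_sample FILE: write constructed sample log lines to FILE
lfd_write_sample() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 host lfd[2311]: (sshd) Failed SSH login from 198.51.100.25 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 10 12:05:44 host lfd[2311]: (smtpauth) Failed SMTP AUTH login from 203.0.113.77 (DE/Germany/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Jan 10 12:09:10 host lfd[2311]: (sshd) Failed SSH login from 198.51.100.25 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 10 12:20:00 host lfd[2311]: Temporary block for 203.0.113.77 expired and was removed
Jan 10 12:31:37 host lfd[2311]: (ftpd) Failed FTP login from 192.0.2.9 (FR/France/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
EOF
}

# lfd_block_summary FILE: print "count ip trigger", most frequent first
lfd_block_summary() {
    awk '
        /\*Blocked in csf\*/ {
            ip = ""; trigger = ""
            # the offending IP is the token after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # the trigger is the bracketed tag at the end of the line
            if (match($0, /\[[A-Z_]+\]$/)) trigger = substr($0, RSTART + 1, RLENGTH - 2)
            if (ip != "") count[ip " " trigger]++
        }
        END { for (key in count) print count[key], key }
    ' "$1" | sort -rn
}

# lfd_repeat_offenders FILE MIN: IPs blocked at least MIN times (any trigger)
lfd_repeat_offenders() {
    lfd_block_summary "$1" | awk -v min="$2" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] >= min) print ip }
    ' | sort
}

# Stand-alone usage (assumed path): sh lfd_summary.sh /var/log/lfd.log 3
if [ "$#" -ge 1 ]; then
    lfd_block_summary "$1"
    echo "--- blocked at least ${2:-3} times ---"
    lfd_repeat_offenders "$1" "${2:-3}"
fi
```

An IP that appears once under LF_SSHD may be a mistyped password from a colleague; one that appears repeatedly across triggers is a candidate for csf -d, while a known admin address turning up in the list is a sign it belongs in csf.allow or csf.ignore instead.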
Troubleshooting CSF and LFD
- Accidental lockout: if you still have console access, run csf -x to disable; fix rules, allowlist your IP, then csf -e.
- No connectivity after enabling: ensure your SSH port is included in TCP_IN and your web ports in TCP_IN/TCP_OUT; reload CSF.
- Firewall conflicts: stop/disable firewalld or UFW if CSF is your primary firewall.
- Missing kernel modules: run /usr/local/csf/bin/csftest.pl and install required packages; ensure iptables/nftables is available.
- NAT/Cloud networking: verify the correct network interface and that your provider’s security groups permit the same ports.
- Debugging: check /var/log/lfd.log and /var/log/messages or /var/log/syslog for clues; use csf -g <IP> to locate matched rules.
CSF vs. Fail2ban, UFW, and Firewalld
- CSF vs Fail2ban: Both watch logs and block attackers. CSF bundles firewall management + LFD in one tool; Fail2ban typically works alongside UFW/iptables. CSF offers a broader, integrated suite with simpler port and limit controls.
- CSF vs UFW/Firewalld: UFW/Firewalld are primarily rule managers. CSF adds intrusion prevention, rate limiting, flood control, and hosting-panel integration.
Real World Use Cases and Example Port Sets
- WordPress-only server: open 22, 80, 443. Add PORTFLOOD on 80/443 and CONNLIMIT on 22. Consider a CDN and WAF at the edge for DDoS mitigation.
- cPanel hosting: 22, 80, 443, 2083, 2087, 21 (if FTP), email ports (25/465/587/993/995), 53 for DNS. Monitor LFD for mail auth abuse.
- Mail relay: 22, 25/465/587, 993/995, 53. Tighten CT_LIMIT and watch for SMTP auth brute-force.
- SFTP-only node: 22 with CONNLIMIT and stricter LF_SSHD thresholds; disable all web ports.
Security and Performance Considerations
- DDoS reality check: CSF can rate-limit and block obvious abusers but won’t stop large volumetric attacks. Use upstream protection (CDN/WAF, provider-level filters) for serious DDoS.
- Keep overhead low: reasonable limits (CT_LIMIT, PORTFLOOD) protect services without harming legitimate traffic.
- Outbound controls: restrict TCP_OUT/UDP_OUT to reduce malware exfiltration risk.
- IPv6 parity: mirror IPv4 rules for IPv6 if IPV6=1 is enabled.
- Change management: document rules, use version control for configs in teams, and apply changes during maintenance windows.
FAQ’s: CSF Firewall on Linux Server
Is CSF a firewall or just a GUI?
CSF is a full firewall management suite that configures iptables/nftables rules and includes LFD for intrusion prevention. While it offers GUIs in hosting panels, it’s not just a front end—its features go far beyond a simple rule editor.
Does CSF work with nftables?
Yes. On modern distributions, CSF can operate via iptables compatibility layers over nftables. You don’t need to retool your workflow—CSF abstracts the underlying packet filter and manages the rules for you.
How do I open a port in CSF?
Edit /etc/csf/csf.conf and add the port to TCP_IN (inbound) or TCP_OUT (outbound), then reload:
sudo nano /etc/csf/csf.conf
# Add e.g. 8080 to TCP_IN
TCP_IN = "22,80,443,8080"
sudo csf -r
How do I remove a block or unblock my IP?
First, search for your IP:
sudo csf -g <your-ip>
If it’s on the deny list, remove it and reload:
sudo csf -dr <your-ip>
sudo csf -r