To set up CSF (ConfigServer Security & Firewall) on a Linux server, remove conflicting firewalls, install dependencies, download and install CSF, configure allowed ports in /etc/csf/csf.conf, disable TESTING mode, then enable and restart CSF/LFD. Finally, verify rules and log activity to ensure services work and your server is protected.
In this guide, you’ll learn how to set up CSF Firewall on a Linux server the right way, from clean installation to secure configuration and troubleshooting. We’ll cover Ubuntu/Debian and CentOS/RHEL/AlmaLinux/Rocky Linux steps, practical commands, and best practices I use when hardening production servers.
What Is CSF Firewall and Why Use It?

CSF (ConfigServer Security & Firewall) is an advanced Linux firewall and intrusion prevention system that manages iptables rules and includes LFD (Login Failure Daemon) to block brute-force attacks. Compared to basic firewalls, CSF adds rate limiting, login monitoring, email alerts, and per-service protections—all with simple, readable configuration.
It’s popular on web servers (with or without cPanel/DirectAdmin) because it’s easy to audit, stable under load, and production-proven for hosting workloads.
Prerequisites and Supported Distros
- Root or sudo access to your Linux server
- Supported OS: Ubuntu/Debian, CentOS 7, RHEL 7/8/9, AlmaLinux/Rocky Linux 8/9
- iptables or iptables-nft packages available
- Port 22 (or your custom SSH port) allowed while configuring
Tip: Keep a console or out-of-band access (VNC/KVM/Hypervisor console) open while enabling CSF to prevent accidental lockouts.
Step-by-Step: Install CSF Firewall on Linux
1) Prepare your server
Update packages and stop any other firewall managers (UFW or firewalld). Running multiple firewalls causes conflicts and dropped connections.
# Ubuntu/Debian
sudo apt update && sudo apt -y upgrade
sudo ufw disable || true
sudo systemctl stop firewalld 2>/dev/null || true
sudo systemctl disable firewalld 2>/dev/null || true
# CentOS/RHEL/AlmaLinux/Rocky
sudo yum -y update || sudo dnf -y upgrade
sudo systemctl stop firewalld || true
sudo systemctl disable firewalld || true
2) Install required packages
CSF is written in Perl and controls iptables. Install the required dependencies.
# Ubuntu/Debian
sudo apt install -y wget curl perl libwww-perl liblwp-protocol-https-perl iptables
# CentOS/RHEL/AlmaLinux/Rocky
sudo yum install -y wget curl perl iptables-services || sudo dnf install -y wget curl perl iptables-services
3) Download and install CSF
Use the official bundle, extract, and run the installer.
cd /usr/src
sudo wget https://download.configserver.com/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
4) Verify kernel/iptables support
Confirm your system supports the required iptables modules.
sudo perl /usr/local/csf/bin/csftest.pl
If you see “RESULT: csf should function on this server,” you’re good to proceed. If not, install/update iptables packages or reboot to load modules.
Basic CSF Configuration (Allow Ports, Disable Testing Mode)
Edit csf.conf essentials
By default CSF runs in TESTING mode and won’t load persistent rules. Open the main config and adjust key options.
sudo nano /etc/csf/csf.conf
Recommended baseline (adjust to your services and SSH port):
# Disable testing when ready
TESTING = "0"
# Common inbound ports (edit to match your stack)
TCP_IN = "22,80,443,25,465,587,110,143,993,995"
UDP_IN = "53,123"
# Common outbound ports (package repos, DNS, NTP, SMTP as needed)
TCP_OUT = "80,443,25,465,587,110,143,993,995,20,21,22,53"
UDP_OUT = "53,123"
# Security hardening
RESTRICT_SYSLOG = "3"
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
# Connection Tracking (limit abusive connections)
CT_LIMIT = "100"
CT_INTERVAL = "30"
CT_PERMANENT = "1"
CT_PORTS = "80,443,21,22"
Mail alerts are useful in production. Set an email for LF_ALERT_TO and ensure your server can send mail (Postfix or an SMTP relay).
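A pre-flight check for the baseline above, as an added example that is not part of CSF or of the original guide: it reads a csf.conf plus the output of ss -Htln and flags an SSH port missing from TCP_IN, TESTING left on, and public listeners that TCP_IN would block. The function names and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of CSF): pre-flight check of a csf.conf before enabling it.

# Value of KEY in a csf.conf-style file, where settings look like: KEY = "value"
conf_get() {  # usage: conf_get KEY FILE
    sed -n "s/^${1}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if PORT is covered by a CSF port list such as "22,80,30000:35000".
port_allowed() {  # usage: port_allowed PORT LIST
    for entry in $(echo "$2" | tr ',' ' '); do
        case $entry in
            *:*) [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$entry" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# Ports with a non-loopback TCP listener, parsed from `ss -Htln` output on stdin.
public_listeners() {
    awk '{ addr = $4; port = addr; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
           if (addr !~ /^(127\.|\[::1\])/) print port }' | sort -un
}

# Print one finding per line; return non-zero if any FAIL or WARN was raised.
preflight() {  # usage: preflight CSF_CONF SSH_PORT SS_OUTPUT_FILE
    tcp_in=$(conf_get TCP_IN "$1"); rc=0
    port_allowed "$2" "$tcp_in" || { echo "FAIL: SSH port $2 is not in TCP_IN"; rc=1; }
    [ "$(conf_get TESTING "$1")" = "0" ] || { echo "WARN: TESTING is not \"0\""; rc=1; }
    listeners=$(public_listeners < "$3")
    for p in $listeners; do
        port_allowed "$p" "$tcp_in" || { echo "WARN: listener on $p is not in TCP_IN"; rc=1; }
    done
    for open in $(echo "$tcp_in" | tr ',' ' '); do
        case $open in *:*) continue ;; esac   # ranges are not checked port by port
        echo "$listeners" | grep -qx "$open" || echo "INFO: TCP_IN opens $open, nothing listens"
    done
    return $rc
}

# Constructed sample input, not taken from a real host.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "22,80,443,25,30000:30010"' > "$tmp/csf.conf"
printf 'LISTEN 0 128 %s 0.0.0.0:*\n' 0.0.0.0:2222 '[::]:443' 0.0.0.0:80 \
    127.0.0.1:3306 0.0.0.0:30005 > "$tmp/ss.txt"
preflight "$tmp/csf.conf" 2222 "$tmp/ss.txt" || true
```

On a real server, pass /etc/csf/csf.conf, the port sshd listens on, and a file holding the output of ss -Htln.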
Enable and start CSF/LFD
After saving csf.conf, enable CSF and its login failure daemon.
sudo csf -e # enable CSF
sudo systemctl enable lfd
sudo systemctl start lfd
sudo csf -l # list current rules
Keep your SSH session open. Test connectivity to your web/mail/DB ports from another terminal before closing the session.
Open/Close Ports and Manage IPs
Common port examples
To permanently allow or remove a port, edit /etc/csf/csf.conf and reload CSF.
# Example: allow HTTP/HTTPS and SSH on custom port 2222
TCP_IN = "2222,80,443"
sudo csf -r # reload after saving
Alternatively, use temporary allows while testing:
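# Allow one IP to reach port 2222 for 3600 seconds while testing
# Syntax: csf --tempallow ip ttl [-p port] [-d direction]; -d is the direction (in/out/inout), not a duration
sudo csf --tempallow 203.0.113.10 3600 -p 2222 -d in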
Allow, Deny, and Unblock IPs
CSF offers simple commands and flat files for IP management.
- Whitelist (allow through firewall): sudo csf -a 203.0.113.10 or add to /etc/csf/csf.allow
- Blacklist (block completely): sudo csf -d 203.0.113.10 "Abuse" or add to /etc/csf/csf.deny
- Remove from deny: sudo csf -dr 203.0.113.10
- Ignore from LFD tracking: add to /etc/csf/csf.ignore
Reload rules after changes when using the files approach: sudo csf -r.
Useful CSF and LFD Commands
- Enable/disable CSF: csf -e / csf -x
- Start/stop/reload: csf -s / csf -f / csf -r
- List rules: csf -l
- Temporary allow/deny: csf --tempallow IP TTL / csf --tempdeny IP TTL
- Watch logs for LFD: tail -f /var/log/lfd.log
- Service status: systemctl status lfd
Security Hardening Tips with CSF
- Lock down SSH: move SSH to a high, random port and reflect it in TCP_IN. Set LF_SSHD = "5" and LF_SSHD_PERM = "1" to block repeated failures.
- Limit connection floods: enable SYNFLOOD and set appropriate CT_LIMIT for web-heavy servers.
- Restrict outbound traffic: allow only required TCP_OUT and UDP_OUT, reducing malware exfiltration risk.
- Harden syslog access: RESTRICT_SYSLOG = "3" to prevent non-root reads.
- Use country blocks selectively: GeoIP can be enabled but can add overhead; use for high-risk regions only.
- Audit regularly: review /var/log/lfd.log and rotate logs. Spot patterns and tune thresholds.
- Backups and config versioning: keep a copy of /etc/csf/csf.conf and related files in version control or snapshots.
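One way to spot patterns in /var/log/lfd.log when tuning thresholds, as an added example that is not part of CSF or of the original guide: it counts blocks per trigger and lists addresses that were blocked repeatedly. The sample log lines are constructed and their layout is an assumption, so adjust the patterns to what your lfd.log actually contains.

```shell
#!/bin/sh
# Added example (not part of CSF): summarise LFD blocks to guide threshold tuning.

# Emit "TRIGGER IP" for each block on stdin. Assumed layout: the line contains
# "Blocked in csf", the offending IPv4 address, and ends with "[TRIGGER]".
lfd_blocks() {
    awk '/Blocked in csf/ {
        ip = ""; trig = ""
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) ip = substr($0, RSTART, RLENGTH)
        if (match($0, /\[[A-Z0-9_]+\]$/)) trig = substr($0, RSTART + 1, RLENGTH - 2)
        if (ip != "" && trig != "") print trig, ip
    }'
}

# "COUNT TRIGGER" per csf.conf setting that fired, busiest first.
blocks_per_trigger() {
    lfd_blocks | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "COUNT IP" for addresses blocked at least MIN times (repeat offenders).
repeat_offenders() {  # usage: repeat_offenders MIN < lfd.log
    lfd_blocks | awk -v min="$1" '{ n[$2]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Constructed sample lines, not taken from a real lfd.log.
sample_log() {
    cat <<'EOF'
Jan 10 02:00:01 web1 lfd[1201]: daemon started on web1
Jan 10 03:12:45 web1 lfd[1201]: (sshd) Failed SSH login from 198.51.100.23 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 10 03:40:02 web1 lfd[1201]: (smtpauth) Failed SMTP AUTH login from 203.0.113.77 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Jan 10 04:15:10 web1 lfd[1201]: (sshd) Failed SSH login from 198.51.100.23 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 10 04:20:31 web1 lfd[1201]: (sshd) Failed SSH login from 192.0.2.14 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 10 04:55:09 web1 lfd[1201]: (smtpauth) Failed SMTP AUTH login from 203.0.113.77 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Jan 10 05:01:33 web1 lfd[1201]: (CT) IP 198.51.100.23 (-) found to have 132 connections - *Blocked in csf* [CT_LIMIT]
EOF
}

sample_log | blocks_per_trigger   # which thresholds fire most often
sample_log | repeat_offenders 2   # addresses that keep coming back
```

A trigger that dominates the first list is the threshold to review; an address that keeps reappearing in the second is a candidate for /etc/csf/csf.deny.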
Troubleshooting Common CSF Issues
- Locked yourself out: use console access to run csf -x (disable) or set TESTING = "1", then csf -r. Whitelist your IP in csf.allow.
- Services unreachable: confirm ports in TCP_IN/UDP_IN, reload CSF, and check app bindings and SELinux contexts if applicable.
- LFD not starting: check systemctl status lfd and /var/log/lfd.log. Ensure Perl modules are present.
- Conflicts with other firewalls: make sure UFW/firewalld are disabled. CSF should be the only firewall manager.
- nftables vs iptables: On newer distros, iptables is an nft wrapper; ensure iptables packages are installed. CSF supports iptables-nft.
Real-World Use Cases and When CSF Fits Best
- Shared hosting or cPanel servers: CSF has a WHM plugin and tailored LFD rules for common services.
- Small to medium web apps: easy rule management with good intrusion prevention without a steep learning curve.
- Email servers: fine-grained outbound controls and brute-force protections for SMTP/IMAP/POP.
- API gateways and reverse proxies: connection tracking and rate limiting reduce abuse.
If you need a minimal, native alternative, UFW (Ubuntu) or firewalld (RHEL-family) are lighter. For hosting stacks that benefit from LFD and prebuilt patterns, CSF is a strong choice.
Managed Option: Let YouStable Handle It
Don’t want to babysit firewall rules? With YouStable’s Managed VPS and Dedicated Servers, our engineers preinstall and harden CSF/LFD, set safe port policies, add proactive monitoring, and maintain updates. That means fewer false positives and faster recoveries when traffic spikes or attacks hit.
FAQs: CSF Firewall on Linux Server
What is CSF and LFD, and how do they work together?
CSF manages iptables rules (allow, deny, rate limit). LFD (Login Failure Daemon) monitors logs for repeated failures (SSH, mail, FTP) and automatically bans abusive IPs through CSF. Together they provide a firewall plus intrusion prevention and alerting.
How do I open or close a port in CSF?
Edit /etc/csf/csf.conf, add/remove the port in TCP_IN or UDP_IN for inbound (or TCP_OUT/UDP_OUT for outbound), save, then run csf -r. Always test from a second terminal before closing your main session.
How can I whitelist, blacklist, or unblock an IP?
Whitelist: csf -a IP. Blacklist: csf -d IP "Reason". Remove from deny: csf -dr IP. You can also edit /etc/csf/csf.allow and /etc/csf/csf.deny, then reload with csf -r.
CSF vs UFW vs firewalld: which should I choose?
UFW and firewalld are simple, native managers. CSF adds LFD-based intrusion prevention, rate limiting, alerts, and hosting-friendly defaults. For production web/email servers, CSF is often more effective; for minimal setups, UFW/firewalld may suffice.
Does CSF work with nftables on newer Linux versions?
Yes. Most modern distros ship iptables-nft as a compatibility layer. Ensure iptables packages are installed. CSF interacts via iptables commands that map to nftables in the background.
Conclusion
Setting up CSF Firewall on a Linux server is straightforward and powerful: install, allow the right ports, disable TESTING, enable CSF/LFD, and tune for your workload. With connection tracking, brute-force blocking, and clear logs, CSF provides a robust, admin-friendly security layer for modern hosting environments.
If you prefer a hands-off, hardened configuration with ongoing monitoring, YouStable’s managed servers include CSF best practices out of the box—so you can focus on your apps, not your firewall.