{"id":13247,"date":"2025-12-20T11:06:00","date_gmt":"2025-12-20T05:36:00","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=13247"},"modified":"2025-12-24T16:18:09","modified_gmt":"2025-12-24T10:48:09","slug":"use-csf-firewall-on-linux","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/use-csf-firewall-on-linux","title":{"rendered":"How to Use CSF Firewall on Linux Server? LFD and iptables Guide"},"content":{"rendered":"\n

CSF (ConfigServer Security & Firewall)<\/strong> is a powerful Linux firewall suite that wraps iptables\/nftables with easy commands and intrusion detection. To use CSF on a Linux server: install CSF, edit \/etc\/csf\/csf.conf, set TESTING=0, open required ports, enable csf and lfd, then manage allow\/deny lists and rate-limits with simple csf commands.<\/p>\n\n\n\n

\n

Securing internet-facing servers starts with a solid firewall. This guide explains how to use CSF Firewall on Linux Server from installation to hardening, using beginner-friendly steps backed by real hosting experience. <\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n

You\u2019ll learn how to install CSF<\/a>, configure ports, whitelist IPs, block attacks with LFD, and troubleshoot safely.<\/p>\n\n\n\n

What is CSF and Why Use it?<\/strong><\/h2>\n\n\n\n

CSF (ConfigServer Security & Firewall) is an advanced but user-friendly firewall and login\/intrusion protection system for Linux servers. It uses iptables or nftables under the hood, adds smart defaults, and includes LFD (Login Failure Daemon) to monitor logs and automatically block suspicious activity.<\/p>\n\n\n\n

How CSF Works<\/strong><\/h2>\n\n\n\n

CSF manages kernel-level packet filtering (iptables or nftables) using a central configuration file and helper scripts. You don\u2019t need to remember complex iptables syntax; you control access using readable options and simple commands like csf -a<\/code> (allow) or csf -d<\/code> (deny).<\/p>\n\n\n\n

What LFD Adds<\/strong><\/h2>\n\n\n\n

LFD scans authentication logs (SSH, mail, FTP, web) and network patterns. When it detects brute force attempts, floods, or anomalous processes, it can temporarily or permanently ban IPs, notify you, and enforce limits like connection tracking and port floods.<\/p>\n\n\n\n

CSF vs UFW vs firewalld<\/strong><\/h2>\n\n\n\n

UFW and firewalld are great for basic rules. CSF is ideal for servers needing integrated anti-bruteforce, rate limits, easy allow\/deny lists, country filters, and extensive automation across web hosting<\/a> stacks (cPanel, DirectAdmin, etc.).<\/p>\n\n\n\n

Prerequisites and Compatibility<\/strong><\/h2>\n\n\n\n

Before installing CSF, ensure you have:<\/strong><\/p>\n\n\n\n

    \n
  • Root or sudo access on a Linux server (Ubuntu\/Debian, RHEL\/AlmaLinux\/Rocky, CloudLinux)<\/li>\n\n\n\n
  • Perl and basic build tools (CSF uses Perl scripts)<\/li>\n\n\n\n
  • iptables\/nftables kernel support (most distro kernels include this)<\/li>\n\n\n\n
  • Console access (in case you need to recover from firewall lockouts)<\/li>\n<\/ul>\n\n\n\n

    On systems running firewalld or UFW, disable them to avoid conflicts. CSF manages the firewall stack directly.<\/p>\n\n\n\n

    # Stop other firewalls (choose your distro's default)\nsudo systemctl stop firewalld && sudo systemctl disable firewalld\nsudo ufw disable<\/code><\/pre>\n\n\n\n
    Install CSF on Linux (Ubuntu, Debian, RHEL, AlmaLinux, Rocky)<\/strong><\/h2>\n\n\n\n
    1) Install dependencies<\/strong><\/h3>\n\n\n\n
    # Ubuntu\/Debian\nsudo apt update\nsudo apt install -y perl wget curl tar iptables\n\n# RHEL\/AlmaLinux\/Rocky\nsudo dnf -y install perl wget curl tar iptables<\/code><\/pre>\n\n\n\n
    2) Download and install CSF<\/strong><\/h3>\n\n\n\n
    cd \/usr\/src\nsudo curl -L -o csf.tgz https:\/\/download.configserver.com\/csf.tgz\nsudo tar -xzf csf.tgz\ncd csf\nsudo sh install.sh\n\n# Verify kernel\/module compatibility\nsudo perl \/usr\/local\/csf\/bin\/csftest.pl<\/code><\/pre>\n\n\n\n
    If the test passes, CSF is installed and ready for configuration. The main config file is at \/etc\/csf\/csf.conf<\/code>. The main commands are csf<\/code> (firewall) and lfd<\/code> (daemon).<\/p>\n\n\n\n
    Initial CSF Configuration (Open Ports, Disable Testing)<\/strong><\/h2>\n\n\n\n
    Edit \/etc\/csf\/csf.conf<\/strong><\/h3>\n\n\n\n
    By default, CSF starts in testing mode and will flush rules periodically. Change the following settings before enabling, and open only the ports you need.<\/p>\n\n\n\n
    sudo cp \/etc\/csf\/csf.conf \/etc\/csf\/csf.conf.bak\nsudo nano \/etc\/csf\/csf.conf\n\n# Recommended baseline\nTESTING = \"0\"\nRESTRICT_SYSLOG = \"3\"\nIPV6 = \"1\"                 # Set to \"0\" if you don't use IPv6\n\n# Replace with your actual service ports\nTCP_IN = \"22,80,443\"\nTCP_OUT = \"80,443,53\"\nUDP_IN = \"53\"\nUDP_OUT = \"53,123\"\n\n# Connection tracking and flood controls\nCT_LIMIT = \"100\"\nCT_INTERVAL = \"30\"\nSYNFLOOD = \"1\"\nPORTFLOOD = \"22;tcp;5;300,80;tcp;200;5\"<\/code><\/pre>\n\n\n\n
    Notes:<\/strong><\/p>\n\n\n\n
      \n
    • Keep SSH (22 or your custom SSH port) in TCP_IN<\/code> to avoid lockout.<\/li>\n\n\n\n
    • PORTFLOOD<\/code> limits new connections per time frame (helpful for SSH and HTTP floods).<\/li>\n\n\n\n
    • Restrict TCP_OUT<\/code> to what you require (80\/443\/53 is a safe start).<\/li>\n<\/ul>\n\n\n\n
      Enable and Test CSF + LFD<\/strong><\/h3>\n\n\n\n
      After saving the config, enable CSF and start LFD. Keep your console session open until you verify access.<\/p>\n\n\n\n
      # Enable CSF and reload rules\nsudo csf -e\nsudo csf -r\n\n# Start\/enable LFD\nsudo systemctl enable --now lfd\n\n# List current rules (sanity check)\nsudo csf -l<\/code><\/pre>\n\n\n\n
      Open a second terminal and confirm you can SSH back in. If something goes wrong, you can quickly disable CSF:<\/p>\n\n\n\n
      # Disable CSF (flush rules)\nsudo csf -x\n\n# Re-enable when ready\nsudo csf -e<\/code><\/pre>\n\n\n\n
      Everyday CSF Commands (Allow, Deny, List)<\/strong><\/h2>\n\n\n\n
        \n
      • List rules:<\/strong> csf -l<\/code><\/li>\n\n\n\n
      • Search an IP in rules\/logs:<\/strong> csf -g 203.0.113.10<\/code><\/li>\n\n\n\n
      • Allow (whitelist) an IP:<\/strong> csf -a 203.0.113.10 \"Office IP\"<\/code><\/li>\n\n\n\n
      • Deny (block) an IP:<\/strong> csf -d 203.0.113.55 \"Abuse\"<\/code><\/li>\n\n\n\n
      • Remove from deny:<\/strong> csf -dr 203.0.113.55<\/code><\/li>\n\n\n\n
      • Temporary allow\/deny (e.g., 1 hour):<\/strong> csf -tr 203.0.113.10 3600<\/code> or csf -td 203.0.113.55 3600<\/code><\/li>\n\n\n\n
      • View temp bans:<\/strong> csf -t<\/code> (clear all temp: csf -ta<\/code>)<\/li>\n\n\n\n
      • Reload after edits:<\/strong> csf -r<\/code><\/li>\n<\/ul>\n\n\n\n
        You can also manage persistent lists via files:<\/strong><\/p>\n\n\n\n
          \n
        • \/etc\/csf\/csf.allow<\/code> \u2014 always allow (whitelist)<\/li>\n\n\n\n
        • \/etc\/csf\/csf.deny<\/code> \u2014 always deny (blacklist)<\/li>\n\n\n\n
        • \/etc\/csf\/csf.ignore<\/code> \u2014 ignore an IP\/user from certain checks<\/li>\n<\/ul>\n\n\n\n
          Real-World Examples (Open a Port, Whitelist, Temporary Access)<\/strong><\/h2>\n\n\n\n
          Open a custom application port<\/strong><\/h3>\n\n\n\n
          # Example: allow inbound port 3000 for a Node.js app\nsudo sed -i 's\/^TCP_IN = .*\/TCP_IN = \"22,80,443,3000\"\/' \/etc\/csf\/csf.conf\nsudo csf -r<\/code><\/pre>\n\n\n\n
          Whitelist your office IP<\/strong><\/h3>\n\n\n\n
          sudo csf -a 198.51.100.25 \"Office IP\"\nsudo csf -r<\/code><\/pre>\n\n\n\n
          Grant temporary access to a contractor<\/strong><\/h3>\n\n\n\n
          # Allow for 2 hours (7200 seconds)\nsudo csf -tr 198.51.100.200 7200<\/code><\/pre>\n\n\n\n
          Hardening with LFD (Brute Force & Abuse Controls)<\/strong><\/h2>\n\n\n\n
          LFD reads auth logs and automatically bans abusive IPs. Tune these common options in \/etc\/csf\/csf.conf<\/code>:<\/p>\n\n\n\n
          # SSH brute-force protection (ban after 5 failures)\nLF_SSHD = \"5\"\nLF_TRIGGER = \"5\"\n\n# Permanent block after multiple temp bans\nLF_PERMBLOCK = \"1\"\nLF_PERMBLOCK_COUNT = \"4\"\nLF_PERMBLOCK_INTERVAL = \"86400\"\n\n# Connection tracking limit (per IP)\nCT_LIMIT = \"100\"\nCT_INTERVAL = \"30\"\n\n# Process tracking (detect suspicious processes)\nPT_USERPROC = \"10\"<\/code><\/pre>\n\n\n\n
          These settings help neutralize SSH brute force, excessive connection usage, and malicious processes. Always test progressively; aggressive thresholds can block legitimate traffic during peaks.<\/p>\n\n\n\n
          Service Specific Ports (Web, Mail, DB, Panels)<\/strong><\/h2>\n\n\n\n
          Ensure your TCP_IN<\/code>\/UDP_IN<\/code> include only what your stack needs. Common examples:<\/p>\n\n\n\n
            \n
          • Web:<\/strong> 80 (HTTP), 443 (HTTPS)<\/li>\n\n\n\n
          • SSH: <\/strong>22 (or custom)<\/li>\n\n\n\n
          • DNS:<\/strong> 53 TCP\/UDP<\/li>\n\n\n\n
          • Mail:<\/strong> 25, 465, 587 (SMTP), 993 (IMAPS), 995 (POP3S)<\/li>\n\n\n\n
          • MySQL\/MariaDB<\/strong>: 3306 (restrict to internal\/VPN only)<\/li>\n\n\n\n
          • Control panels (as applicable): <\/strong>cPanel 2083\/2087, DirectAdmin 2222, Plesk 8443<\/li>\n<\/ul>\n\n\n\n
            If you run cPanel\/DirectAdmin, CSF integrates well and may add a GUI plugin. Always confirm panel ports are allowed before disabling testing mode.<\/p>\n\n\n\n
            Advanced CSF Features (Use Carefully)<\/strong><\/h2>\n\n\n\n
            Country-level blocks (GeoIP)<\/strong><\/h3>\n\n\n\n
            CSF can block\/allow by country codes, e.g.:<\/p>\n\n\n\n
            # Deny traffic from listed countries\nCC_DENY = \"CN,RU\"\n\n# Or allow only these (filter mode)\nCC_ALLOW_FILTER = \"US,GB\"<\/code><\/pre>\n\n\n\n
            GeoIP isn\u2019t perfect (CDNs\/VPNs can bypass it). Use it as an auxiliary control, not your only defense.<\/p>\n\n\n\n
            Rate-limit floods and port scans<\/strong><\/h3>\n\n\n\n
            Use PORTFLOOD<\/code> to limit new connections per IP, and enable SYN flood protection. Combine with LFD triggers to contain bursts while minimizing false positives.<\/p>\n\n\n\n
            IPv6 and modern stacks<\/strong><\/h3>\n\n\n\n
            If your server has IPv6, set IPV6 = \"1\"<\/code> and define v6 allow\/deny lists. On newer distros using nftables via iptables, CSF works as long as csftest passes. Avoid running CSF alongside firewalld\/UFW.<\/p>\n\n\n\n
            Troubleshooting & Recovery<\/strong><\/h2>\n\n\n\n
            Locked out after enabling?<\/strong><\/h3>\n\n\n\n
            Use console\/DRAC\/iLO\/VNC to access the server. Then:<\/p>\n\n\n\n
              \n
            • Disable CSF:<\/strong> csf -x<\/code><\/li>\n\n\n\n
            • Edit csf.conf<\/code> to include your SSH port in TCP_IN<\/code> and whitelist your IP in csf.allow<\/code><\/li>\n\n\n\n
            • Re-enable: <\/strong>csf -e && csf -r<\/code><\/li>\n<\/ul>\n\n\n\n
              Check logs and status<\/strong><\/h3>\n\n\n\n
                \n
              • \/var\/log\/lfd.log<\/code> \u2014 LFD bans, triggers, login failures<\/li>\n\n\n\n
              • \/var\/log\/messages<\/code> or \/var\/log\/syslog<\/code> \u2014 system messages<\/li>\n\n\n\n
              • csf -g <IP><\/code> \u2014 find why an IP is blocked\/allowed<\/li>\n<\/ul>\n\n\n\n
                Conflicts and edge cases<\/strong><\/h2>\n\n\n\n
                  \n
                • firewalld\/UFW:<\/strong> must be disabled to avoid rule conflicts.<\/li>\n\n\n\n
                • Docker:<\/strong> Docker manipulates iptables and NAT; review your published ports and test thoroughly. If possible, manage exposure via reverse proxies\/load balancers.<\/li>\n\n\n\n
                • Cloud firewalls:<\/strong> If using AWS Security Groups, GCP VPC or similar, align CSF rules with upstream policies.<\/li>\n<\/ul>\n\n\n\n
                  Best Practices for a Secure Linux Server with CSF<\/strong><\/h2>\n\n\n\n
                    \n
                  • Start in TESTING mode, verify access, then set TESTING = \"0\"<\/code>.<\/li>\n\n\n\n
                  • Open only the ports you truly need; restrict outbound traffic.<\/li>\n\n\n\n
                  • Whitelist trusted admin IPs; use temporary access for vendors.<\/li>\n\n\n\n
                  • Tune LFD gradually; monitor \/var\/log\/lfd.log<\/code> for false positives.<\/li>\n\n\n\n
                  • Back up csf.conf<\/code> before large changes; document your rules.<\/li>\n\n\n\n
                  • Combine CSF with strong SSH practices (keys, non-default port, no root login) and failover access.<\/li>\n<\/ul>\n\n\n\n
                    Managed Option: Let YouStable Configure CSF for You<\/strong><\/h2>\n\n\n\n
                    If you host with YouStable, our engineers can deploy and tune CSF\/LFD on your Linux server, align it with your application stack, and monitor blocks 24\/7. It\u2019s a stress-free way to get a hardened firewall without spending hours on trial-and-error.<\/p>\n\n\n\n
                    FAQs: <\/strong><\/h2>\n\n\n
                    \n
                    \n
                    \n
                    How do I install CSF firewall on Ubuntu or Debian quickly?<\/strong><\/h3>\n
                    \n\n
                    Update packages, install prerequisites, then download and run the installer:<\/p>\n
                    sudo apt update && sudo apt install -y perl wget curl tar iptables
                    cd \/usr\/src && sudo curl -L -o csf.tgz https:\/\/download.configserver.com\/csf.tgz
                    sudo tar -xzf csf.tgz && cd csf && sudo sh install.sh
                    sudo perl \/usr\/local\/csf\/bin\/csftest.pl<\/p>\n\n<\/div>\n<\/div>\n
                    \n
                    What ports should I open in CSF for a typical web server?<\/strong><\/h3>\n
                    \n\n
                    Minimum:<\/strong> TCP_IN 22,80,443; TCP_OUT 80,443,53; UDP_IN 53 (if DNS), UDP_OUT 53,123. Add mail, database, and panel ports as required. Only open what you actively use.<\/p>\n\n<\/div>\n<\/div>\n
                    \n
                    How do I whitelist or block an IP in CSF?<\/strong><\/h3>\n
                    \n\n
                    Whitelist: csf -a 203.0.113.10 \"Admin IP\"<\/code>. Block: csf -d 203.0.113.55 \"Abuse\"<\/code>. For temporary rules: csf -tr <IP> <seconds><\/code> or csf -td <IP> <seconds><\/code>. Reload with csf -r<\/code> if you edit config files.<\/p>\n\n<\/div>\n<\/div>\n
                    \n
                    Does CSF work with nftables and newer Linux releases?<\/strong><\/h3>\n
                    \n\n
                    Yes. Most modern distros use iptables-nft backends. If csftest.pl<\/code> reports compatibility, CSF will operate normally. Do not run CSF alongside firewalld or UFW, as they will conflict.<\/p>\n\n<\/div>\n<\/div>\n
                    \n
                    CSF vs UFW vs firewalld: which should I choose?<\/strong><\/h3>\n
                    \n\n
                    Choose CSF if you want integrated firewall + intrusion prevention (LFD), easy allow\/deny management, rate-limiting, and hosting-friendly features. UFW\/firewalld are simpler for desktops or basic servers but lack CSF\u2019s deep security automation out of the box.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"
                    CSF (ConfigServer Security & Firewall) is a powerful Linux firewall suite that wraps iptables\/nftables with easy commands and intrusion detection. […]<\/p>\n","protected":false},"author":21,"featured_media":15518,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-13247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Use-CSF-Firewall-on-Linux-Server.jpg","author_info":{"display_name":"Sanjeet Chauhan","author_link":"https:\/\/www.youstable.com\/blog\/author\/sanjeet"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=13247"}],"version-history":[{"count":5,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13247\/revisions"}],"predecessor-version":[{"id":15519,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13247\/revisions\/15519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/15518"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=13247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=13247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=13247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}