Just Host Web Hosting Help
VPS and Dedicated Hosting: ConfigServer Security and Firewall
CSF is a firewall for VPS and Dedicated servers. CSF is not installed as part of our default images on VPS or Dedicated servers; however, it is quite a popular add-on, as it greatly simplifies tasks such as opening or closing ports. Rather than having to figure out iptables command syntax, CSF offers a GUI-based approach, integrated with WHM.
Customers can either install it themselves or request to have support install it. We may also suggest its installation. While we do not provide detailed support for the application, it is one you are likely to encounter while supporting servers, so some familiarity with its operation is recommended.
We can install CSF on request. This is done as root through the command line. The commands to do so are given below for your convenience, but you should always check the manufacturer’s site for the current version. These can be found here.
tar -xzf csf.tgz
You will see Installation Completed.
rm -Rfv csf/ csf.tgz
This will install the application and create the plugin for WHM, but it will initially be set in “Testing” mode. This can be disabled by logging into WHM, going to the Plugins » ConfigServer Security & Firewall section, clicking on the csf tab, and then in the csf -- ConfigServer Firewall, clicking on the Firewall Configuration button. Testing appears at the top, as in the screenshot below, and can be set to OFF.
By default, the RESTRICT_SYSLOG option is disabled, which will give a warning in the CSF control panel. This should be changed, as shown below with “3” being the recommended setting.
After making the updates, you need to scroll down to the bottom, press the ‘Change’ button, and you will be prompted to “Restart csf+lfd”, completing the process of enabling CSF.
After installation and activation, it is strongly recommended to disable cPHulk, as its operation can potentially conflict with CSF. This is done in WHM > Security Center » cPHulk Brute Force Protection.
By default, the initial configuration will open up a standard set of ports, as used by cPanel and associated services. If the customer has made any changes, for example, changing SSH/SFTP to run on a port other than 22, CSF’s configuration should be updated to take account of these. Support IP addresses can also be whitelisted, to help avoid potential future issues.
CSF configuration can be done in two ways, through the WHM GUI or on the command line.
Through the GUI
As mentioned above, most configuration is done through WHM > Plugins » ConfigServer Security & Firewall > csf tab > csf -- ConfigServer Firewall section > Firewall Configuration.
This offers detailed information for each section about its purpose and potential settings. The most commonly accessed section is the one which sets the open or closed ports:
You can add, delete or change ports, in- or out-bound, by editing the list, separating each with a comma. A range of ports to be opened can be specified by separating them with a colon, e.g. 49152:65534.
After making changes, update the configuration file using the ‘Change’ button and restart csf/lfd, as discussed above.
However, IP addresses can be blocked, unblocked or whitelisted “on the fly”, directly from the csf tab, as below. You can also search for an IP address and see if it has been blocked by CSF.
A little further down, you can find ‘Firewall Enable’ and ‘Firewall Disable’ options, which allow you to turn on and off CSF monitoring.
Using the Command Line
The configuration files for CSF live in /etc/csf, and can be edited manually, using your tool of choice. The main ones to know are:
- csf.conf -- the main configuration file
- cff.allow -- a list of IPs that should always be allowed through the firewall
- csf.deny -- a list of IPs that should never be allowed through the firewall
- csf.ignore -- a list of IPs that lfd should ignore and not block if detected
Note: after making changes to these by direct editing of the configuration files, it is typically necessary to reload CSF, so that the new settings get picked up. This can be done by running the following command as root:
Many functions of CSF can be carried out from the command line, saving you the need to log in to WHM. Here are some of the most common ones.
- csf -e -- Enable CSF
- csf -x -- Disable CSF. This is especially useful as it can be run through the HAL command line, and can help us get on to the server if support IPs have been blocked by CSF.
- csf -s -- Start the firewall rules
- csf -f -- Flush/Stop firewall rules
- csf -r -- Restart or reload the firewall rules
- csf -a 126.96.36.199 [Optional comment] -- Allow IP 188.8.131.52 and add to /etc/csf/csf.allow
- csf -td 184.108.40.206 [Optional comment] -- Place IP 220.127.116.11 on the temporary deny list
- csf -tr 18.104.22.168 -- Remove IP 22.214.171.124 from the temporary IP ban csf -tf -- Flush all IPs from the temporary IP entries
- csf -d 126.96.36.199 [Optional comment] -- Deny IP 188.8.131.52 and add to /etc/csf/csf.deny
- csf -dr 184.108.40.206 -- Unblock IP 220.127.116.11 and remove from /etc/csf/csf.deny
- csf -df -- Remove and unblock all entries in /etc/csf/csf.deny
- csf -g 18.104.22.168 -- Search the iptables rules for a match (e.g. IP, CIDR, Port Number)
- csf -t -- Displays the current list of temporary allow and deny IP entries with their TTL and comments
Common QuestionsWhat is the difference between “allow” and “ignore”?
Allowing an IP will mean it should always be let through the firewall. Ignoring an IP means it won’t get blocked if it is detected, for example, if there are multiple failed login attempts from it. Both allowing and ignoring an IP you want to permit is the safest bet.Can IP ranges be blocked?
Yes. This can be done through the GUI or command line, but in both cases, the range needs to be specified in CIDR format. For example, to block the range from 22.214.171.124 through to 126.96.36.199, you must input it into the system as 188.8.131.52/24.