ConfigServer Security & Firewall is a very popular and free security suite. This howto describes how to install it on your VPS. The software works great with cPanel, but does not require it.

The software comes in two parts:

ConfigServer Firewall: A firewall wrapper that makes managing iptables much easier.

Login Failure Daemon: This software scans login failures and automatically blocks IP addresses when they reach certain failure thresholds.

Please note that it is not recommended to run any other firewall management software at he same time as CSF.

1. Connect to your server

Please login to your VPS as the root user, or change (su) to the root user to begin.

2. Download and install CSF

The readme provides an installation method in just a couple of commands, please execute them as below:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Once executed, CSF should be installed.

Please note that once it is installed, LFD is not by default activated, so we'll look at how to actually enable it in the next step

3. Configuring

Once CSF is installed, we will need to enable it. Open up the file /etc/csf/csf.conf with a text editor of your choice. In this example we're using Nano.

Please see this guide on how to install Nano if you'd like to try it out: Install Nano on Linux Server

Locate the "TESTING" variable under "SECTION:Initial Settings" and change it from "0" to "1" in order for the Login Failure Daemon to work. Afterwards, execute these commands to restart the services:

service lfd restart
csf -r

That's it! CSF and LFD should now be configured and working.

4. Unblocking Passive FTP Ports (optional)

Passive FTP connections use a special set of ports as instructed by the FTP server. By default, these ports are not open in CSF. If you intend on using or allowing passive FTP connections find what they are inside your FTP server's config (in this example the server uses Pure-FTPd):

[[email protected] ~]# grep ^Passive /etc/pure-ftpd.conf
PassivePortRange 49152 65534

Per the above command and result we see that the passive port range is set to be 49152 - 65534 in the FTP server's configuration.

To add this range of ports to CSF, and thus enable passive FTP connections, add them in the format of FROM:TO to the end of the line beginning with "TCP_IN" in the CSF config file, so that it looks like this (note the range at the end of the line):

TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,26,49152:65534"

On your server above ports may differ, so just ensure the passive port range is within the list of ports.

Afterward, reload CSF: csf -r

Useful Links and Further Reading

CSF and LFD contain a lot more features than just blocking ports, such as process tracking. You can view the readme describing each function below.

CSF Official Readme: https://download.configserver.com/csf/readme.txt

Need help?