ConfigServer Security and Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall and login intrusion detection system for Linux servers. It acts as a front-end to iptables and nftables, making it straightforward to manage complex firewall rules without writing raw iptables commands. CSF also ships with the Login Failure Daemon (LFD) – a background process that monitors login attempts across services like SSH, FTP, SMTP, and web apps, and automatically blocks IPs that show brute-force behavior.
This guide covers CSF installation and configuration on RHEL 10, Rocky Linux 10, AlmaLinux 10, and Ubuntu 24.04. We walk through dependency setup, firewall rule configuration, LFD tuning, brute-force protection, port flood mitigation, and the CSF web UI. CSF is maintained as a community fork on GitHub after the original developer (Way to the Web Ltd) discontinued active development in August 2025. The project remains actively updated with new releases and security fixes.
Prerequisites
Before you begin, confirm you have the following in place:
- A server running RHEL 10, Rocky Linux 10, AlmaLinux 10, or Ubuntu 24.04 with SSH access configured
- Root access or a user account with sudo privileges
- Disable any existing firewall (firewalld or ufw) before installing CSF – it manages iptables/nftables directly and will conflict with other firewall managers
- Know your SSH port number (default 22) – you will need to whitelist it in CSF before taking the firewall out of test mode
Step 1: Install CSF Firewall Dependencies
CSF is written in Perl and requires several Perl modules for full functionality. The Login Failure Daemon also needs networking utilities for DNS lookups and IP resolution.
On RHEL 10 / Rocky Linux 10 / AlmaLinux 10
First, disable firewalld since CSF manages iptables directly and will conflict with it:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
Install the required packages:
sudo dnf install -y perl perl-IO-Socket-INET6 perl-IO-Socket-SSL perl-Net-SSLeay perl-Socket6 perl-libwww-perl perl-LWP-Protocol-https perl-JSON perl-Time-HiRes perl-Crypt-SSLeay perl-Net-LibIDN2 perl-Math-BigInt ipset iptables-services wget bind-utils net-tools
Enable iptables services so CSF rules persist across reboots:
sudo systemctl enable iptables
sudo systemctl start iptables
On Ubuntu 24.04
Disable ufw before proceeding:
sudo ufw disable
Install the Perl dependencies and iptables:
sudo apt update
sudo apt install -y perl libio-socket-inet6-perl libio-socket-ssl-perl libnet-ssleay-perl libsocket6-perl libcrypt-ssleay-perl libnet-libidn-perl libwww-perl liblwp-protocol-https-perl libjson-perl libtime-hires-perl libgd-graph-perl ipset iptables wget dnsutils sendmail
Step 2: Download and Install CSF
CSF provides an installer script that handles the setup automatically. Download the latest release tarball and run the installer:
cd /usr/src
sudo wget https://download.configserver.dev/csf.tgz
sudo tar -xzf csf.tgz
cd csf
sudo sh install.sh
The installer places configuration files in /etc/csf/ and installs the csf and lfd binaries. After installation, verify that CSF has the required iptables modules available by running the built-in test:
sudo perl /usr/local/csf/bin/csftest.pl
The test checks for iptables modules like ip_tables, iptable_filter, ip_conntrack, and others. A successful test shows RESULT: csf should function on this server. If any module is missing, install the corresponding kernel module or package before continuing.
Step 3: Configure CSF Firewall Rules
The main CSF configuration file is /etc/csf/csf.conf. This file controls which ports are open, the testing mode state, and all firewall behavior. Open it for editing:
sudo vi /etc/csf/csf.conf
Disable Testing Mode
CSF installs in TESTING mode by default, which means the firewall rules flush automatically after 5 minutes. This prevents lockouts during initial setup. Keep it enabled until you confirm your SSH port is whitelisted, then set:
TESTING = "0"
Configure Allowed TCP and UDP Ports
Define which inbound and outbound ports are open. The defaults are reasonable for a web server, but adjust them to match your services. Here is an example for a typical web and mail server:
# Inbound TCP ports
TCP_IN = "22,25,53,80,443,587,993,995"
# Outbound TCP ports
TCP_OUT = "22,25,53,80,113,443,587,993,995"
# Inbound UDP ports
UDP_IN = "53"
# Outbound UDP ports
UDP_OUT = "53,113,123"
Common ports to include based on your services:
- 22 – SSH (change if you use a custom SSH port)
- 80, 443 – HTTP and HTTPS
- 25, 587 – SMTP mail
- 993, 995 – IMAP and POP3 over SSL
- 53 – DNS (TCP and UDP)
- 3306 – MySQL/MariaDB (only if remote access is needed)
- 5432 – PostgreSQL (only if remote access is needed)
Remove any ports you do not use. A minimal server running only SSH and a web server needs just 22,80,443 in TCP_IN.
Additional Settings
A few other settings worth configuring in csf.conf:
# Enable SYN flood protection
SYNFLOOD = "1"
SYNFLOOD_RATE = "75/s"
SYNFLOOD_BURST = "25"
# Connection tracking - limit connections per IP
CT_LIMIT = "300"
# Enable port scan tracking
PS_INTERVAL = "300"
PS_LIMIT = "10"
# ICMP rate limiting
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
After making changes, restart CSF to apply the new rules:
sudo csf -r
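Before setting TESTING = "0" and restarting, it is worth checking mechanically that the SSH port really is covered by TCP_IN. The script below is an added example, not part of CSF or of the original guide. Its function names are made up here, and it handles lo:hi range entries in the port list.

```shell
#!/bin/sh
# Added example (not part of CSF): lockout pre-flight for a csf.conf file.

# Print the value of KEY from a csf.conf-style line: KEY = "value"
csf_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Return 0 if PORT is covered by a port list such as "22,80,30000:35000"
# (a lo:hi entry is treated as an inclusive range).
port_in_list() {
    port=$1
    found=1
    old_ifs=$IFS; IFS=,
    for entry in $2; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then found=0; fi ;;
            *)   if [ "$entry" = "$port" ]; then found=0; fi ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Return 0 only if SSH_PORT is open in TCP_IN, i.e. TESTING can be set to "0".
csf_preflight() {
    conf=$1; ssh_port=$2
    tcp_in=$(csf_conf_get TCP_IN "$conf")
    if port_in_list "$ssh_port" "$tcp_in"; then
        echo "OK: port $ssh_port is in TCP_IN, TESTING=$(csf_conf_get TESTING "$conf")"
        return 0
    fi
    echo "FAIL: port $ssh_port is missing from TCP_IN=\"$tcp_in\"; leave TESTING = \"1\""
    return 1
}

# Constructed sample: sshd was moved to 2222 but TCP_IN still lists only 22.
sample=$(mktemp)
printf '%s\n' 'TESTING = "1"' 'TCP_IN = "22,80,443,30000:35000"' > "$sample"
csf_preflight "$sample" 22
csf_preflight "$sample" 2222 || true
rm -f "$sample"
```

On a real server, call csf_preflight /etc/csf/csf.conf with the port sshd actually listens on.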
Step 4: Whitelist and Blacklist IPs in CSF
CSF uses three files to manage IP access: /etc/csf/csf.allow for permanently whitelisted IPs, /etc/csf/csf.deny for permanently blocked IPs, and /etc/csf/csf.ignore for IPs that LFD should never block.
Whitelist Your IP
Always whitelist your own IP address to prevent accidental lockouts. Replace the example IP with your actual public IP:
sudo csf -a 192.168.1.100
The command adds the IP to /etc/csf/csf.allow and immediately allows all traffic from it. You can add a comment for documentation:
sudo csf -a 192.168.1.100 "Office static IP"
Blacklist an IP
Block a specific IP permanently:
sudo csf -d 10.0.5.200
Block an entire subnet (useful for blocking IP ranges from specific countries or data centers):
sudo csf -d 10.0.5.0/24 "Malicious subnet"
Temporary Blocks
Temporarily block an IP for a set duration (in seconds). This is useful for suspected but unconfirmed threats:
sudo csf -td 10.0.5.200 3600 "Suspicious activity - 1 hour block"
Temporarily allow an IP:
sudo csf -ta 10.0.5.50 7200 "Contractor access - 2 hours"
Step 5: Configure the Login Failure Daemon (LFD)
LFD is the companion process that makes CSF more than just a firewall. It continuously monitors log files for failed login attempts and triggers IP blocks when thresholds are exceeded. LFD settings are in the same /etc/csf/csf.conf file.
sudo vi /etc/csf/csf.conf
Key LFD settings to tune:
# Number of login failures before blocking
LF_TRIGGER = "5"
# Time period (seconds) in which failures are counted
LF_INTERVAL = "3600"
# Temporary block duration (seconds) - 0 = permanent
LF_TRIGGER_PERM = "3600"
# Enable email alerts on blocks
LF_EMAIL_ALERT = "1"
# Email address for alerts (placeholder - replace with your own address)
LF_ALERT_TO = "admin@example.com"
# Process tracking time limit in seconds - 0 disables it
PT_LIMIT = "0"
# Enable directory watching - monitors /tmp and /dev/shm
LF_DIRWATCH = "300"
With these settings, LFD blocks any IP that fails 5 login attempts within 1 hour and holds the block for 1 hour. Set LF_TRIGGER_PERM to 0 if you want permanent blocks instead.
Step 6: Protect Against Brute-Force Attacks
CSF provides per-service brute-force thresholds that work independently from the global LF_TRIGGER setting. Each service has its own failure counter and block action.
sudo vi /etc/csf/csf.conf
Configure per-service thresholds:
# SSH brute-force protection
LF_SSHD = "5"
LF_SSHD_PERM = "1"
# FTP brute-force protection
LF_FTPD = "10"
LF_FTPD_PERM = "1"
# SMTP authentication brute-force
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
# POP3 brute-force
LF_POP3D = "10"
LF_POP3D_PERM = "1"
# IMAP brute-force
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
# HTTP basic auth brute-force
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
The _PERM setting controls the block duration: 1 means permanent block, 0 means temporary (using LF_TRIGGER_PERM duration), and any other number is the block time in seconds. Setting SSH brute-force to 5 attempts with permanent blocking is aggressive – adjust based on your environment. If you have users who legitimately mistype passwords, set LF_SSHD_PERM to 3600 for a 1-hour temporary block instead.
After updating, restart both CSF and LFD:
sudo csf -r
sudo systemctl restart lfd
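To see how a failure threshold and a counting window interact before committing to permanent blocks, the following added example (not lfd's code and not from the original guide) replays sshd "Failed password" lines against a limit and interval that stand in for LF_SSHD and LF_INTERVAL. It assumes each log line starts with an ISO 8601 timestamp and that each address's lines are in time order; the function names and the sample log are constructed.

```shell
#!/bin/sh
# Added example: replay an sshd log against LF_SSHD / LF_INTERVAL style thresholds.
# This approximates the counting only; it is not lfd's own matching logic.

# usage: lfd_replay LIMIT INTERVAL_SECONDS < logfile   -> "IP trigger-timestamp"
lfd_replay() {
    awk -v limit="$1" -v interval="$2" '
    # Civil date to Unix seconds (timezone offset ignored; only differences matter).
    function epoch(y, m, d, H, M, S,    a, yy, mm, jdn) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        jdn = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        return (jdn - 2440588) * 86400 + H * 3600 + M * 60 + S
    }
    /sshd.*Failed password/ {
        ip = ""
        # Use the last "from" token so text in the username field is never read as the address.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in blocked)) next
        split(substr($1, 1, 19), p, /[-T:]/)
        t = epoch(p[1], p[2], p[3], p[4], p[5], p[6])
        n[ip]++; seen[ip, n[ip]] = t
        # Count this failure plus earlier ones that still fall inside the window.
        hits = 0
        for (k = n[ip]; k >= 1 && t - seen[ip, k] < interval; k--) hits++
        if (hits >= limit) { blocked[ip] = 1; print ip, $1 }
    }'
}

# Constructed sample (documentation address ranges): .7 fails five times in
# nine seconds, .9 fails once every two hours, .20 mistypes a password twice.
sample_log() {
    for s in 01 03 05 07 09; do
        echo "2025-01-15T10:00:$s+00:00 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2"
    done
    for h in 08 10 12 14 16; do
        echo "2025-01-15T$h:30:00+00:00 web1 sshd[812]: Failed password for invalid user admin from 198.51.100.9 port 40100 ssh2"
    done
    echo "2025-01-15T11:00:00+00:00 web1 sshd[813]: Failed password for alice from 192.0.2.20 port 50000 ssh2"
    echo "2025-01-15T11:00:09+00:00 web1 sshd[813]: Failed password for alice from 192.0.2.20 port 50000 ssh2"
}

# Limit 5 within 3600 seconds, as in LF_SSHD = "5" and LF_INTERVAL = "3600".
sample_log | lfd_replay 5 3600
```

Running lfd_replay 5 3600 < /var/log/auth.log (or /var/log/secure on RHEL-family systems) shows which addresses the chosen values would have blocked, which helps when deciding between a permanent and a temporary _PERM setting.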
Step 7: Configure Port Flood Protection
Port flood protection limits the rate of incoming connections to specific ports. This prevents denial-of-service attacks that overwhelm a service by flooding it with connection requests.
sudo vi /etc/csf/csf.conf
Enable and configure port flood settings:
# Enable port flood protection
PORTFLOOD = "22;tcp;5;300,80;tcp;30;5,443;tcp;30;5"
Each PORTFLOOD entry has the form port;protocol;hitcount;interval, and multiple entries are separated by commas. The example above does the following:
- 22;tcp;5;300 – Allow maximum 5 new SSH connections per IP within 300 seconds
- 80;tcp;30;5 – Allow maximum 30 new HTTP connections per IP within 5 seconds
- 443;tcp;30;5 – Allow maximum 30 new HTTPS connections per IP within 5 seconds
You can also use CONNLIMIT to cap concurrent connections per IP to a port:
CONNLIMIT = "22;3,80;50,443;50"
This limits each IP to 3 concurrent SSH connections and 50 concurrent HTTP/HTTPS connections. Apply the changes:
sudo csf -r
Step 8: Set Up the CSF Web UI
CSF includes an optional web-based interface that runs on its own port. This is useful for managing firewall rules through a browser without needing SSH access. The web UI runs independently – it does not require cPanel or any other control panel.
sudo vi /etc/csf/csf.conf
Enable and configure the web UI:
# Enable the CSF UI
UI = "1"
# Port for the web UI
UI_PORT = "6666"
# Restrict to specific IPs (recommended)
UI_ALLOW = "192.168.1.100"
# Username and password
UI_USER = "admin"
UI_PASS = "YourStrongPasswordHere"
The UI_ALLOW setting restricts access to the web interface to specific IP addresses. Always set this – never leave the UI accessible from all IPs. Make sure to add the UI port to your TCP_IN list:
TCP_IN = "22,25,53,80,443,587,993,995,6666"
Restart CSF and LFD to activate the web UI:
sudo csf -r
sudo systemctl restart lfd
Access the UI at https://your-server-ip:6666 using the credentials you configured. The web UI shows firewall status, active blocks, and the allow and deny lists, and provides quick actions for common tasks.
Step 9: Common CSF Commands
CSF provides a straightforward command-line interface for day-to-day firewall management. Here are the commands you will use most often.
Start, stop, and restart CSF:
sudo csf -s
This starts CSF and applies all rules from the configuration. To stop CSF and flush all firewall rules:
sudo csf -f
Restart CSF (stop and start in one step – this is the command to run after every configuration change):
sudo csf -r
Check the current firewall status:
sudo csf -l
Search for an IP in all CSF rules (allow, deny, temp lists):
sudo csf -g 10.0.5.200
This shows whether the IP is blocked, allowed, or temporarily listed along with the chain and rule details. View all temporary blocks and allows:
sudo csf -t
Remove an IP from the deny list (unblock):
sudo csf -dr 10.0.5.200
Remove an IP from the allow list:
sudo csf -ar 192.168.1.100
CSF Command Reference Table
The following table summarizes the most commonly used CSF commands for quick reference:
| Command | Description |
|---|---|
| csf -s | Start CSF and apply all firewall rules |
| csf -f | Stop CSF and flush all iptables rules |
| csf -r | Restart CSF (reload configuration changes) |
| csf -l | List all active iptables rules |
| csf -a IP | Allow an IP address permanently |
| csf -d IP | Deny (block) an IP address permanently |
| csf -ta IP TTL | Temporarily allow an IP for TTL seconds |
| csf -td IP TTL | Temporarily deny an IP for TTL seconds |
| csf -ar IP | Remove an IP from the allow list |
| csf -dr IP | Remove an IP from the deny list |
| csf -g IP | Search for an IP across all rules |
| csf -t | List all temporary allow and deny entries |
| csf -x | Disable CSF completely |
| csf -e | Enable CSF |
| csf -c | Check for CSF updates |
Verify CSF Is Running
After completing the configuration, verify that both CSF and LFD services are active:
sudo systemctl status csf
The service should show active (running). Also check LFD:
sudo systemctl status lfd
Both services should be active. Enable them to start on boot if they are not already:
sudo systemctl enable csf
sudo systemctl enable lfd
Confirm your firewall rules are loaded:
sudo csf -l | head -30
This should display the iptables chains created by CSF including the INPUT, OUTPUT, and FORWARD chains with your configured port rules.
Conclusion
CSF provides a complete firewall and intrusion detection solution that is straightforward to configure on any Linux server. With the Login Failure Daemon handling brute-force detection automatically, and granular port controls through a single configuration file, CSF covers what most production servers need for network security. If you also want a dedicated network firewall appliance, consider deploying an OPNsense firewall at your network edge.
For production environments, consider setting up email alerts through LFD so you are notified of blocked IPs, and server monitoring with Prometheus and Grafana for visibility into system health. Keep the CSF documentation bookmarked for advanced features like country-based blocking and IP reputation lists, and regularly review /var/log/lfd.log to track what LFD is blocking on your server.