Note that you will require root access on a VPS / Dedicated server in order to follow these directions.

In this tutorial, we will show you how to install CSF via the command line interface (cli). CSF (ConfigServer Firewall) is a front end to iptables, and is an alternative to APF. CSF is considered a more advanced option, and has a more robust feature set than APF. We must first remove APF before installing CSF, then we’ll cover additional CSF settings.

Removing APF from your Server

Before installing CSF, you must remove APF and its settings from your server. There are several tasks you must complete, as outlined below.

Stop & Disable the APF service

1. Log into your server via SSH as the root user.
2. Run the following command (highlighted in red) in your shell instance to stop the APF service:

   [email protected] [~]# service apf stop

3. Run this command (highlighted in red):

   [email protected] [~]# chkconfig –del apf

4. Then, run this command (highlighted in red):

   [email protected] [~]# rm -fr /etc/init.d/apf /usr/local/sbin/apf /etc/apf /usr/local/cpanel/whostmgr/cgi/{apfadd,addon_add2apf.cgi}

Remove APF & Add IP to Firewall WHM Plugin

1. You should still be connected to your server via SSH. Run the following commands (highlighted in red) to add your WHM IP to the firewall:

   [email protected] [~]# yum -y remove apf-ded whm-addip

2. Run this command:

   [email protected] [~]# rm -rf /usr/local/cpanel/whostmgr/cgi/apfadd

3. Then, this command:

   [email protected] [~]# rm -f /usr/local/cpanel/whostmgr/cgi/addon_add2apf.cgi

4. Run this command to open the “pluginscache.yaml” file in the editor:

   [email protected] [~]# nano /var/cpanel/pluginscache.yaml

   If you see something similar to the following, remove all the lines except for the uniquekey one.

   –
   acllist:
   – create-acct
   cgi: addon_add2apf.cgi
   icon: ”
   showname: Add IP to Firewall
   tagname: ”
   target: mainFrame
   uniquekey: add_ip_to_firewall

• Hit Ctrl+o on the keyboard, then the Enter key to save changes.
• Hit Ctrl+x on the keyboard to exit the nano editor.

Installing CSF

1. Log into your server via SSH
2. Run the following command (highlighted in red) in your shell instance:

   [email protected] [~]# yum install -y csf-ded

3. Then be sure to start it:

   [email protected] [~]# service csf start

4. Update the WHM plugin (ConfigServer Security & Firewall), by running the following commands (highlighted in red) one at a time in your shell instance:

   [email protected] [~]# wget https://download.configserver.com/csupdate

   [email protected] [~]# yum install dos2unix

   [email protected] [~]# dos2unix csupdate

   [email protected] [~]# chmod +x csupdate

   [email protected] [~]# ./csupdate

Additional CSF Settings

Steps when using Custom Nameservers

1. You should still be connected to your server via SSH.
2. Run the following command (highlighted in red) in your shell instance:

   [email protected] [~]# nano /etc/csf/csf.conf

3. Find the “UDP_IN” line and add 53. The line should look like this when you are finished:

   UDP_IN = “20,21,53”

4. Check the “TCP_IN” line and ensure it also includes 53. It should look like this:

   TCP_IN = “20,21,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,587,30000:35000”

5. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
6. Hit Ctrl+x on the keyboard to exit the nano editor.

Providing Reseller Rights

By default, only the root user has rights to edit the firewall rules. If you want to allow reseller (cPanel) users to edit the CSF rules, follow this section.

1. Log into your server via SSH.
2. Run this command (highlighted in red) to open the csf.resellers file in an editor:

   [email protected] [~]# nano /etc/csf/csf.conf

3. Add the following line to the file, but be sure to replace “userna5” with the actual cPanel username:

   userna5:0:USE,ALLOW,DENY,UNBLOCK

4. Hit Ctrl+o on the keyboard, then the Enter key to save changes.
5. Hit Ctrl+x on the keyboard to exit the nano editor.
6. Restart CSF by running the following command:

   [email protected] [~]# service csf restart

7. Login to WHM as the root user, click Edit Reseller Nameservers and Privileges.
8. Choose the user you want to give CSF privileges to, then click the Submit button.
9. Find and check the box for ConfigServer Security & Firewall (Reseller UI).

Optional: Turn on Brute Force Monitoring

1. Log into your server via SSH.
2. Run the following command (highlighted in red) in your shell instance:

   [email protected] [~]# sed ‘s/(LF_(PERMBLOCK|SSHD|FTPD|SMTPAUTH|POP3D|IMAPD|CPANEL) *= *”)[^”]+/11/;s/(LF_TRIGGER *= *”)[^”]+/13/’ -i /etc/csf/csf.conf

   Brute force monitoring will then be enabled.

Congratulations, now you know how to install CSF on your server!