Config Server Firewall (popularly known as CSF) is a free and open source firewall application suite for most Linux distributions and Linux based Virtual Private Servers (VPS). It provides the basic functionality of a firewall – filtering packets while also providing additional security to your server.

It includes features such as login/intrusion/flood detection, easy user interface while integrating with cPanel, Webmin and Direct Admin. It can recognize the different types of server attacks including SYN flood, port scan, DOS and brute force. It detects and temporarily block attackers of the server. In this guide, we will show you how to configure CSF on your CentOS and Ubuntu Cloudwafer server.

By default, all Cloudwafer servers are pre-installed with CSF thereby providing the extra layer of security from the point of purchase.

To verify whether all of the required firewall modules are available or not, type the following
perl /usr/local/csf/bin/

Everything should be fine and you should get the following output:
perl test

Configure CSF

The default CSF configuration file csf.conf is located in the /etc/csf directory. Type the command below to enter this directory.
nano /etc/csf/csf.conf

Configuring Ports

Certain ports are opened by default, and considering you are not using all these ports, you can close off those ports. The ports opened by default are shown below:

The services using the open ports:
Port 20: FTP data transfer
Port 21: FTP control
Port 22: Secure shell (SSH)
Port 25: Simple mail transfer protocol (SMTP)
Port 53: Domain name system (DNS)
Port 80: Hypertext transfer protocol (HTTP)
Port 110: Post office protocol v3 (POP3)
Port 113: Authentication service/identification protocol
Port 123: Network time protocol (NTP)
Port 143: Internet message access protocol (IMAP)
Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
Port 465: URL Rendesvous Directory for SSM (Cisco)
Port 587: E-mail message submission (SMTP)
Port 993: Internet message access protocol over SSL (IMAPS)
Port 995: Post office protocol 3 over TLS/SSL (POP3S)

The ports most needed at any time on any server are:
TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UPD_IN: 53
UPD_OUT: 53,113,123

After changing the settings in csf.conf, you should save the files and restart CSF for the changes to take effect with this command:
csf -r

Blocking and Allowing IP Addresses

CSF allows you to carry out one of the most basic features of a firewall – blocking and allowing certain IP addresses. It also has the option to ignore IP addresses. This is done by editing the configuration files of csf.deny, csf.allow and csf.ignore.

Blocking IP addresses

If you would like to block an IP address or range, open csf.deny with the command below:
nano /etc/csf/csf.deny

Below is the default csf.deny file as it contains no entries.

To block a specific IP address, add it to the file:
- To block a range of IP addresses, add the IP followed by the CIDR Value

You can also deny a specific IP and a range of IP addresses without opening the csf.deny file but by running the commands below:
csf -d

csf -dr

Allowing IP addresses

Allowing IP addresses is done in the same way as blocking addresses with one major difference. The file to be edited here is the csf.allow file opened with the command below:

nano /etc/csf/csf.allow

Below is the default csf.allow file as it contains no entries.

You can also allow a specific IP and a range of IP addresses without opening the csf.deny file but by running the commands below:
csf -a

csf -ar

It is vital to restart the CSF daemon after making changes in order for those changes to be applied.

Note: Allowed IP addresses are allowed even if they are explicitly blocked in csf.deny file.

Additional Vital Settings: There are some other noteworthy configurations that could be done to properly secure your server.


Enabling and Disabling CSF:

To disable CSF from the command line:
csf -e

To disable CSF from the command line:
csf -x