CSF, A Powerful and Easy to Control Firewall for Linux Servers

ConfigServer Security & Firewall, commonly known as CSF, is one of the most popular firewall tools on Linux servers. It is developed by ConfigServer Services and works as an intelligent management layer for iptables, combined with a login intrusion detection system through LFD.

With CSF, you do more than just open and close ports. You can automatically block IP addresses that show suspicious behavior such as SSH brute force attempts, email spam activity, or excessive connections to the server.

Below is a step by step guide to installing and using CSF with detailed commands.

Step 1: Prepare the System Before Installing CSF

Log in to your server as root via SSH.

Update the system first:

yum update -y

Install required packages for CSF:

yum install perl-libwww-perl perl-Time-HiRes -y

On AlmaLinux or Rocky Linux, you can use yum or dnf in the same way.

Step 2: Download and Install CSF

Move to a source directory:

cd /usr/src

Download the CSF package from the official site:

wget https://download.configserver.com/csf.tgz

Extract it:

tar -xzf csf.tgz
cd csf

Run the installation script:

sh install.sh

After installation, check iptables compatibility:

perl /usr/local/csf/bin/csftest.pl

If most tests return OK, your system is compatible with CSF.

Step 3: Basic Configuration Before Enabling the Firewall

The main configuration file is /etc/csf/csf.conf. Open it in an editor:

nano /etc/csf/csf.conf

Find the line:

TESTING = "1"

Keep this value for now so CSF runs in testing mode and does not actually block traffic.

Open SSH Port

Find the line:

TCP_IN =

Add your SSH port, for example the default 22:

TCP_IN = "22,80,443"

Ports 80 and 443 are for web traffic. Add other service ports later if needed.

Do the same for outgoing connections:

TCP_OUT = "22,80,443"

Save and exit.

Step 4: Start CSF in Testing Mode

Run:

csf -r

This reloads all firewall rules.

Check CSF status by listing the loaded iptables rules:

csf -l

At this stage, CSF only logs activity and does not block because TESTING mode is still enabled.

Step 5: Enable Full Protection Mode

After confirming you can still access the server via SSH, edit the config again:

nano /etc/csf/csf.conf

Change:

TESTING = "0"

Save and reload:

csf -r

From now on, CSF will actively block IP addresses.
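
A lockout check to run before changing TESTING to "0" as described in Steps 3 to 5, added here as an example and not part of CSF or the original guide. It confirms the SSH port is covered by TCP_IN (including CSF's colon port ranges) and warns when the management IP from Step 8 has no csf.allow entry. The function names are hypothetical and the sample files are constructed.

```sh
#!/bin/sh
# Added example: lockout check to run before setting TESTING = "0".
# Function names are hypothetical helpers, not part of CSF.

# Print the value of KEY from a csf.conf-style file (KEY = "value").
conf_value() {
    awk -F'"' -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*=[ \t]*$") { v = $2 } END { print v }' "$1"
}

# Succeed if PORT is covered by a CSF port list such as "22,80,30000:35000".
port_allowed() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *:*) [ "$2" -ge "${item%%:*}" ] && [ "$2" -le "${item##*:}" ] && return 0 ;;
            *)   [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Succeed if IP has a plain entry ("1.2.3.4 # comment") in a csf.allow-style file.
allow_has_ip() {
    awk -v ip="$2" '{ sub(/#.*/, ""); if ($1 == ip) found = 1 } END { exit !found }' "$1"
}

# preflight CONF SSH_PORT ALLOW_FILE MGMT_IP
# Fails if the SSH port is missing from TCP_IN; warns if MGMT_IP is not whitelisted.
preflight() {
    tcp_in=$(conf_value "$1" TCP_IN)
    echo "TESTING=$(conf_value "$1" TESTING) TCP_IN=$tcp_in"
    if ! port_allowed "$tcp_in" "$2"; then
        echo "FAIL: SSH port $2 is not in TCP_IN, keep TESTING at 1" >&2
        return 1
    fi
    allow_has_ip "$3" "$4" || echo "WARN: $4 has no entry in $3" >&2
    echo "OK: SSH port $2 is open in TCP_IN"
}

# Offline demo on constructed files (not a real server's configuration).
# On a server: preflight /etc/csf/csf.conf "$(sshd -T | awk '/^port /{print $2; exit}')" /etc/csf/csf.allow YOUR_IP
demo=$(mktemp -d)
printf 'TESTING = "1"\nTCP_IN = "80,443,30000:35000"\n' > "$demo/csf.conf"
printf '1.2.3.4 # My office IP\n' > "$demo/csf.allow"
preflight "$demo/csf.conf" 22 "$demo/csf.allow" 1.2.3.4 || echo "demo: port 22 would be locked out"
preflight "$demo/csf.conf" 30022 "$demo/csf.allow" 5.6.7.8
rm -rf "$demo"
```

A non-zero exit status from preflight means the SSH port is not open in TCP_IN, so fix the list and reload before disabling testing mode.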

Step 6: Check and Manage Blocked IPs

Search for a specific IP:

csf -g 1.2.3.4

Replace 1.2.3.4 with the IP you want to check.

List temporary blocks:

csf -t

Manually block an IP:

csf -d 1.2.3.4 "Manual block"

Remove a block:

csf -dr 1.2.3.4

Step 7: Monitor Attack Logs

LFD writes its log to /var/log/lfd.log. Follow it with:

tail -f /var/log/lfd.log

You will see entries about IPs being blocked due to SSH login failures, port scans, or unusual mail activity.

CSF related system logs can be viewed with:

tail -f /var/log/messages

Or on some systems:

tail -f /var/log/syslog

Step 8: Whitelist Your Management IP

Open the allow file:

nano /etc/csf/csf.allow

Add your IP:

1.2.3.4 # My office IP

Save and reload:

csf -r

Step 9: Make Sure LFD Is Running

LFD is responsible for automatic attack detection.

Check the process:

ps aux | grep lfd

Or via systemd:

systemctl status lfd

If it is not running:

systemctl start lfd
systemctl enable lfd

Step 10: Simulate an Attack to Test Protection

From another machine, intentionally enter the wrong SSH password multiple times. After exceeding the configured limit, that IP should be blocked.

Watch the log:

tail -f /var/log/lfd.log

You should see your test IP being blocked, confirming CSF is actively protecting the server.

CSF is a highly practical tool

CSF is a highly practical tool if you want strong operating system level protection without manually writing complex iptables rules. With just a few installation steps and basic tuning, you can block most common brute force attempts, port scans, and suspicious access to your server.

More importantly, by watching CSF and LFD logs, you gain real insight into how your server is being attacked every day. That knowledge is extremely valuable for anyone managing VPS or Linux systems long term.