VPS and Dedicated Hosting: ConfigServer Security and Firewall
If you are using assistive technology and are unable to read any part of the HostMonster website, or otherwise have difficulties using the HostMonster website, please call 866-573-HOST and our customer service team will assist you.
Skip to main content

HostMonster Web Hosting Help

VPS and Dedicated Hosting: ConfigServer Security and Firewall

CSF is a firewall for VPS and Dedicated servers. CSF is not installed as part of our default images on VPS or Dedicated servers; however, it is quite a popular add-on, as it greatly simplifies tasks such as opening or closing ports. Rather than having to figure out iptables command syntax, CSF offers a GUI-based approach, integrated with WHM.

Customers can either install it themselves or request to have support install it. We may also suggest its installation. While we do not provide detailed support for the application, it is one you are likely to encounter while supporting servers, so some familiarity with its operation is recommended.


We can install CSF on request. This is done as root through the command line. The commands to do so are given below for your convenience, but you should always check the manufacturer’s site for the current version. These can be found here.

cd /usr/local/src/

wget https://download.configserver.com/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

You will see Installation Completed.

cd ..

rm -Rfv csf/ csf.tgz


This will install the application and create the plugin for WHM, but it will initially be set in “Testing” mode. This can be disabled by logging into WHM, going to the Plugins » ConfigServer Security & Firewall section, clicking on the csf tab, and then in the csf -- ConfigServer Firewall, clicking on the Firewall Configuration button. Testing appears at the top, as in the screenshot below, and can be set to OFF.

ConfigServer Security and Firewall
By default, the RESTRICT_SYSLOG option is disabled, which will give a warning in the CSF control panel. This should be changed, as shown below with “3” being the recommended setting.
ConfigServer Restrict Syslog
After making the updates, you need to scroll down to the bottom, press the ‘Change’ button, and you will be prompted to “Restart csf+lfd”, completing the process of enabling CSF.

After installation and activation, it is strongly recommended to disable cPHulk, as its operation can potentially conflict with CSF. This is done in WHM > Security Center » cPHulk Brute Force Protection.


By default, the initial configuration will open up a standard set of ports, as used by cPanel and associated services. If the customer has made any changes, for example, changing SSH/SFTP to run on a port other than 22, CSF’s configuration should be updated to take account of these. Support IP addresses can also be whitelisted, to help avoid potential future issues.

CSF configuration can be done in two ways, through the WHM GUI or on the command line.

Through the GUI

As mentioned above, most configuration is done through WHM > Plugins » ConfigServer Security & Firewall > csf tab > csf -- ConfigServer Firewall section > Firewall Configuration.

This offers detailed information for each section about its purpose and potential settings. The most commonly accessed section is the one which sets the open or closed ports:
ConfigServer Security and Firewall

You can add, delete or change ports, in- or out-bound, by editing the list, separating each with a comma. A range of ports to be opened can be specified by separating them with a colon, e.g. 49152:65534.
After making changes, update the configuration file using the ‘Change’ button and restart csf/lfd, as discussed above.
However, IP addresses can be blocked, unblocked or whitelisted “on the fly”, directly from the csf tab, as below. You can also search for an IP address and see if it has been blocked by CSF.
ConfigServer Quick Actions and Firewall

A little further down, you can find ‘Firewall Enable’ and ‘Firewall Disable’ options, which allow you to turn on and off CSF monitoring.

Using the Command Line

The configuration files for CSF live in /etc/csf, and can be edited manually, using your tool of choice. The main ones to know are:

  • csf.conf -- the main configuration file
  • cff.allow -- a list of IPs that should always be allowed through the firewall
  • csf.deny -- a list of IPs that should never be allowed through the firewall
  • csf.ignore -- a list of IPs that lfd should ignore and not block if detected

Note: after making changes to these by direct editing of the configuration files, it is typically necessary to reload CSF, so that the new settings get picked up. This can be done by running the following command as root:

csf -r

Useful Commands

Many functions of CSF can be carried out from the command line, saving you the need to log in to WHM. Here are some of the most common ones.

  • csf -e -- Enable CSF
  • csf -x -- Disable CSF. This is especially useful as it can be run through the HAL command line, and can help us get on to the server if support IPs have been blocked by CSF.
  • csf -s -- Start the firewall rules
  • csf -f -- Flush/Stop firewall rules
  • csf -r -- Restart or reload the firewall rules
  • csf -a [Optional comment] -- Allow IP and add to /etc/csf/csf.allow
  • csf -td [Optional comment] -- Place IP on the temporary deny list
  • csf -tr -- Remove IP from the temporary IP ban csf -tf -- Flush all IPs from the temporary IP entries
  • csf -d [Optional comment] -- Deny IP and add to /etc/csf/csf.deny
  • csf -dr -- Unblock IP and remove from /etc/csf/csf.deny
  • csf -df -- Remove and unblock all entries in /etc/csf/csf.deny
  • csf -g -- Search the iptables rules for a match (e.g. IP, CIDR, Port Number)
  • csf -t -- Displays the current list of temporary allow and deny IP entries with their TTL and comments

Common Questions

What is the difference between “allow” and “ignore”?

Allowing an IP will mean it should always be let through the firewall. Ignoring an IP means it won’t get blocked if it is detected, for example, if there are multiple failed login attempts from it. Both allowing and ignoring an IP you want to permit is the safest bet.

Can IP ranges be blocked?

Yes. This can be done through the GUI or command line, but in both cases, the range needs to be specified in CIDR format. For example, to block the range from through to, you must input it into the system as

Knowledgebase Article 80,388 views bookmark tags: configserver csf dedicated firewall security vps

Was this resource helpful?

Did this resolve your issue?

Please add any other comments or suggestions about this content:

Recommended Help Content

VPS and Dedicated servers come with all applications necessary to run a standard web and email server. The applications that come with the VPS and Dedicated servers are generally supported as-is by our support technicians.

This article will explain how-to enable FTP on a newly provisioned VPS or Dedicated cPanel server. Since FTP is an unsecured connection point to the server, cPanel has it disabled by default in version 11.86 or prior.
Knowledgebase Article 34,297 views tags: dedicated file ftp root server transfer vps

How to install Java in a dedicated server.
Knowledgebase Article 170,279 views tags: dedicated install java server yum

Related Help Content

VPS and Dedicated customers with servers running the CentOS 6 operating system will not be able to upgrade cPanel past version 86. The cPanel team will still support CentOS 6 with cPanel 86 until March 31st, 2021.
Knowledgebase Article 98,104 views tags: centos cpanel dedicated hosting private server upgrade virtual vps

How to setup name servers for multiple cPanel accounts.
Knowledgebase Article 269,266 views tags: accounts custom dedicated multi multiple nameservers server servers

This is a tutorial on how to install Git onto the server.
Knowledgebase Article 193,940 views tags: dedicated git install server yum

If you need to transfer or restore a cPanel account for your VPS or Dedicated server, there is a tool within the WHM panel to perform these tasks. This article is about transferring or restoring from another server or restoring after a re-image.
Knowledgebase Article 79,130 views tags: backup cpanel dedicated hosting restore server transfer vps

This article will explain how and when to contact SiteLock for support.
Knowledgebase Article 136,612 views tags: security sitelock support

How to protect your Dedicated Server using cPHulk
Knowledgebase Article 138,347 views tags: dedicated security whm

This article will explain some common causes for 500 errors on Dedicated or V.P.S servers.
Knowledgebase Article 123,927 views tags: dedi dedicated error server vps

How to manage the SSL used for cPanel login through the WHM
Knowledgebase Article 214,838 views tags: cpanel dedicated install login manage server ssl

This site utilizes JavaScript to function correctly. Looks like it's disabled on your browser. Please enable it for your best experience.

For instructions on enabling JavaScript, click here