Config Server Firewall (CSF) is a firewall application suite for Linux servers. CSF also provides login/intrusion detection for applications like SSH, SMTP, IMAP, POP3, the “su” command and many more. For example, CSF can detect when someone logs into the server via SSH and alert you when this user tries to use the “su” command on the server to get higher privileges. It also checks for login authentication failures on mail servers (Exim, IMAP, Dovecot, uw-imap, Kerio), OpenSSH servers, FTP servers (Pure-ftpd, vsftpd, Proftpd) and cPanel servers, so it can replace software like fail2ban. CSF is a good security solution for hosting servers and can be integrated into the user interface (UI) of WHM/cPanel, DirectAdmin, and Webmin.

CSF dependencies

yum install wget vim perl-libwww-perl.noarch perl-Time-HiRes

Install CSF


Extract the tar.gz file and go to the csf directory, then install it:

tar -xzf csf.tgz
cd csf

Configure CSF

Before stepping into the CSF configuration process, the first thing you must know is that CentOS 7 has a default firewall application called “firewalld”. You have to stop firewalld and remove it from startup.

Stop firewalld:

systemctl stop firewalld

Disable/Remove firewalld from startup:

systemctl disable firewalld

Go to the CSF Configuration directory “/etc/csf/” and edit the file “csf.conf” with the vim editor:

cd /etc/csf/
vim csf.conf

Change “TESTING” to “0” to apply the firewall configuration.


By default, CSF allows incoming and outgoing traffic for the standard SSH port 22. If you use a different SSH port, add your port to “TCP_IN” in line 139 of the configuration.
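
A pre-flight check for the two settings above, as an added example that is not part of the original tutorial or of CSF itself. The function names are hypothetical, the sample files are constructed, and on a real server you would pass /etc/csf/csf.conf and your sshd_config (assumed to be /etc/ssh/sshd_config) to check_csf before starting CSF.

```shell
#!/bin/sh
# Added example: pre-flight check before "csf -s" / "systemctl start csf".

# Print the quoted value of KEY from a csf.conf-style file (KEY = "value").
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print the Port set in an sshd_config-style file; sshd defaults to 22.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Succeed if PORT ($1) is in the comma-separated LIST ($2), either as a
# single port or inside a low:high range as csf.conf writes them.
port_in_list() {
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 + 0 == p + 0                    { found = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { found = 1 }
        END { exit !found }'
}

# Report problems in CONF ($1) given SSHD_CONFIG ($2); return 0 if none.
check_csf() {
    conf=$1 sshd=$2 rc=0
    ssh_port=$(sshd_port "$sshd")
    if [ "$(conf_value TESTING "$conf")" != "0" ]; then
        echo "TESTING is not \"0\": firewall configuration is not applied"
        rc=1
    fi
    if ! port_in_list "$ssh_port" "$(conf_value TCP_IN "$conf")"; then
        echo "SSH port $ssh_port is missing from TCP_IN"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files: sshd moved to port 2222, csf.conf not yet edited.
sample=$(mktemp -d)
printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,80,443"\n' > "$sample/csf.conf"
printf '#Port 22\nPort 2222\n' > "$sample/sshd_config"
check_csf "$sample/csf.conf" "$sample/sshd_config" || echo "edit csf.conf first"
```

Running the check from the existing SSH session before starting CSF catches a missing custom port while you can still fix it.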

Now start CSF and LFD with:

CentOS 5/6:

service csf start
service lfd start


CentOS 7:

systemctl start csf
systemctl start lfd

And then enable the csf and lfd services to be started at boot time:

CentOS 5/6:

chkconfig csf on
chkconfig lfd on

CentOS 7:

systemctl enable csf
systemctl enable lfd

Now you can list the default CSF rules with the command:

csf -l

Basic CSF Commands

1. Start the firewall (enable the firewall rules):

csf -s

2. Flush/Stop the firewall rules:

csf -f

3. Reload the firewall rules:

csf -r

4. Allow an IP and add it to csf.allow (replace IP_ADDRESS with the address to allow):

csf -a IP_ADDRESS