How to work with the CSF plugin

ConfigServer provides the free WHM plugin CSF, which allows you to modify your iptables rules within WHM. It is a stateful packet inspection (SPI) firewall, login and intrusion detection mechanism, and general security application for Linux servers.

We strongly recommend having this plugin installed and enabled in order to have at least a minimal required level of protection against brute-force, DDoS and other kinds of attacks. For the full list of features, check the official page.


You can only install CSF via the Command Line Interface e.g., SSH access. In CLI when logged in as a root, run the following commands:

cd /usr/src
rm -fv csf.tgz
tar -xzf csf.tgz
cd csf

You should see the Installation Completed message in the end:

csf 1

Now in order to enable CSF, proceed to WHM > Plugins section > ConfigServer Security & Firewall.

Right after the installation the Test mode will be enabled which means that the firewall is not fully active yet:

csf 2

In order to enable it, you must confirm the current configuration via the Firewall Configuration menu:

csf 3

Set the TESTING field at the very top to 0:

csf 4

Once done, click Change in the very bottom of the page:

csf 5

After that, restart CSF by clicking on Restart csf+lfd:

csf 6

You should now see the Firewall Status: Enabled and Running message:

csf 7

Managing firewall rules

CSF has a lot of various features, we will discuss the most common used ones.

Manually blocking IP addresses

In order to block an IP address from accessing the server use the Quick Deny option:

csf 8

We suggest adding comments to all manual blocks in order to ease the troubleshooting process of firewall-related issues in the future.

Manually whitelisting IP addresses

If you want to whitelist any IP address on the server to prevent it from being blocked, use the Quick Allow option:

csf 9
csf 10

NOTE: You can also whitelist/blacklist full networks in the correct CIDR format. For example, adding to the allow list will whitelist all IPs starting from till

Checking IP status in the firewall

If you suspect that some IP address is blocked in the firewall, you can check it in the Search IP field:

csf 11

Any allowing or blocking rules for this IP address will be shown if such exists.
For example, the block we have set earlier looks like this:

csf 12

NOTE: You can instantly unblock an IP address at the same page by clicking on the padlock icon next to it.

Opening ports

In order to open a TCP or UDP port on your server go to Firewall configuration and locate TPC_IN/OUT and UDP_IN/OUT lines, after that add the port to the corresponding field after the comma.

For example, if you want to open port 3306 for inbound connections to your MySQL database, just add 3306 to TPC_IN field:

csf 13

Click Change at the bottom of the page and restart CSF for the changes to take effect.

Disabling email notifications

In order to disable email notifications, go to Firewall configuration and turn off the following options: LF_SSH_EMAIL_ALERT, LF_SU_EMAIL_ALERT, LF_WEBMIN_EMAIL_ALERT, LF_CONSOLE_EMAIL_ALERT, LF_CPANEL_ALERT:

csf emails 1

Click Change at the bottom of the page and restart CSF for the changes to take effect. It is also possible to do the same by editing etc/csf/csf.conf file through SSH. Just add the following lines to the file, save and restart csf:


For more information about other CSF features feel free to check the official usage guide.

That’s it!