How To Install, Configure & Commands for CSF SSH CentOS

Securing firewall

If you're fairly new at using CSF (Config Server Firewall) or even if you are not, its useful to have all the commands at hand to use should you need to make any changes.

In this guide we'll show you how to install CSF on CentOS if you haven't done so already, basic configuration and the commands used within SSH. CentOS 7 can also be used.


Download SSH client

If you're a complete beginner you'll be thinking, what is SSH and how do I access it? SSH is easy to access and requires you to have a programme such as Putty that allows you to connect.

To connect via SSH you'll need the following:

  • Your IP address or server hostname.
  • The root username.
  • The root password.

  • Installing CSF

    If you haven't got CSF but would like to install it to make your server more secure, just type in the following:

    If you are starting with a clean operating system install, you will need to install wget, which will fetch the required files.

    yum -y install wget

    After wget has been installed go to the /usr/src directory, this is where CSF (Config File Server) will be installed.

    cd /usr/src/

    Next, we will use the wget command to fetch the software so we can install it.


    We will then use the tar command to extract the tar.gz file.

    tar -xzf csf.tgzcd csfsh

    You should then have a message once its completed that Config File Server has successfully installed.

    Lets test to see if it is working properly, if you've not installed PERL you'll need to do this to check its working properly.

    yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

    Now copy the text to see if it is fully working.

    perl /usr/local/csf/bin/

    You should have an output which looks something like this:

    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK

    RESULT: csf should function on this server.

    CSF is now installed.

    Configuring CSF

    Now that you've installed Config File Server by default its disabled so we'll need to enable this, lets go to the CSF directory.

    cd /etc/csf

    You can now view all the files within the directory using the dir command.

    We are going to edit the csf.conf file using vim or nano, you can also install one of these text editors using any of the commands:

    yum install nano or yum install vim

    Once installed type nano or vim followed by csf.conf

    nano csf.conf
    vim csf.conf

    This is the main file to make any changes to the firewall, to enable the firewall change TESTING from 1 to 0.


    Once you've completed setting the firewall rules, save and exit then restart CSF to implement the new rules.

    csf -r

    We would also recommend adding your IP to csf.ignore and csf.allow so it doesn't get blocked.

    CSF commands cheat sheet

    Command Description Example
    csf -e Enable CSF root@server[~]#csf -e
    csf -x Disable CSF root@server[~]#csf -x
    csf -s Start firewall rules root@server[~]#csf -s
    csf -f Flush & Stop firewall rules root@server[~]#csf -f
    csf -r Restart the firewall rules root@server[~]#csf -r
    csf -a [IP] [Optional comment] Allow an ip, adds to /etc/csf/allow root@server[~]#csf -a 123.456.78.9 Business IP address
    csf -td [IP] [Optional comment] Puts IP on a temporary deny list in /var/lib/csf/csf.tempban root@server[~]#csf -td 123.456.78.9 Strange traffic patterns
    csf -tr [IP] Removes the IP from the temporary IP ban or allow list root@server[~]#csf -tr 123.456.78.9
    csf -tf [IP] Flush all IPs from the temporary IP entries root@server[~]#csf -tf 123.456.78.9
    csf -d [IP] [Optional comment] Deny an IP and add to /etc/csf/csf.deny root@server[~]#csf -tf 123.456.78.9 Brute force attacker
    csf -dr [IP] Unblock an IP and removes from /etc/csf/csf.deny root@server[~]#csf -tf 123.456.78.9
    csf -df [IP] Removes and unblocks all entries in /etc/csf/csf.deny root@server[~]#csf -df
    csf -g [IP] Searches the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number) root@server[~]#csf -g
    csf -t Displays the current list of temporary allow and deny IP entries with their TTL and comments root@server[~]#csf -t

    If you are looking for secure hosting check out our DirectAdmin web hosting packages, includes free SSL for website encryption.