Replacing Cloudflare with a CSF Firewall

March 8, 2021 Update: From last one year, this blog is using Bunny CDN As a full-page caching solution. That said, I still use Cloudflare with other websites. I am updating this guide with additional details and tips for enhancing security for using CSF (Configure Server Firewall) [or without] Cloudflare as a reverse proxy.

November 5th, 2018 Update: I’ve updated this article (install URL and other minor fixes/improvements). I replaced Cloudflare (check out: Cloudflare Argo) KeyCDN + Local firewall and server hardening for this blog as of June 2018. However, I do support clients that use Cloudflare and still highly recommend it.

2017 Update: With the recent Cloudflare “Cloudbleed” data leak. You might consider deleting Cloudflare. This article (originally published three years ago) was updated and tested. I would keep Cloudflare. Please follow the URL included at the end of this blog post for more details on this issue. A lot of Personally Identifiable Information (PII) is stored by Cloudflare, so it is Recommended that everyone take immediate action and change passwords on all sites that are running behind Cloudflare. It’s always a good idea to change your passwords and change them frequently.

2016 Update: Cloudflare has matured and evolved a lot over the past three years. I highly recommend sticking with Cloudflare and using CSF to complement Cloudflare’s HTTP security. You will benefit from their global CDN, free SSL certificate, caching, and more. I am currently using Cloudflare’s Pro plan and also doing full page caching with CSF.

core item: Founder of Cloudflare Previously worked on Project Honey Pota , [ Update: Looks like Cloudflare removed mention of Project Honey Pot, which can be read here using the web archive ], [Update 2: Mention of Project Honey Pot is back.] You can read more about setting up the CSF+ Project Honey Pot below.

cloudflare is extraordinary when installed correctly, However, it is good to have a free option for those who prefer to control server security without a reverse proxy.

As such, this is a quick guide on how to install and configure CSF (Configure Server Firewall)its security plugin LFD (Login Failure Daemon)And how to set up IP filtering/blocking on your local server.

This guide applies to standalone CSF/LFD installs and more seapanel + Install CSF / LFD.

Installing CSF (Configure Server Firewall)

CSF is a top-notch server firewall with many configuration options and is simple enough to set up and configure that you can have it up and running in a matter of minutes.

It’s as easy as downloading the install file to your server and then installing it. You can install CSF with cPanel/WHM integration or just a regular installation.

The first few installation steps are the same whether it is a cPanel server or a non-cPanel server.

First go to the directory /usr/src,

cd /usr/src

Next, use wget To retrieve the CSF install code:


Now decompress the CSF install files and convert to newly created csf Directory:

tar zxf csf.tgz
cd csf

Okay, here’s what a cPanel server vs non-cPanel server install is different. If you are using cPanel, install with:


If not, you should install it with:


are also supported,,, install.interworx.shAnd,

Read the output of the script when it is installed. Once complete, you should see something similar to the following:

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall
Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding x.x.x.x to csf.allow only while in TESTING 
mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled 
- do not forget to disable it in the configuration
Installation Completed

Both the CSF and the LFD have been installed (in test mode). To get CSF out of test mode, edit the configuration with your favorite editor (or via the cPanel “Firewall Configuration” option):

vi /etc/csf/csf.conf

Then change the following:




To restart CSF to enable:

csf -r

congratulation! You have just installed CSF Firewall!

CSF Command-Line Shortcuts

csf denial list

Here are some useful command line shortcuts for working with CSF.

Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules
-r, --restart       Restart firewall rules
-a, --add ip        Add an IP address to be whitelisted to /etc/csf.allow
-d, --deny ip       Add an IP address to be blocked to /etc/csf.deny
-dr, --denyrm ip    Remove and unblock an IP address in /etc/csf.deny
-c, --check         Checks for updates to csf+lfd but does not perform an upgrade
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temporary IP bans and their TTL
-tr, --temprm ip    Remove an IP address from the temporary IP ban list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP address to the temporary IP ban list. ttl is how
                    long to blocks for in seconds. Optional port. Optional
                    direction of block can be one of in, out or inout. Default
                    is in
-tf, --tempf        Flush all IP addresses from the temporary IP ban list
-u, --update        Checks for updates to csf+lfd and performs an upgrade if
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

For example, to block an IP, you can use: csf -d IPADDRESS, You can read about and fine-tune all the settings by editing /etc/csf/csf.conf. For cPanel, you can edit WHM under the “Plugins” area. See more:

To change [or Complement] Cloudflare with CSF

cloudflare is An American web infrastructure and website security company Which provides content delivery network (CDN) services, DDoS mitigation, and distributed domain name server services. Cloudflare blocks the IP before it hits your website/server. To be clear, CSF can’t replace all of Cloudflare’s features and many capabilities. However, for many people, CSF and a good CDN work together for thousands of websites. To others, Cloudflare is a godsend. CSF and Cloudflare are similar in that they both use IP lists, like Project Honey PotThe web’s largest community tracking online fraud abuse project, and other similar organizations that provide regularly updated IP-block lists.

csf ip block lists

This feature allows CSF to download a list of IP addresses and CIDRs from time to time from published block or blacklist providers. The file that controls this is: /etc/csf/csf.blocklists, cPanel can also configure IP Blocklist using its UI.

To use a line starting with the name of the rule, uncomment it (read the instructions above csf.blocklists file), then restart CSF.

Blocklists that can be enabled include those provided by,,,,,,,, stopforumspam.comAnd,

Necessary: Some of these lists can be very long – many thousands of IP addresses – and can cause serious network and performance problems if you try to load all the IPs. Therefore, it is recommended that you set a value for “MAX”. for example:


Each URL is scanned for one IPv4/CIDR address per line, then, if found, it is blocked. (up to the maximum # of IPs you set).

here’s what my file looks like (updated March 2021),

# Do not remove or change this line as it is a safeguard for the UI editor
# Copyright 2006-2018, Way to the Web Limited
# URL: 
# Email:
# This file contains definitions to IP BLOCK lists.
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 25 characters - this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
# Note: Some of these lists may be very long and could cause serious network
# and/or performance issues unless you are using LF_IPSET in csf, so setting a
# value for the MAX field should be considered
# After making any changes to this file you must restart csf and then lfd
# If you want to redownload a blocklist you must first delete
# /var/lib/csf/csf.block.NAME and then restart csf and then lfd
# Each URL is scanned for an IP/CIDR address per line and if found is blocked
# The downloaded list can be a zip file. The zip file MUST only contain a
# single text file of a single IP/CIDR per line
# Note: CXS_ is a reserved prefix for the blocklist name and MUST NOT be used

# Spamhaus Extended DROP List (EDROP)
# Details: 

# Recommended Block List
# Details: 

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: 

# BOGON list
# Details: 

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: 

# C.I. Army Malicious IP List
# Details: 

# BruteForceBlocker IP List
# Details: 

# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: 
# This first list only retrieves the IP addresses added in the last hour
# This second list retrieves all the IP addresses added in the last 48 hours
# and is usually a very large list (over 10000 entries), so be sure that you
# have the resources available to use it

# GreenSnow Hack List
# Details: 

CSF Port Flood Settings

Under this section of CSF, you will find SYN flood protection, connection boundary protection, port flood protection and outgoing UDP flood protection. Here are some suggested configurations:


SYN flooding configures iptables to provide some protection against TCP SYN packet DOS attempts. This option should only be enabled if you know you are under a SYN flood attack as it will slow down all new connections from any IP address to the server when triggered.

CONNLIMIT = "22;5,80;20,443;20"

Connection Limit Protection configures iptables to provide greater protection against DOS attacks against specific ports. It can also be used as a way to limit resource usage by IP address only for specific server services. This option limits the number of concurrent new connections per IP address that can be made on specific ports.

PORTFLOOD = "22;tcp;5;300,80;tcp;20;5,443;tcp;20;5"

Port Flood Protection configures iptables to provide protection against DoS attacks against specific ports. This option limits the number of new connections per time interval that can be made on a specific port.


Outgoing UDP Flood Protection limits outbound UDP packet flooding. These usually result from exploit scripts uploaded via vulnerable web scripts.

Read more about configuring these settings,

CSF Cloudflare Integration

this section of /etc/csf/csf.conf Provides interaction with Cloudflare Firewall. Cloudflare is a reverse proxy, and as such, attacking IP addresses would appear to be coming from Cloudflare’s own IP (or at least iptables). read to solve it Restoring Original Visitor IP: Logging Visitor IP Addresses,

Cloudflare offers a Firewall API Feature Where rules can be added to block, challenge or whitelist IP addresses.

CSF Connection Tracking

Connection tracking enables the tracking of all connections from the IP address to the server. If the total number of connections exceeds this value, the offending IP address is blocked. It can be used to help prevent some types of DOS attack. Start less aggressively when setting this up to avoid false positives. For a server that is prone to DoS attacks, this can be quite useful.

CT_LIMIT = "500"

CSF Process Tracking

Process tracking enables tracking of the user and their process and checks for any suspicious executables or open network ports. If a suspicious process is found, an alert email is sent with the relevant information. Allows you to check the process.

PT_LIMIT = "300"

CSF Port Scan Tracking

Port scan tracking tracks port blocks logged by iptables to Syslog. If an IP address generates a port block that is logged more than PS_LIMIT Inside PS_INTERVAL Seconds, the IP address will be blocked.

For example, port scan tracking can be used to prevent hackers from trying to access a standard SSH port if you’ve moved it to a port other than 22 and removed 22. TCP_IN List so that connection attempts to the old port are being logged.

PS_LIMIT = "10"

This Some Features of Config Server Firewall,


Config Server Firewall is a free and mature firewall. In addition, firewall features CSF also includes other security features, such as brute-force attack protection, DDOS, port scanning abuse, and more.

As a reminder, CSF does not improve your page load speed, reduce server load, provide a CDN, or provide many Cloudflare-specific features. Still, if for some reason you don’t want to use Cloudflare, this is an alternative firewall for you. If you decide you’re not going to use a CDN for whatever reason, you should also read my article: 25 Best CDN Providers.

For added security, you can also use additional tools or services, such as mode protection And Juice, or, instead of csf+lfd, you can use APF , bfd, there too, Imunify360, shadow daemonand others.

Leave a Comment