Replacing Cloudflare with CSF Firewall – Install Guide

Cloudflare can be useful, however its nice to have an alternative for those, like myself, who prefer to know what takes place in the background. As such, this is a quick guide on how to install and configure CSF (Firewall), its security plugin LFD (Login Failure Daemon) and how to setup similar IP filtering/blocking that’s used by CloudFlare. This guide applies to cPanel but the instructions can also be used for standalone CSF/LFD installs.

CSF is a top notch server firewall with many configuration options, but is simple enough to install and configure that you can have it running in just a few minutes.

Installing CSF (ConfigServer Firewall)

This is simple as downloading the source file to your server then installing it. CSF can be installed with cPanel/WHM integration or just regular install. The first few installation steps are the same whether it is a cPanel server or a non-cPanel server.

Create or go to a temporary directory (/tmp or /home/tmp) for example:

Next use ‘wget’ to retrieve CSF install code:

Now decompress the CSF install files and change directories to the newly created ‘csf’ directory:

Ok, here is where the cPanel server or non-cPanel server install differ…

If you’re using cPanel then use:

If not, you should install with:

Read the output of the script as it installs. Once complete, you should see something similar to the following:

Not that both CSF and LFD has been installed (in TESTING mode).

To start CSF, use:

If the service starts without error, make sure to take CSF out of testing mode by changing the setting in csf.conf. To do this, edit the configuration with your favorite editor (or via cPanel “Firewall Configuration” option):

then change…




Restart CSF to fully enable…

Congratulations! You’ve just installed CSF Firewall!

Here’s what CSF help looks like:

For example to block an IP use: csf -d IPADDRESS

You can read about and fine-tune all settings by editing /etc/csf/csf.conf.

For cPanel you can edit from WHM under the “Plugins” area.

Also see:

Using CSF as Cloudflare replacement

Cloudflare blocks a lot of IPs even before they hit your website/server. This is done via IP lists. For example  Project Honey Pot, the Web’s Largest Community Tracking Online Fraud & Abuse project. They provide regularly updated IP block lists.

CSF IP Block Lists – This feature allows csf/lfd to periodically download lists of IP addresses and CIDRs from published block or black lists. It is controlled by the file: /etc/csf/csf.blocklists. The IP Block lists can also be configured via cPanel.

Simply uncomment the line starting with the rule name to use it (read instructions at the top of the csf.blocklists file), then restart csf/lfd.

The blocklists that can be enabled include:

      • Spamhaus
      • DShield
      • TOR
      • BOGON
      • Project Honeypot
      • BruteForceBlocker
      • Emerging Threats – Russian Business Networks List
      • 30 day List
      • Autoshun Shun List
      • MaxMind GeoIP Anonymous Proxies
      • C.I. Army Malicious IP List

IMPORTANT: Some of these lists can be very long – hundreds even thousands of IP addresses – and could cause serious network and/or performance issues, so I recommend that you set a value for the MAX field.

Each URL is scanned for an IPv4/CIDR address per line and if found is blocked… up to the max # of IPs you choose.

Here’s what my file looks like:

Note the founders of Cloudflare previously worked on the Project Honey Pot. So at the very least enable that one. ;)

For added security you’ll need other tools, for example ModSecurity. Also, this does NOT make your website faster, provide CDN or any of the Cloudflare specific security features. However, if you don’t want Cloudflare in front of your server’s traffic, then this is an alternative starting point.


Replacing Cloudflare with CSF Firewall – Install Guide

2 Responses

  1. We released a bash script quite recently that automatically updates the banned ip list on Cloudflare from the behaviors and settings defined in CSF. The script is free and is open to inspection prior to implementation.

    Kind Regards

    Flarewall March 29, 2014 at 6:58 pm #
  2. We’ve been using the combination of CSF+Mod_Security+Giant custom ruleset for a few years and recently started using CloudFlare on some of our high-traffic sites.
    CloudFlare is great for speeding up the websites with it’s CDN and Minify options, but the security control is very week compared to CSF+Mod_Security. The trouble is that our tests show that some of the sites load as much as 6x faster with CloudFlare, so we don’t want to give it up!
    We are now using both.. Mod_Cloudflare allows you to see the real remote-IP’s of visitors and Mod_Security hits, but the CSF blocks still dont apply to the Coudflare enabled sites (but, still protects all the other sites on the server from that threat)..
    We also tried Flarewall to use the CloudFlare API to feed CSF blocked IP’s the CloudFlare blocklist.. The only problem with that is that free CloudFlare accounts have a limit of 200 IP blocks.. Our busiest website used that up in about 2 hours. After that, Flarewall is pointless/useless unless you manually purge your Cloudflare blocklist and start over.. or pay for a premium account..

    Randy Brown April 4, 2014 at 11:41 pm #

Leave a Reply