Advanced configuration for the CSF to protect VPS

To configure CSF, edit the configuration file /etc/csf/csf.conf.


Then reload CSF to apply the changes:


Step 1: Configure the ports

First, decide which ports you will actually use and close all the others to harden the server.

By default, the following ports are open:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"

The services using these ports are:

Port 20: FTP data transfer
Port 21: FTP control
Port 22: Secure shell (SSH)
Port 25: Simple mail transfer protocol (SMTP)
Port 53: Domain name system (DNS)
Port 80: Hypertext transfer protocol (HTTP)
Port 110: Post office protocol v3 (POP3)
Port 113: Authentication service/identification protocol
Port 123: Network time protocol (NTP)
Port 143: Internet message access protocol (IMAP)
Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
Port 465: URL Rendezvous Directory for SSM (Cisco)
Port 587: E-mail message submission (SMTP)
Port 993: Internet message access protocol over SSL (IMAPS)
Port 995: Post office protocol 3 over TLS/SSL (POP3S)

Once you understand what each port is for, keep only the ports you need. Below are the ports to open for each service:

-On all servers:

TCP_IN: 22,53
TCP_OUT: 22,53,80,113,443
UDP_IN: 53
UDP_OUT: 53,113,123

-Web server:

TCP_IN: 80,443

If you are not using HTTPS, you can remove port 443.

-FTP server:

TCP_IN: 20,21
TCP_OUT: 20,21
UDP_IN: 20,21
UDP_OUT: 20,21

-Mail server:

TCP_IN: 25,110,143,587,993,995
TCP_OUT: 25,110

-MySQL server (if you need remote access):

TCP_IN: 3306
TCP_OUT: 3306

Note: If you are using IPv6, configure TCP6_IN, TCP6_OUT, UDP6_IN and UDP6_OUT in the same way as the IPv4 ports. For further reference, see the list of TCP and UDP ports on the wiki.
Step 2: Configure other options

Besides the ports, CSF has many more options in the configuration file. Some common ones you should know:

ICMP_IN allows ping to your server; set it to 0 to reject ping requests.

ICMP_IN_LIMIT limits the number of ping requests from one IP address in a given time. You usually do not need to change the default value (1/s).

DENY_IP_LIMIT limits the number of IP addresses blocked by CSF; when the number exceeds this limit, the oldest entries are unblocked. Keep this number reasonable, because storing too many blocked IP addresses can decrease system performance.

DENY_TEMP_IP_LIMIT is the same as above, but for temporary blocks.

LF_DAEMON enables the login failure detection daemon.

PACKET_FILTER filters invalid packets.

SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST enable protection against SYN flood attacks.

CONNLIMIT limits the number of concurrent connections to a port. For example:

CONNLIMIT = "22;5,443;20"

allows a maximum of 5 concurrent connections to port 22 and 20 connections to port 443.

PORTFLOOD limits the number of connections to a port within a given time period. For example:

PORTFLOOD = "22;tcp;5;250"

will block an IP address if it makes more than 5 connections to port 22 over TCP within 250 seconds. The block is automatically removed 250 seconds after the last packet is seen. You can add more ports, separated by commas:

port1;protocol1;connection_count1;time1,port2;protocol2;connection_count2;time2

There are also many other CSF parameters you can adjust. The default values are quite good and can fend off flood attacks, port scans or password-guessing attempts against the server.

If you wish, you can read the comments in /etc/csf/csf.conf or refer to the official CSF guide.

Finally, for the changes to take effect, you must restart CSF with the command:

