CSF Firewall Setup in WHM: Securing a cPanel VPS Server
If your sites run on a cPanel/WHM VPS, plain UFW isn't the right tool for locking down the firewall — WHM ships its own purpose-built firewall, ConfigServer Security & Firewall (CSF), and running both at once is a good way to get contradictory rules and a confusing lockout at 2am. Here's how CSF actually works, how to set it up without shooting yourself in the foot, and how to get back in if you already did.
Symptom: WHM shows no active firewall, or CSF is installed but misbehaving
A few ways this shows up for people managing a cPanel/WHM VPS:
- WHM > Security Center has no firewall plugin installed at all, and the server is wide open beyond cPanel's own service ports.
- CSF is installed, but every SSH session drops after a few minutes, or WHM itself becomes unreachable shortly after a config change.
- Legitimate visitors — or you — get blocked after a handful of failed logins, and nobody can figure out which subsystem did the blocking: CSF, cPHulk, or something else.
- An app or API integration stopped working because a port it needs was never opened.
Cause: CSF is a different layer than UFW or cPHulk, and each has its own rules
On a plain Ubuntu/Debian VPS, UFW is a friendly front end for iptables and it's the whole story. On a cPanel/WHM box, that's not true — WHM assumes it owns the firewall layer, and CSF is the tool built for that: it understands cPanel's service ports out of the box, integrates with WHM's UI, and runs LFD (Login Failure Daemon), a background process that watches auth logs and temporary-bans IPs after repeated failed logins.
That's a different job from cPHulk, WHM's built-in brute-force protection, which also blocks IPs after failed logins but tracks its own separate list. Running UFW alongside CSF on the same box is where most of the confusion starts — both try to manage iptables/nftables rules, they don't know about each other, and the last one to write a rule wins. If you inherited a server with both installed, that's usually the root cause of "random" connectivity issues.
Fix: install and configure CSF properly in WHM
1. Remove UFW first if it's active
Check status and disable it before installing CSF — you want exactly one firewall managing iptables:
sudo ufw status
sudo ufw disable
2. Install CSF
Via SSH as root:
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
WHM > Plugins > ConfigServer Security & Firewall will show up once the install finishes. Getwebup's managed cPanel VPS images already have CSF installed — check WHM > Security Center first before you install a second copy.
3. Start in testing mode — this is the step that saves you
CSF installs with TESTING = "1" in csf.conf by default, which auto-disables the firewall after 5 minutes via a cron job. Leave it there while you configure ports. If you flip testing mode off too early and lock yourself out with a bad rule, you have no safety net.
4. Set the ports you actually need
In WHM > ConfigServer Security & Firewall > Firewall Configuration, the two fields that matter most are TCP_IN and TCP_OUT. The defaults cover standard cPanel services (21, 22, 25, 26, 53, 80, 443, 2082, 2083, 2086, 2087, 2095, 2096, etc.), but if you're running something extra — a custom app on port 3000, a mail client on a non-standard port, Redis exposed for a remote worker — add it here, not by editing iptables directly:
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096"
Only add ports for services you're actually running. Every open port is something you now have to keep patched.
5. Whitelist your own IP before you go further
Add your office/home IP to the allow list so a bad rule can't lock you out entirely:
csf -a YOUR.IP.ADDRESS.HERE
Or via WHM > CSF > Quick Allow. This is separate from the TESTING safety net and worth doing even after testing mode is off.
6. Turn off testing mode once you've confirmed access holds
Wait until you've reloaded CSF, reconnected over SSH from a fresh session, and confirmed WHM still loads — then in csf.conf set:
TESTING = "0"
And restart:
csf -r
7. Know the core commands
| Command | What it does |
|---|---|
csf -a IP | Allow an IP permanently |
csf -d IP | Deny/block an IP permanently |
csf -dr IP | Remove an IP from the deny list (un-block) |
csf -g IP | Grep an IP across all CSF/LFD lists — use this first when someone reports being blocked |
csf -r | Restart CSF and reload rules |
csf -x / csf -e | Disable / re-enable the firewall entirely |
If you're locked out right now
Log in through your hosting provider's browser-based console (WHM/VPS control panel VNC or SSH-in-browser — Getwebup's VPS dashboard has this under Console), not SSH, since SSH is exactly what's blocked. Then run csf -g YOUR.OWN.IP to confirm you're on the deny list, and csf -dr YOUR.OWN.IP to remove yourself. If testing mode was still on and the 5-minute timer already expired, the firewall may have reset itself — check csf -l to see current rules before making further changes.
Prevention
- Never run UFW and CSF together on a cPanel/WHM server — pick CSF and disable everything else that touches iptables.
- Always leave
TESTING = "1"on until you've verified a config reload doesn't cut your own access. - Whitelist your admin IPs with
csf -aso LFD's automatic login-failure bans can't catch you on a bad password day. - Check WHM > CSF >
Alerts / Loggingafter any change — LFD emails you when it blocks something, and those emails are the fastest way to catch a misconfigured rule before it becomes a support ticket. - Review
LF_TRIGGERand the failed-login thresholds under CSF's LFD settings periodically — defaults are sane for most sites but can be too aggressive for a WordPress site with a lot of legitimate failed logins from users who forgot their password.
Frequently asked questions
Do I need both CSF and cPHulk on a cPanel VPS?
No, but you don't strictly have to disable either — they solve overlapping problems differently. CSF/LFD is more configurable and firewall-aware; cPHulk is simpler and built into WHM directly. Most admins pick one to avoid double-blocking the same IP for the same failed logins. If you're already using CSF, you can turn cPHulk off in WHM > Security Center > cPHulk Brute Force Protection to keep the blocking logic in one place.
Why did CSF lock me out right after I installed it?
Almost always a TCP_IN/TCP_OUT port you needed wasn't in the default list, or testing mode had already expired before you finished configuring. Reconnect through your provider's browser console, check csf -g on your own IP, and remove yourself from the deny list with csf -dr.
Can I use UFW instead of CSF on my cPanel VPS?
Technically you can, but it isn't recommended. WHM and its plugins expect CSF-style integration (Quick Allow/Deny buttons, LFD alerts, WHM's Security Center status). Running UFW instead means configuring cPanel's ports manually and losing that integration, and running both together causes conflicting iptables rules.
How do I open a new port for an app running on my VPS?
Add it to both TCP_IN and TCP_OUT in WHM > ConfigServer Security & Firewall > Firewall Configuration, save, then restart CSF with csf -r. Only open ports for services you're actually running — each one is a larger attack surface.
LFD keeps emailing me about blocked IPs — is that normal?
Yes, that's LFD doing its job: alerting you every time it auto-blocks an IP for too many failed logins or other suspicious activity. If the volume is overwhelming, tune the thresholds under CSF's LFD settings rather than turning off alerts entirely — the alerts are also how you'll notice a real brute-force attempt in progress.