{"id":21898331,"url":"https://github.com/aetherinox/csf-firewall","last_synced_at":"2026-02-28T04:02:04.219Z","repository":{"id":243074967,"uuid":"811376114","full_name":"Aetherinox/csf-firewall","owner":"Aetherinox","description":"ConfigServer Security \u0026 Firewall (CSF) - Robust linux iptables/nftables firewall \u0026 free ipset blocklist service.","archived":false,"fork":false,"pushed_at":"2026-02-23T01:44:26.000Z","size":57013,"stargazers_count":287,"open_issues_count":18,"forks_count":54,"subscribers_count":31,"default_branch":"main","last_synced_at":"2026-02-23T02:15:16.277Z","etag":null,"topics":["blocklist","blocklists","configserver","configserver-firewall","configserver-security-firewall","cpanel","csf","csf-firewall","cwp","cyberpanel","directadmin","docker","firewall","interworx","ipset","ipset-lists","openvpn","vestacp","webmin","whmcs"],"latest_commit_sha":null,"homepage":"https://docs.configserver.dev","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aetherinox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":["https://buymeacoffee.com/aetherinox"],"github":["csf-firewall","aetherinox"],"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null}},"created_at":"2024-06-06T13:29:33.000Z","updated_at":"2026-02-23T01:44:29.000Z","dependencies_parsed_at":null,"dependency_job_id":"4d0a5055-8d54-4b21-
83e6-b7e621e91119","html_url":"https://github.com/Aetherinox/csf-firewall","commit_stats":null,"previous_names":["aetherinox/csf-firewall"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/Aetherinox/csf-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aetherinox%2Fcsf-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aetherinox%2Fcsf-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aetherinox%2Fcsf-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aetherinox%2Fcsf-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aetherinox","download_url":"https://codeload.github.com/Aetherinox/csf-firewall/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aetherinox%2Fcsf-firewall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29924719,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"online","status_checked_at":"2026-02-28T02:00:07.010Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blocklist","blocklists","configserver","configserver-firewall","configserver-security-firewall","cpanel","csf","csf-firewall","cwp","cyberpanel","directadmin","docker","firewall","interworx","ipset",
"ipset-lists","openvpn","vestacp","webmin","whmcs"],"created_at":"2024-11-28T14:26:01.094Z","updated_at":"2026-02-28T04:02:04.182Z","avatar_url":"https://github.com/Aetherinox.png","language":"Perl","funding_links":["https://buymeacoffee.com/aetherinox","https://github.com/sponsors/csf-firewall","https://github.com/sponsors/aetherinox"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\u003ch6\u003eNew dark theme, support for Docker, Traefik, and OpenVPN servers. Includes a \"bad actor\" blocklist.\u003c/h6\u003e\n\u003ch1\u003e♾️ ConfigServer Firewall ♾️\u003c/h1\u003e\n\n\u003cbr /\u003e\n\n\u003cp\u003e\n\nConfigServer Security \u0026 Firewall (CSF) is a popular and powerful firewall solution for Linux servers. This repo contains complete installation guides, a new dark theme, and also numerous patches for `Docker` and `OpenVPN` firewall support so that you can allow traffic between these services without interruption.\n\n\u003cbr /\u003e\n\nWe also host a group ipsets / blocklists which are updated every few hours. These sets contain various lists of IP addresses which block connections known for SSH bruteforce attempts, port knocking / scanning, research, data collection, etc. These ipsets are compatible with ConfigServer Firewall, and also any other application which supports one IP per line (pi-hole, Windows hosts, etc).\n\n\u003cbr /\u003e\n\nIpsets include lists from [AbuseIPDB](https://abuseipdb.com/) and [IPThreat](https://ipthreat.net/). 
For information on how to use these sets, read the section [IP Rulesets \u0026 Blocklists](#ip-sets--blocklist).\n\n\u003c/p\u003e\n\n\u003cbr /\u003e\n\n\u003cimg src=\"https://malware.expert/wp-content/uploads/2018/09/csf_firewall.png\" height=\"230\"\u003e\n\n\u003cbr /\u003e\n\u003cbr /\u003e\n\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n\u003c!-- prettier-ignore-start --\u003e\n[![Version][github-version-img]][github-version-uri]\n[![Downloads][github-downloads-img]][github-downloads-uri]\n[![Size][github-size-img]][github-size-img]\n[![Last Commit][github-commit-img]][github-commit-img]\n[![Contributors][contribs-all-img]](#contributors-)\n\n[![Built with Material for MkDocs](https://img.shields.io/badge/Powered_by_Material_for_MkDocs-526CFE?style=for-the-badge\u0026logo=MaterialForMkDocs\u0026logoColor=white)](https://aetherinox.github.io/csf-firewall/)\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003cbr /\u003e\n\n\u003cp float=\"left\"\u003e\n  \u003cimg style=\"padding-right:15px;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/1.png\" width=\"300\" /\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/2.png\" width=\"300\" /\u003e \n\u003c/p\u003e\n\n\u003cp float=\"left\"\u003e\n  \u003cimg style=\"padding-right:15px;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/3.png\" width=\"300\" /\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/4.png\" width=\"300\" /\u003e \n\u003c/p\u003e\n\n\u003cp float=\"left\"\u003e\n  \u003cimg style=\"padding-right:15px;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/5.png\" width=\"300\" /\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/6.png\" 
width=\"300\" /\u003e \n\u003c/p\u003e\n\n\u003c/div\u003e\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n- [Summary](#summary)\n- [ConfigServer Firewall Features](#configserver-firewall-features)\n- [How The Patcher Works](#how-the-patcher-works)\n- [Install ConfigServer Firewall](#install-configserver-firewall)\n  - [Install Using Patcher](#install-using-patcher)\n  - [Install Manually](#install-manually)\n    - [Step 1: Prerequisites](#step-1-prerequisites)\n    - [Step 2: Download and Install CSF](#step-2-download-and-install-csf)\n- [Testing the Firewall](#testing-the-firewall)\n- [Configuring CSF](#configuring-csf)\n- [Enabling CSF Firewall](#enabling-csf-firewall)\n- [Managing the Firewall](#managing-the-firewall)\n  - [Start Firewall](#start-firewall)\n  - [Stop Firewall](#stop-firewall)\n  - [Restart Firewall](#restart-firewall)\n  - [List Firewall Rules](#list-firewall-rules)\n  - [Add IP to Allow List](#add-ip-to-allow-list)\n  - [Remove IP to Allow List](#remove-ip-to-allow-list)\n  - [Add IP to Deny List](#add-ip-to-deny-list)\n  - [Remove IP from Deny List](#remove-ip-from-deny-list)\n  - [Add Temp Block IP](#add-temp-block-ip)\n  - [Remove Temp Block IP](#remove-temp-block-ip)\n- [Uninstalling CSF](#uninstalling-csf)\n- [Enable CSF Firewall Web UI](#enable-csf-firewall-web-ui)\n  - [Step 1: Install Required Perl Modules:](#step-1-install-required-perl-modules)\n  - [Step 2: Enable CSF Firewall Web UI:](#step-2-enable-csf-firewall-web-ui)\n  - [Step 3: Access and Use Web UI:](#step-3-access-and-use-web-ui)\n- [Install Docker Patch](#install-docker-patch)\n  - [Clone](#clone)\n  - [Configure](#configure)\n  - [Run Patch](#run-patch)\n  - [Manual Run](#manual-run)\n  - [Advanced Logs](#advanced-logs)\n- [Install OpenVPN Patch](#install-openvpn-patch)\n  - [Clone](#clone-1)\n  - [Configure](#configure-1)\n  - [Run Patch](#run-patch-1)\n  - [Manual Run](#manual-run-1)\n  - [Advanced Logs](#advanced-logs-1)\n- [Install Dark 
Theme](#install-dark-theme)\n- [Traefik Integration with CSF WebUI](#traefik-integration-with-csf-webui)\n  - [Adding Authentik Provider](#adding-authentik-provider)\n- [IP Sets / Blocklist](#ip-sets--blocklist)\n- [Download ConfigServer Firewall](#download-configserver-firewall)\n- [References for More Help](#references-for-more-help)\n- [Contributors ✨](#contributors-)\n\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Summary\nThis repository contains several folders:\n- 📁 `configs`\n  - Ready-to-use CSF config files\n    - `configs/etc/csf/csf.conf` (full version)\n    - `configs/etc/csf/csf.conf.clean` (clean version)\n    - `configs/etc/GeoIP.conf` GeoIP Config File for [MaxMind geo-blocking](https://www.maxmind.com/en/home)\n- 📁 `theme`\n  - Dark theme for ConfigServer Firewall\n- 📁 `patches`\n  - Docker patch which allows CSF and Docker to work together\n  - OpenVPN integration patch\n- 📁 `blocklists` \n  - List of IP addresses which have been reported for ssh brute-force attempts, port scanning, etc.\n  - 100% Confidence, powered by services such as [AbuseIPDB](https://abuseipdb.com/)\n  - IPs are no older than 90 days old _(updated daily)_, and also contain blocks to protect your privacy from certain online services\n  - Add to `csf.blocklists`\n\n\u003cbr /\u003e\n\u003cbr /\u003e\n\nEach release posted on the [Releases Page](https://github.com/Aetherinox/csf-firewall/releases) contains several `.zip` files and a `.tgz`:\n- `csf-firewall-vxx.xx.tgz`\n  - Latest official version of ConfigServer Firewall. 
You do not need this if you already have CSF installed on your system.\n- `csf-firewall-vx.x.x-theme-dark.zip`\n  - Custom dark theme\n- `csf-firewall-vx.x.x-patches.zip`\n  - The patches contained in this repository, which include the files:\n    - 📄 csfpost.sh\n    - 📄 csfpre.sh\n    - 📄 docker.sh\n    - 📄 install.sh\n    - 📄 openvpn.sh\n    - 📄 README.md\n    - 📄 LICENSE\n\n\u003cbr /\u003e\n\u003cbr /\u003e\n\nThis guide will help you with the following:\n\n- Install CSF (ConfigServer Firewall)\n- Install CSF WebUI interface\n- Install patches\n  - Docker Integration\n  - OpenVPN Integration\n- Install Dark Theme\n- Traefik + CSF WebUI\n  - Access CSF WebUI via domain\n  - Secure domain with Authentik\n  - IP Whitelist access to CSF WebUI\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## ConfigServer Firewall Features\n\n- Straight-forward SPI iptables firewall script\n- Daemon process that checks for login authentication failures for:\n    - Courier imap, Dovecot, uw-imap, Kerio\n    - OpenSSH\n    - cPanel, WHM, Webmail (cPanel servers only)\n    - Pure-ftpd, vsftpd, Proftpd\n    - Password protected web pages (htpasswd)\n    - Mod_security failures (v1 and v2)\n    - Suhosin failures\n    - Exim SMTP AUTH\n    - Custom login failures with separate log file and regular expression matching\n- POP3/IMAP login tracking to enforce logins per hour\n- SSH login notification\n- SU login notification\n- Excessive connection blocking\n- UI Integration for cPanel, DirectAdmin, InterWorx, CentOS Web Panel (CWP), VestaCP, CyberPanel - and Webmin\n- Easy upgrade between versions from within the control panel\n- Easy upgrade between versions from shell\n- Pre-configured to work on a cPanel server with all the standard cPanel ports open\n- Pre-configured to work on a DirectAdmin server with all the standard DirectAdmin ports open\n- Auto-configures the SSH port if it’s non-standard on installation\n- Block traffic on unused server IP addresses – helps reduce the risk to 
your server\n- Alert when end-user scripts sending excessive emails per hour – for identifying spamming scripts\n- Suspicious process reporting – reports potential exploits running on the server\n- Excessive user processes reporting\n- Excessive user process usage reporting and optional termination\n- Suspicious file reporting – reports potential exploit files in /tmp and similar directories\n- Directory and file watching – reports if a watched directory or a file changes\n- Block traffic on a variety of Block Lists including DShield Block List and Spamhaus DROP List\n- BOGON packet protection\n- Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)\n- Works with multiple ethernet devices\n- Server Security Check – Performs a basic security and settings check on the server (via cPanel/- DirectAdmin/Webmin UI)\n- Allow Dynamic DNS IP addresses – always allow your IP address even if it changes whenever you connect to the internet\n- Alert sent if server load average remains high for a specified length of time\n- mod_security log reporting (if installed)\n- Email relay tracking – tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)\n- IDS (Intrusion Detection System) – the last line of detection alerts you to changes to system and application binaries\n- SYN Flood protection\n- Ping of death protection\n- Port Scan tracking and blocking\n- Permanent and Temporary (with TTL) IP blocking\n- Exploit checks\n- Account modification tracking – sends alerts if an account entry is modified, e.g. if the password is changed or the login shell\n- Shared syslog aware\n- Messenger Service – Allows you to redirect connection requests from blocked IP addresses to preconfigured text and html pages to inform the visitor that they have been blocked in the firewall. 
This can be particularly useful for those with a large user base and help process support requests more efficiently\n- Country Code blocking – Allows you to deny or allow access by ISO Country Code\n- Port Flooding Detection – Per IP, per Port connection flooding detection and mitigation to help block DoS attacks\n- WHM root access notification (cPanel servers only)\n- lfd Clustering – allows IP address blocks to be automatically propagated around a group of servers running lfd. It also allows cluster-wide allows, removals and configuration changes\n- Quick start csf – deferred startup by lfd for servers with large block and/or allow lists\n- Distributed Login Failure Attack detection\n- Temporary IP allows (with TTL)\n- IPv6 Support with ip6tables\n- Integrated UI – no need for a separate Control Panel or Apache to use the csf configuration\n- Integrated support for cse within the Integrated UI\n- cPanel Reseller access to per reseller configurable options Unblock, Deny, Allow and Search IP address blocks\n- System Statistics – Basic graphs showing the performance of the server, e.g. Load Averages, CPU Usage, Memory Usage, etc\n- ipset support for large IP lists\n- Integrated with the CloudFlare Firewall\n- …lots more!\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## How The Patcher Works\nYou can read this if you want, or skip it. It outlines exactly how the patches work:\n  - Download all the files in the `/patch` folder to your system.\n  - Set the `install.sh` file to be executable.\n    - `sudo chmod +x install.sh`\n  - Run the `install.sh` script\n    - `sudo ./install.sh`\n    - The script will first check to see if you have ConfigServer Firewall and all of its prerequisites installed. It will install them if they are not installed. 
This includes:\n      - ConfigServer Firewall\n      - ipset package\n      - iptables / ip6tables package\n    - Two new files will be added:\n      - `/usr/local/csf/bin/csfpre.sh`\n      - `/usr/local/csf/bin/csfpost.sh`\n    - The patches will then be moved onto your system in the locations:\n      - `/usr/local/include/csf/post.d/docker.sh`\n      - `/usr/local/include/csf/post.d/openvpn.sh`\n    - The `Docker` patch will first check to ensure you have the following:\n      - **Must** have Docker installed\n        - This script will **NOT** install docker. You must do that.\n      - **Must** have a valid docker network adapter named `docker*` or `br-*`\n    - The `OpenVPN` patch will first check to ensure you have the following:\n      - **Must** have OpenVPN Server installed\n      - **Must** have a valid network tunnel named `tun*` (tun0, tun1, etc)\n      - **Must** have an outside network adapter named either `eth*` or `enp*`\n      - If any of the checks above are not true, the OpenVPN patcher will be skipped\n        - You can check your list of network adapters using any of the commands below:\n          - `ip link show`\n          - `ifconfig`\n        - You can check if OpenVPN server is installed by using the command:\n          - `openvpn --version`\n  \n\u003cbr /\u003e\n\n  - If you attempt to run the `install.sh` any time after the initial setup:\n    - The script will check if ConfigServer Firewall and all prerequisites are installed.\n      - **If they are not installed**; they will be installed.\n      - **If they are already installed**; nothing will happen. The script does **NOT** update your packages. 
It installs the latest version of each package from the time that you run the script and do not already have ConfigServer Firewall installed.\n    - The script will look at all of the files it added the first time and check the MD5 hash.\n      - If the `csfpre`, `csfpost`, or patch files do not exist; they will be re-added to your system.\n      - **If the patch files are different** from the one the patcher comes with, you will be prompted / asked if you wish to overwrite your already installed copy\n      - **If the patch files are the same** as the ones which comes with the patcher; nothing will be done and it will skip that step.\n\n\u003cbr /\u003e\n\nWhen you start up the CSF service, the `csfpost.sh` file will loop through every patch / file added to the `post.d` folder, and run the code inside of those files. The code inside each patch contains iptable / firewall rules which allow that app to communicate between your system and the outside world.\n\n\u003cbr /\u003e\n\nEven if you were to completely wipe your iptable rules, as soon as you restart the CSF service; those rules will be added right back.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Install ConfigServer Firewall\nYou can install ConfigServer Firewall and all prerequisites one of two ways:\n1. [Install Using Patcher](#install-using-patcher)\n2. 
[Install Manually](#install-manually)\n\n\u003cbr /\u003e\n\n### Install Using Patcher\n\nIf you would like to install ConfigServer Firewall using this repo's patcher; download the patch:\n```shell\ngit clone https://github.com/Aetherinox/csf-firewall.git\n```\n\n\u003cbr /\u003e\n\nSet the permissions for the `install.sh` file:\n```shell\nsudo chmod +x /csf-firewall/patch/install.sh\n```\n\n\u003cbr /\u003e\n\nRun the script:\n```shell\nsudo ./csf-firewall/patch/install.sh\n```\n\n\u003cbr /\u003e\n\nIf ConfigServer Firewall is not already installed on your system; you should see:\n```\n  Installing package iptables\n  Installing package ipset\n  Installing package ConfigServer Firewall\n\n  Docker patch will now start ...\n```\n\u003cbr /\u003e\n\n### Install Manually\nThese steps explain how to install ConfigServer Firewall manually.\n\n\u003cbr /\u003e\n\n#### Step 1: Prerequisites\n- A Linux server running CentOS, Debian, Ubuntu, or any other compatible Linux distribution. \n- Root access or a user account with sudo privileges.\n- Perl installed on your server. If Perl is not installed, you can install it by running the following commands:\n  - For CentOS/RHEL:\n    ```shell\n    sudo yum install perl ipset\n    ```\n\n  - For Debian/Ubuntu:\n\n    ```shell\n    sudo apt-get update \n    sudo apt-get install perl ipset\n    ```\n\n\u003cbr /\u003e\n\n#### Step 2: Download and Install CSF\nTo download and install CSF, follow these steps:\n\n\u003cbr /\u003e\n\n- Log in to your server via SSH. 
\n- Download the latest version of CSF using the wget command:\n    ```shell\n    wget https://download.configserver.com/csf.tgz\n    ```\n- Extract the downloaded archive:\n    ```shell\n    tar -xzf csf.tgz\n    ```\n- Navigate to the extracted directory:\n    ```shell\n    cd csf\n    ```\n- Run the installation script:\n    ```shell\n    sudo sh install.sh\n    ```\n\n\u003cbr /\u003e\n\nCSF will now be installed on your server, along with its Web UI (ConfigServer Firewall \u0026 Security) if you have a control panel like cPanel or DirectAdmin installed.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Testing the Firewall\nBefore enabling and configuring CSF, it is crucial to test whether it is compatible with your server. Run the following command to initiate the test:\n\n```shell\nsudo perl /usr/local/csf/bin/csftest.pl\n```\n\nThe test will check for any potential issues or conflicts. If the test completes successfully, you will see the message “RESULT: csf should function on this server.” If there are any problems, the test will provide information on how to resolve them.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Configuring CSF\nNow that CSF is installed, you can start configuring it to suit your server’s requirements. The main configuration file for CSF is located at `/etc/csf/csf.conf`. You can use your preferred text editor to modify the file, such as nano or vim:\n\n```shell\nsudo nano /etc/csf/csf.conf\n```\n\n\u003cbr /\u003e\n\nSome essential settings you may want to modify include:\n\n\u003e [!NOTE]\n\u003e When you run the patcher `install.sh`; **TESTING MODE** will automatically be disabled after everything has successfully completed.\n\n\u003cbr /\u003e\n\n- `TESTING`: Set this value to 0 to disable testing mode and activate the firewall.\n- `TCP_IN` and `TCP_OUT`: These settings define the allowed incoming and outgoing TCP ports, respectively. 
Add or remove ports as required, separated by commas.\n- `UDP_IN` and `UDP_OUT`: These settings define the allowed incoming and outgoing UDP ports, respectively. Add or remove ports as required, separated by commas.\n- `DENY_IP_LIMIT`: This setting defines the maximum number of IP addresses that can be listed in the /etc/csf/csf.deny file. Adjust this limit as needed.\n- `CT_LIMIT`: This setting controls the number of connections from a single IP address that are allowed before the IP is temporarily blocked. Adjust this value according to your server’s requirements.\n\n\u003cbr /\u003e\n\nThese are just a few of the numerous configuration options available in CSF. Make sure to review the configuration file and adjust the settings to suit your server’s needs. After making changes to the configuration file, save and exit the text editor.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Enabling CSF Firewall\nOnce you have configured the CSF firewall, it is time to enable it. To do so, run the following command:\n\n```shell\nsudo csf -e\n```\n\nThis command will restart the CSF and LFD (Login Failure Daemon) services, applying your configuration changes and activating the firewall.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Managing the Firewall\nCSF provides several commands to manage the firewall, such as:\n\n\u003cbr /\u003e\n\n### Start Firewall\n\n```shell\nsudo csf -s\n```\n\n\u003cbr /\u003e\n\n### Stop Firewall\n\n```shell\nsudo csf -f\n```\n\n\u003cbr /\u003e\n\n### Restart Firewall\n\n```shell\nsudo csf -r\n```\n\n\u003cbr /\u003e\n\n### List Firewall Rules\n\n```shell\nsudo csf -l\n```\n\n\u003cbr /\u003e\n\n### Add IP to Allow List\n\n```shell\nsudo csf -a IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\n### Remove IP to Allow List\n\n```shell\nsudo csf -ar IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\n### Add IP to Deny List\n\n```shell\nsudo csf -d IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\n### Remove IP from Deny List\n\n```shell\nsudo csf -dr 
IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\n### Add Temp Block IP\n\n```shell\nsudo csf -td IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\n### Remove Temp Block IP\n\n```shell\nsudo csf -tr IP_ADDRESS\n```\n\n\u003cbr /\u003e\n\nThese commands can help you manage your server’s security and monitor incoming and outgoing traffic.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Uninstalling CSF\nIf you decide to uninstall CSF for any reason, follow these steps:\n\n\u003cbr /\u003e\n\n1. Navigate to the CSF directory:\n    ```shell\n    cd /etc/csf\n    ```\n2. Run the uninstallation script:\n    ```shell\n    sudo sh uninstall.sh\n    ```\n\n\u003cbr /\u003e\n\nThe script will remove CSF and its associated files from your server.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Enable CSF Firewall Web UI\nConfigServer Firewall offers a WebUI for managing the firewall from a web interface. This section explains how to install the WebUI.\n\n\u003cbr /\u003e\n\n### Step 1: Install Required Perl Modules:\nThe CSF UI requires some Perl modules to be installed on your system. Use the following commands to install the required modules for your operating system.\n\n\u003cbr /\u003e\n\n**Debian based systems:**\n```shell\nsudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \\\n                    libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl\n```\n\n\u003cbr /\u003e\n\n**Redhat based systems:**\n```shell\nsudo yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \\\n               perl-IO-Socket-INET6 perl-Socket6\n```\n\n\u003cbr /\u003e\n\n### Step 2: Enable CSF Firewall Web UI:\nTo enable the CSF web UI, edit the `/etc/csf/csf.conf` file in your favorite text editor and update the following values.\n\n```shell\nsudo vim /etc/csf/csf.conf\n```\n\n```conf\n# 1 to enable, 0 to disable web ui \nUI = \"1\"\n\n# Set port for web UI. The default port is 6666, but\n# I change this to 1025 for easy access. 
Default port creates some issues\n# with popular Chrome and Firefox browsers (in my case) \n\nUI_PORT = \"1025\"\n\n# Leave blank to bind to all IP addresses on the server \nUI_IP = \"\"\n\n# Set username for authentication \nUI_USER = \"admin\"\n\n# Set a strong password for authentication \nUI_PASS = \"admin\"\n```\n\n\u003cbr /\u003e\n\nChange the following values to your own:\n- `UI_PORT`\n- `UI_USER`\n- `UI_PASS`\n\n\u003cbr /\u003e\n\nAfter making changes, edit the `/etc/csf/ui/ui.allow` configuration file and add your public IP to allow access to the CSF UI. Replace `YOUR_PUBLIC_IP_ADDRESS` with your public IP address.\n\n```shell\necho \"YOUR_PUBLIC_IP_ADDRESS\" | sudo tee -a /etc/csf/ui/ui.allow\n```\n\n\u003cbr /\u003e\n\nThe Web UI runs under the lfd daemon, so restart the lfd daemon on your system using the following command.\n\n```shell\nsudo service lfd restart\n```\n\n\u003cbr /\u003e\n\nIn order to gain access to the online admin panel; you must ensure lfd and csf are running. You can check by running the commands:\n```shell ignore\nsudo service lfd status\n```\n\n\u003cbr /\u003e\n\nYou should see the `lfd` service running:\n```\n● lfd.service - ConfigServer Firewall \u0026 Security - lfd\n     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n     Active: active (running) since Mon 2024-08-05 11:59:38 MST; 1s ago\n    Process: 46393 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n   Main PID: 46407 (lfd - sleeping)\n      Tasks: 8 (limit: 4613)\n     Memory: 121.7M\n        CPU: 2.180s\n     CGroup: /system.slice/lfd.service\n```\n\n\u003cbr /\u003e\n\nNext, confirm `csf` service is also running:\n```shell ignore\nsudo service csf status\n```\n\n\u003cbr /\u003e\n\nCheck the output for errors on service `csf`. 
You should see no errors:\n```\n● csf.service - ConfigServer Firewall \u0026 Security - csf\n     Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)\n     Active: active (exited) since Mon 2024-08-05 12:04:09 MST; 1s ago\n    Process: 46916 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)\n   Main PID: 46916 (code=exited, status=0/SUCCESS)\n        CPU: 12.692s\n```\n\n\u003cbr /\u003e\n\nIf you see the following error when running `csf status`:\n```\ncsf[46313]: open3: exec of /sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line 5650.\n```\n\n\u003cbr /\u003e\n\nYou must install `ipset`:\n```shell ignore\nsudo apt-get update \nsudo apt-get install ipset\n```\n\n\u003cbr /\u003e\n\n### Step 3: Access and Use Web UI:\nNow, access the CSF UI in your browser on the specified port. For this tutorial, we used port 1025 and accessed the CSF admin panel by opening our browser and going to:\n```\nhttps://127.0.0.1:1025\n```\n\n\u003cbr /\u003e\n\nWhen prompted for the username and password; the default is:\n\n| Field | Value |\n| --- | --- |\n| Username | `admin` |\n| Password | `admin` |\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/c23e9de8-69a9-4a92-810b-791c72f5793a\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nAfter a successful login, you will see a screen like the one below.\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/2b1a0c5b-d21d-456b-a07d-69c2acdf3888\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\n**Allow IP Address**: You can use the option below to allow any IP quickly. 
This action adds the entry to the `/etc/csf/csf.allow` file.\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/docs/images/csf-quick-allow.png\"\u003e\u003c/p\u003e\n\n**Deny IP Address**: You can use the option below to deny any IP quickly. This action adds the entry to the `/etc/csf/csf.deny` file.\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/docs/images/csf-quick-deny.png\"\u003e\u003c/p\u003e\n\n**Unblock IP Address**: You can use the option below to quickly unblock any IP which is already blocked by CSF.\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/docs/images/csf-unblock-ip.png\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Install Docker Patch\nAfter you have installed CSF, the WebUI, and enabled both `lfd` and `csf` services; it's now time to run the docker patcher. The docker patch will check your docker configuration, and add a series of iptables rules so that docker can communicate with the outside world and users can access your containers.\n\n\u003cbr /\u003e\n\nThe docker patch does several things:\n- Allows you to restart CSF without having to restart your docker containers.\n- Scans every container you have set up in docker and adds a whitelist firewall rule\n\n\u003cbr /\u003e\n\n### Clone\nWithin your server, change to the directory where you want to download everything (including the patch):\n\n```shell\ncd $HOME/Documents\n```\n\n\u003cbr /\u003e\n\nClone the repo\n```shell\ngit clone https://github.com/Aetherinox/csf-firewall.git\n```\n\n\u003cbr /\u003e\n\n### Configure\nThe `/patch/docker.sh` file has a few configs you can adjust. 
Open it in a text editor and change the values to your preference.\n\n```bash ignore\nDOCKER_INT=\"docker0\"\nCSF_FILE_ALLOW=\"/etc/csf/csf.allow\"\nCSF_COMMENT=\"Docker container whitelist\"\nDEBUG_ENABLED=\"false\"\nIP_CONTAINERS=(\n    '172.17.0.0/16'\n)\n```\n\n\u003cbr /\u003e\n\nEach setting is defined below:\n\n| Setting | Description |\n| --- | --- |\n| `DOCKER_INT` | \u003cbr\u003emain docker network interface \u003cbr\u003e\u003cbr\u003e |\n| `CSF_FILE_ALLOW` | \u003cbr\u003ePath to your `csf.allow` file \u003cbr\u003e\u003cbr\u003e |\n| `CSF_COMMENT` | \u003cbr\u003ecomment added to each new whitelisted docker ip \u003cbr\u003e\u003cbr\u003e |\n| `DEBUG_ENABLED` | \u003cbr\u003edebugging / better logs \u003cbr\u003e\u003cbr\u003e |\n| `IP_CONTAINERS` | \u003cbr\u003elist of ip address blocks you will be using for your docker setup. these blocks will be whitelisted through ConfigServer Firewall \u003cbr\u003e\u003cbr\u003e |\n\n\u003cbr /\u003e\n\n### Run Patch\nSet the permissions (if needed)\n\n```shell\nsudo chmod +x /patch/install.sh\n```\n\n\u003cbr /\u003e\n\nRun the script:\n\n```shell\ncd /patch/\nsudo ./install.sh\n```\n\n\u003cbr /\u003e\n\nOn certain distros of Linux, you may need to use the following instead to run the patcher:\n\n```shell\nsudo sh install.sh\n```\n\n\u003cbr /\u003e\n\nThe `docker.sh` file will be installed to `/usr/local/include/csf/post.d`\n\n\u003cbr /\u003e\n\n### Manual Run\nYou can manually run the `docker.sh` script. It will also allow you to specify arguments such as `--dev` to get more detailed logging as the firewall is set up. 
This should only be done if you know what you're doing.\n\n```shell ignore\nsudo chmod +x /patch/docker.sh\nsudo /patch/docker.sh\n```\n\n\u003cbr /\u003e\n\nYou can call arguments by running the file using:\n\n```shell ignore\nsudo /patch/docker.sh --dev\n```\n\n\u003cbr /\u003e\n\nYou can also find out what version you are running by appending `--version` to either the `install.sh` or `docker.sh` file:\n\n```shell ignore\n./patch/install.sh --version\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nConfigServer Firewall Configuration - v14.22.0\nhttps://github.com/Aetherinox/csf-firewall\nUbuntu | 24.04\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nsudo /patch/docker.sh --version\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nConfigServer Firewall Docker Patch - v14.22.0\nhttps://github.com/Aetherinox/csf-firewall\nUbuntu | 24.04\n```\n\n\u003cbr /\u003e\n\n### Advanced Logs\nThis script includes debugging prints / logs. To view these, restart `csf.service` by running the following command in terminal:\n```shell ignore\nsudo csf -r\n```\n\n\u003cbr /\u003e\n\nAll steps performed by the script will be displayed in terminal:\n```shell ignore\n  + POSTROUTING   Adding IPs from primary IP list\n                  + 172.17.0.0/16\n                  + RULE:                  -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE\n                  + RULE:                  -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE\n\n ---------------------------------------------------------------------------------------------------\n\n  + BRIDGES       Configuring network bridges\n\n                  BRIDGE                   e8a57188323a                          \n                  DOCKER INTERFACE         docker0                               \n                  SUBNET                   172.17.0.0/16                         \n                  + RULE:                  -t nat -A POSTROUTING -s 172.17.0.0/16 ! 
-o docker0 -j MASQUERADE\n                  + RULE:                  -t nat -A DOCKER -i docker0 -j RETURN\n                  + RULE:                  -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n                  + RULE:                  -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n```\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Install OpenVPN Patch\nThis repo includes an OpenVPN patch which automatically sets up ConfigServer Firewall to accept connections from your OpenVPN server; while still restricting other incoming and outgoing connections you may not want going through.\n\n\u003cbr /\u003e\n\n### Clone\nWithin your server, change to whatever directory where you want to download everything (including patch):\n\n```shell\ncd $HOME/Documents\n```\n\n\u003cbr /\u003e\n\nClone the repo\n```shell\ngit clone https://github.com/Aetherinox/csf-firewall.git\n```\n\n\u003cbr /\u003e\n\n### Configure\nThe `/patch/openvpn.sh` file has a few configs you can adjust. 
Open it in a text editor and change the values to your preference.\n\n```bash ignore\nETH_ADAPTER=$(ip route | grep default | sed -e \"s/^.*dev.//\" -e \"s/.proto.*//\")\nTUN_ADAPTER=$(ip -br l | awk '$1 ~ \"^tun[0-9]\" { print $1}')\nIP_PUBLIC=$(curl ipinfo.io/ip)\nDEBUG_ENABLED=\"false\"\nIP_POOL=(\n    '10.8.0.0/24'\n)\n```\n\n\u003cbr /\u003e\n\nEach setting is defined below:\n\n| Setting | Description |\n| --- | --- |\n| `ETH_ADAPTER` | \u003cbr\u003eprimary network adapter on host machine \u003cbr\u003e\u003cbr\u003e |\n| `TUN_ADAPTER` | \u003cbr\u003eopenvpn tunnel adapter, usually `tun0` \u003cbr\u003e\u003cbr\u003e |\n| `IP_PUBLIC` | \u003cbr\u003eserver's public ip address \u003cbr\u003e\u003cbr\u003e |\n| `DEBUG_ENABLED` | \u003cbr\u003edebugging / better logs \u003cbr\u003e\u003cbr\u003e |\n| `IP_POOL` | \u003cbr\u003eopenvpn ip pool \u003cbr\u003e\u003cbr\u003e |\n\n\u003cbr /\u003e\n\nThe script tries to automatically detect the values specified above, however, you can manually specify your own values. 
\n\n\u003cbr /\u003e\n\nAs an example, instead of automatically detecting your server's public IP address or ethernet adapters, you can specify your own by changing the following:\n\n```bash ignore\n# old code\nETH_ADAPTER=$(ip route | grep default | sed -e \"s/^.*dev.//\" -e \"s/.proto.*//\")\nTUN_ADAPTER=$(ip -br l | awk '$1 ~ \"^tun[0-9]\" { print $1}')\nIP_PUBLIC=$(curl ipinfo.io/ip)\n\n# manually specified ip\nETH_ADAPTER=\"eth0\"\nTUN_ADAPTER=\"tun0\"\nIP_PUBLIC=\"216.55.100.5\"\n```\n\n\u003cbr /\u003e\n\n### Run Patch\nSet the permissions:\n\n```shell\nsudo chmod +x /patch/install.sh\n```\n\n\u003cbr /\u003e\n\nRun the script:\n\n```shell\ncd /patch/\nsudo ./install.sh\n```\n\n\u003cbr /\u003e\n\nOn certain distros of Linux, you may need to use the following instead to run the patcher:\n\n```shell\nsudo sh install.sh\n```\n\n\u003cbr /\u003e\n\nThe `openvpn.sh` file will be installed to `/usr/local/include/csf/post.d`\n\n\u003cbr /\u003e\n\n### Manual Run\nYou can manually run the `openvpn.sh` script. It will also allow you to specify arguments such as `--dev` to get more detailed logging as the firewall is set up. 
This should only be done if you know what you're doing.\n\n```shell ignore\nsudo chmod +x /patch/openvpn.sh\nsudo /patch/openvpn.sh\n```\n\n\u003cbr /\u003e\n\nYou can call arguments by running the file using:\n```shell ignore\nsudo /patch/openvpn.sh --dev\n```\n\n\u003cbr /\u003e\n\nYou can also find out what version you are running by appending `--version` to either the `install.sh` or `openvpn.sh` file:\n\n```shell ignore\n./patch/install.sh --version\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nConfigServer Firewall Configuration - v2.0.0.0\nhttps://github.com/Aetherinox/csf-firewall\nUbuntu | 24.04\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nsudo /patch/openvpn.sh --version\n```\n\n\u003cbr /\u003e\n\n```shell ignore\nConfigServer Firewall OpenVPN Patch - v2.0.0.0\nhttps://github.com/Aetherinox/csf-firewall\nUbuntu | 24.04\n```\n\n\u003cbr /\u003e\n\n### Advanced Logs\nThis script includes debugging prints / logs. To view these, restart `csf.service` by running the following command in terminal:\n```shell ignore\nsudo csf -ra\n```\n\n\u003cbr /\u003e\n\nAll steps performed by the script will be displayed in terminal:\n```shell ignore\n  + OPENVPN       Adding OpenVPN Rules\n\n                  + RULE                   -A INPUT -i tun+ -j ACCEPT            \n                  + RULE                   -A FORWARD -i tun+ -j ACCEPT          \n                  + RULE                   -A FORWARD -o tun0 -j ACCEPT\n                  + RULE                   -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE\n                  + RULE                   -A FORWARD -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT\n                  + RULE                   -A FORWARD -i enp0s3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT\n                  + RULE                   -t nat -A POSTROUTING -j SNAT --to-source XX.XXX.XXX.XXX\n                  + RULE                   -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE\n```\n\n\u003cbr 
/\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Install Dark Theme\nThe dark theme is an unofficial theme not available in the official install of ConfigServer firewall. You may use the files provided in this repository to switch your copy of CSF over to the dark theme.\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg style=\"padding-right:15px;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/7.gif\" width=\"400\" /\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/8.gif\" width=\"400\" /\u003e \n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://raw.githubusercontent.com/Aetherinox/csf-firewall/refs/heads/main/docs/images/readme/9.png\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nHead over to the [Releases](https://github.com/Aetherinox/csf-firewall/releases) page and download the dark theme zip file:\n\n- `*-theme-dark.zip`\n\n\u003cbr /\u003e\n\nExtract the files from the zip to the same paths as they are shown in the zip. You should have the following files:\n\n- `/etc/csf/ui/images/*.css`\n- `/usr/local/csf/lib/ConfigServer/*.pm`\n- `/usr/sbin/lfd`\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Traefik Integration with CSF WebUI\nTo integrate the CSF WebUI into Docker and Traefik so that you can access it via a domain and secure it:\n\n\u003cbr /\u003e\n\nOpen `/etc/csf/csf.conf` and change the `UI_IP`. This specifies the IP address that the CSF WebUI will bind to. By default, the value is empty and binds CSF's WebUI to all IPs on your server.\n\nFind\n```shell ignore\nUI_IP = \"\"\n```\n\n\u003cbr /\u003e\n\nChange the IP to your Docker network subnet. 
You MUST use the format below, which is `::IPv6:IPv4`\n```shell ignore\nUI_IP = \"::ffff:172.17.0.1\"\n```\n\n\u003cbr /\u003e\n\nThe above change will ensure that your CSF WebUI is **not** accessible via your public IP address. We're going to allow access to it via your domain name, but add some Traefik middleware so that you must authenticate before you can access the WebUI.\n\n\u003cbr /\u003e\n\nNext, we can add CSF through Docker and Traefik so that it's accessible via `csf.domain.com`. Open up your Traefik's `dynamic.yml` and add the following:\n\n```yml\nhttp:\n  routers:\n    csf-http:\n      service: \"csf\"\n      rule: \"Host(`csf.domain.com`)\"\n      entryPoints:\n        - \"http\"\n      middlewares:\n        - https-redirect@file\n\n    csf-https:\n      service: \"csf\"\n      rule: \"Host(`csf.domain.com`)\"\n      entryPoints:\n        - \"https\"\n      middlewares:\n        - authentik@file\n        - whitelist@file\n        - geoblock@file\n      tls:\n        certResolver: cloudflare\n        domains:\n          - main: \"domain.com\"\n            sans:\n              - \"*.domain.com\"\n```\n\n\u003cbr /\u003e\n\nA full example of the Traefik routers and middleware can be found at:\n\n- https://aetherinox.github.io/csf-firewall/csf/tutorials/traefik/\n\n\u003cbr /\u003e\n\nAt the bottom of the same file, we must now add a new **loadBalancer** rule under `http` -\u003e `services`. 
Change the `ip` and `port` if you have different values:\n\n```yml\nhttp:\n  routers:\n    [CODE FROM ABOVE]\n  services:\n    csf:\n      loadBalancer:\n        servers:\n          - url: \"https://172.17.0.1:8546/\"\n```\n\n\u003cbr /\u003e\n\nWith the example above, we are also going to add a few middlewares:\n- [Authentik](https://goauthentik.io/)\n- [IP Whitelist](https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/)\n- [Geographical Location Blocking](https://plugins.traefik.io/plugins/62947302108ecc83915d7781/LICENSE)\n\n\u003cbr /\u003e\n\nBy applying the above middlewares, we can restrict what IP addresses can access your CSF WebUI, as well as add Authentik's authentication system so that you must authenticate first before getting into the CSF WebUI. These are all optional, and you can apply whatever middlewares you deem fit.\n\n\u003cbr /\u003e\n\nYou must configure the above middleware if you have not added it to Traefik yet. This guide does not go into how to add middleware to Traefik; that information can be found at:\n- https://doc.traefik.io/traefik/middlewares/overview/\n\n\u003cbr /\u003e\n\nOnce you configure these changes in Traefik, you can restart your Traefik docker container. The command for that depends on how you set up the container. If you used `docker-compose.yml`, you can `cd` into the folder with the `docker-compose.yml` file and then execute:\n```shell\ndocker compose down \u0026\u0026 docker compose up -d\n```\n\n\u003cbr /\u003e\n\n### Adding Authentik Provider\nIf you are adding [Authentik](https://goauthentik.io/) as middleware in the steps above, the last thing you must do is log in to your Authentik admin panel and add a new **Provider** so that we can access the CSF WebUI via your domain.\n\n\u003cbr /\u003e\n\nOnce you sign in to the Authentik admin panel, go to the left-side navigation, select **Applications** -\u003e **Providers**. 
Then at the top of the new page, click **Create**.\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 40%;text-align: center;\" src=\"https://github.com/user-attachments/assets/8fe1dfc8-bbdc-4c8c-bc5a-be5b103e7404\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/82e3f027-b058-4b3c-86db-bdc4505a4e4e\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nFor the **provider**, select `Proxy Provider`.\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/086ae998-964f-45e3-8606-ae8a36ecf82c\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nAdd the following provider values:\n- Name: `CSF ForwardAuth`\n- Authentication Flow: `default-source-authentication (Welcome to authentik!)`\n- Authorization Flow: `default-provider-authorization-implicit-consent (Authorize Application)`\n\n\u003cbr /\u003e\n\nSelect **Forward Auth (single application)**:\n- External Host: `https://csf.domain.com`\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/b1d6258a-f53e-4225-a4e9-9f9b5b69b191\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nOnce finished, click **Create**. Then on the left-side menu, select **Applications** -\u003e **Applications**. 
Then at the top of the new page, click **Create**.\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 40%;text-align: center;\" src=\"https://github.com/user-attachments/assets/405fb566-0384-4345-8f07-ad52b9af9358\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/82e3f027-b058-4b3c-86db-bdc4505a4e4e\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nAdd the following parameters:\n- Name: `CSF (ConfigServer Firewall)`\n- Slug: `csf`\n- Group: `Administrative`\n- Provider: `CSF ForwardAuth`\n- Backchannel Providers: `None`\n- Policy Engine Mode: `any`\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/11425a7a-f049-4434-a232-3ea2847145d7\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nSave, and then on the left-side menu, select **Applications** -\u003e **Outposts**:\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 40%;text-align: center;\" src=\"https://github.com/user-attachments/assets/cb975af4-d167-44c5-8587-b366aa591716\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nFind your **Outpost** and edit it.\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/a349423f-6db5-431d-888e-8ba658053b2c\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nMove `CSF (ConfigServer Firewall)` to the right side **Selected Applications** box.\n\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg style=\"width: 80%;text-align: center;\" src=\"https://github.com/user-attachments/assets/b4b882d4-8f41-4af9-b788-cef649a48d24\"\u003e\u003c/p\u003e\n\n\u003cbr /\u003e\n\nYou should be able to access `csf.domain.com` and be prompted now to authenticate with Authentik.\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## IP Sets / Blocklist\nThis repository 
contains a set of ipsets which are automatically updated every `6 hours`. You may add these sets to your ConfigServer Firewall `/etc/csf/csf.blocklists` with the following new line:\n\n```\ncsf|86400|0|https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/blocklists/01_master.ipset\n```\n\n\u003cbr /\u003e\n\n| Set | Description | Importance | View |\n| --- | --- | --- | --- |\n| \u003csub\u003e`01_master.ipset`\u003c/sub\u003e | \u003csub\u003eAbusive IP addresses which have been reported for port scanning and SSH bruteforcing. HIGHLY recommended. \u003cbr\u003e Includes [AbuseIPDB](https://www.abuseipdb.com/), [IPThreat](https://ipthreat.net/), [CinsScore](https://cinsscore.com), [GreensNow](https://blocklist.greensnow.co/greensnow.txt)\u003c/sub\u003e | ⭐⭐⭐⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/blocklists/01_master.ipset) |\n| \u003csub\u003e`01_highrisk.ipset`\u003c/sub\u003e | \u003csub\u003eIPs with highest risk to your network and have a possibility that the activity which comes from them are going to be fraudulent.\u003c/sub\u003e | ⭐⭐⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/blocklists/01_highrisk.ipset) |\n| \u003csub\u003e`02_privacy_general.ipset`\u003c/sub\u003e | \u003csub\u003eServers which scan ports for data collection and research purposes. 
List includes [Censys](https://censys.io), [Shodan](https://www.shodan.io/), [Project25499](https://blogproject25499.wordpress.com/), [InternetArchive](https://archive.org/) \u003c/sub\u003e | ⭐⭐⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/blocklists/02_privacy_general.ipset) |\n| \u003csub\u003e`02_privacy_amazon_aws.ipset`\u003c/sub\u003e | \u003csub\u003eAmazon AWS\u003c/sub\u003e | ⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_amazon_aws.ipset) |\n| \u003csub\u003e`02_privacy_amazon_ec2.ipset`\u003c/sub\u003e | \u003csub\u003eAmazon EC2\u003c/sub\u003e | ⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_amazon_ec2.ipset) |\n| \u003csub\u003e`02_privacy_bing.ipset`\u003c/sub\u003e | \u003csub\u003eBing Crawlers\u003c/sub\u003e | ⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_bing.ipset) |\n| \u003csub\u003e`02_privacy_cloudfront.ipset`\u003c/sub\u003e | \u003csub\u003eCloudfront CDN\u003c/sub\u003e | ⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_cloudfront.ipset) |\n| \u003csub\u003e`02_privacy_fastly.ipset`\u003c/sub\u003e | \u003csub\u003eFastly CDN\u003c/sub\u003e | ⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_fastly.ipset) |\n| \u003csub\u003e`02_privacy_google.ipset`\u003c/sub\u003e | \u003csub\u003eGoogle Crawlers\u003c/sub\u003e | ⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/02_privacy_google.ipset) |\n| \u003csub\u003e`03_spam_forums.ipset`\u003c/sub\u003e | \u003csub\u003eList of known forum / blog spammers and bots\u003c/sub\u003e | ⭐⭐ | [view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/03_spam_forums.ipset) |\n| \u003csub\u003e`03_spam_spamhaus.ipset`\u003c/sub\u003e | \u003csub\u003eBad actor IP addresses registered with Spamhaus\u003c/sub\u003e | ⭐⭐⭐⭐ | 
[view](https://raw.githubusercontent.com/Aetherinox/csf-firewall/main/03_spam_spamhaus.ipset) |\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Download ConfigServer Firewall\nThe latest version of csf can be downloaded from:\n- https://download.configserver.com/csf.tgz\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## References for More Help\nIf you need additional help apart from this guide to configure CSF; use the following pages for more help:\n- Chapter 1: [How to Install and Configure CSF Firewall on Linux](https://tecadmin.net/install-csf-firewall-on-linux/)\n- Chapter 2: [How to Enable CSF Firewall Web UI](https://tecadmin.net/how-to-enable-csf-firewall-web-ui/)\n\n\u003cbr /\u003e\n\n---\n\n\u003cbr /\u003e\n\n## Contributors ✨\nWe are always looking for contributors. If you feel that you can provide something useful to Gistr, then we'd love to review your suggestion. Before submitting your contribution, please review the following resources:\n\n- [Pull Request Procedure](.github/PULL_REQUEST_TEMPLATE.md)\n- [Contributor Policy](CONTRIBUTING.md)\n\n\u003cbr /\u003e\n\nWant to help but can't write code?\n- Review [active questions by our community](https://github.com/Aetherinox/csf-firewall/labels/help%20wanted) and answer the ones you know.\n\n\u003cbr /\u003e\n\n![Alt](https://repobeats.axiom.co/api/embed/a968656a3592fa904ffbcc3abd666aa2d40b8648.svg \"Repobeats analytics image\")\n\n\u003cbr /\u003e\n\nThe following people have helped get this project going:\n\n\u003cbr /\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section --\u003e\n[![Contributors][contribs-all-img]](#contributors-)\n\u003c!-- ALL-CONTRIBUTORS-BADGE:END --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd 
align=\"center\" valign=\"top\"\u003e\u003ca href=\"https://gitlab.com/Aetherinox\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/118329232?v=4?s=40\" width=\"80px;\" alt=\"Aetherinox\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eAetherinox\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/Aetherinox/csf-firewall/commits?author=Aetherinox\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#projectManagement-Aetherinox\" title=\"Project Management\"\u003e📆\u003c/a\u003e \u003ca href=\"#fundingFinding-Aetherinox\" title=\"Funding Finding\"\u003e🔍\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003c/div\u003e\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\n\u003cbr /\u003e\n\u003cbr /\u003e\n\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\n\u003c!-- BADGE \u003e GENERAL --\u003e\n  [general-npmjs-uri]: https://npmjs.com\n  [general-nodejs-uri]: https://nodejs.org\n  [general-npmtrends-uri]: http://npmtrends.com/csf-firewall\n\n\u003c!-- BADGE \u003e VERSION \u003e GITHUB --\u003e\n  [github-version-img]: https://img.shields.io/github/v/tag/Aetherinox/csf-firewall?logo=GitHub\u0026label=Version\u0026color=ba5225\n  [github-version-uri]: https://github.com/Aetherinox/csf-firewall/releases\n\n\u003c!-- BADGE \u003e VERSION \u003e NPMJS --\u003e\n  [npm-version-img]: https://img.shields.io/npm/v/csf-firewall?logo=npm\u0026label=Version\u0026color=ba5225\n  [npm-version-uri]: https://npmjs.com/package/csf-firewall\n\n\u003c!-- BADGE \u003e VERSION \u003e PYPI --\u003e\n  [pypi-version-img]: https://img.shields.io/pypi/v/csf-firewall-plugin\n  [pypi-version-uri]: https://pypi.org/project/csf-firewall-plugin/\n\n\u003c!-- BADGE \u003e LICENSE \u003e MIT --\u003e\n  [license-mit-img]: 
https://img.shields.io/badge/MIT-FFF?logo=creativecommons\u0026logoColor=FFFFFF\u0026label=License\u0026color=9d29a0\n  [license-mit-uri]: https://github.com/Aetherinox/csf-firewall/blob/main/LICENSE\n\n\u003c!-- BADGE \u003e GITHUB \u003e DOWNLOAD COUNT --\u003e\n  [github-downloads-img]: https://img.shields.io/github/downloads/Aetherinox/csf-firewall/total?logo=github\u0026logoColor=FFFFFF\u0026label=Downloads\u0026color=376892\n  [github-downloads-uri]: https://github.com/Aetherinox/csf-firewall/releases\n\n\u003c!-- BADGE \u003e NPMJS \u003e DOWNLOAD COUNT --\u003e\n  [npmjs-downloads-img]: https://img.shields.io/npm/dw/%40aetherinox%2Fcsf-firewall?logo=npm\u0026\u0026label=Downloads\u0026color=376892\n  [npmjs-downloads-uri]: https://npmjs.com/package/csf-firewall\n\n\u003c!-- BADGE \u003e GITHUB \u003e DOWNLOAD SIZE --\u003e\n  [github-size-img]: https://img.shields.io/github/repo-size/Aetherinox/csf-firewall?logo=github\u0026label=Size\u0026color=59702a\n  [github-size-uri]: https://github.com/Aetherinox/csf-firewall/releases\n\n\u003c!-- BADGE \u003e NPMJS \u003e DOWNLOAD SIZE --\u003e\n  [npmjs-size-img]: https://img.shields.io/npm/unpacked-size/csf-firewall/latest?logo=npm\u0026label=Size\u0026color=59702a\n  [npmjs-size-uri]: https://npmjs.com/package/csf-firewall\n\n\u003c!-- BADGE \u003e CODECOV \u003e COVERAGE --\u003e\n  [codecov-coverage-img]: https://img.shields.io/codecov/c/github/Aetherinox/csf-firewall?token=MPAVASGIOG\u0026logo=codecov\u0026logoColor=FFFFFF\u0026label=Coverage\u0026color=354b9e\n  [codecov-coverage-uri]: https://codecov.io/github/Aetherinox/csf-firewall\n\n\u003c!-- BADGE \u003e ALL CONTRIBUTORS --\u003e\n  [contribs-all-img]: https://img.shields.io/github/all-contributors/Aetherinox/csf-firewall?logo=contributorcovenant\u0026color=de1f6f\u0026label=contributors\n  [contribs-all-uri]: https://github.com/all-contributors/all-contributors\n\n\u003c!-- BADGE \u003e GITHUB \u003e BUILD \u003e NPM --\u003e\n  [github-build-img]: 
https://img.shields.io/github/actions/workflow/status/Aetherinox/csf-firewall/npm-release.yml?logo=github\u0026logoColor=FFFFFF\u0026label=Build\u0026color=%23278b30\n  [github-build-uri]: https://github.com/Aetherinox/csf-firewall/actions/workflows/npm-release.yml\n\n\u003c!-- BADGE \u003e GITHUB \u003e BUILD \u003e Pypi --\u003e\n  [github-build-pypi-img]: https://img.shields.io/github/actions/workflow/status/Aetherinox/csf-firewall/release-pypi.yml?logo=github\u0026logoColor=FFFFFF\u0026label=Build\u0026color=%23278b30\n  [github-build-pypi-uri]: https://github.com/Aetherinox/csf-firewall/actions/workflows/pypi-release.yml\n\n\u003c!-- BADGE \u003e GITHUB \u003e TESTS --\u003e\n  [github-tests-img]: https://img.shields.io/github/actions/workflow/status/Aetherinox/csf-firewall/npm-tests.yml?logo=github\u0026label=Tests\u0026color=2c6488\n  [github-tests-uri]: https://github.com/Aetherinox/csf-firewall/actions/workflows/npm-tests.yml\n\n\u003c!-- BADGE \u003e GITHUB \u003e COMMIT --\u003e\n  [github-commit-img]: https://img.shields.io/github/last-commit/Aetherinox/csf-firewall?logo=conventionalcommits\u0026logoColor=FFFFFF\u0026label=Last%20Commit\u0026color=313131\n  [github-commit-uri]: https://github.com/Aetherinox/csf-firewall/commits/main/\n\n\u003c!-- prettier-ignore-end --\u003e\n\u003c!-- markdownlint-restore --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faetherinox%2Fcsf-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faetherinox%2Fcsf-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faetherinox%2Fcsf-firewall/lists"}