Uninstall CSF
This section of the guide explains how to uninstall ConfigServer Firewall and the LFD daemon from your server entirely.
Uninstall
If you have decided that you'd like to part ways with CSF, uninstalling the application is extremely easy, as it only requires you to run the uninstall script. Pick one of the two options listed below:
- Runs uninstall.sh; uses the shebang interpreter; requires executable +x permission
- Runs uninstall.sh; uses the sh shell; executable permission not required
Dependencies & packages not removed
Running the CSF uninstaller will not remove extra dependencies such as perl, ipset, or gd-library. You must uninstall these yourself.
Running the uninstall script will perform a series of actions, including:
- Stop and unregister the services csf.service and lfd.service
- Delete the service files within /usr/lib/systemd/system/
- Reload the systemctl daemon
- Delete binaries stored in /usr/sbin/
- Delete main folder /etc/csf
- Delete pre and post scripts from /usr/local/csf and /usr/local/include/csf
- Delete temp allow/ban lists from /var/lib/csf
- Delete man pages from /usr/local/man/
- Delete initialization scripts in /sbin/chkconfig and /etc/init.d/
- Delete logs stored in /etc/logrotate.d/
- Delete WHM / cPanel integration scripts from /usr/local/cpanel/whostmgr/ and /usr/local/cpanel/Cpanel/
- Delete Interworx integration scripts from /usr/local/interworx/plugins/
- Delete CWP integration scripts from /usr/local/cwpsrv/
- Delete CyberPanel integration scripts from /usr/local/CyberCP/ and /home/cyberpanel/plugins
- Delete VestaCP integration scripts from /usr/local/vesta
- Delete DirectAdmin integration scripts from /usr/local/directadmin/data/admin/services.status
- Delete crons registered in /etc/cron.d/
Clean Iptables
Uninstalling CSF does not clean up your existing iptables rules. These rules will still sit in iptables until you do one of two things:
- Restart your server
- Manually wipe your iptables
If you would like to clean your iptables and remove any existing firewall rules from your server, you can run the following commands in order:
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
An optional step is to verify that your iptables chains are not restricting incoming or outgoing connections. You can modify the state of your chains using the commands below.
Danger! This will leave your server exposed
Setting all three primary iptables chains to ACCEPT will remove all firewall protection from your server. Only do this if you fully understand the risks and truly intend to leave your server unprotected.
Even if you’ve removed CSF from your system, you still have the option of using iptables as a standalone firewall.
You can now confirm that your iptables are empty and your chains have the default policy ACCEPT:
You should see the following:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 6508 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
No IP addresses should be listed under each chain, and you should see policy ACCEPT to the right of each chain name.
Docker Users
If you are running Docker on your server and you remove CSF, you may notice that your Docker containers are no longer accessible. You may also receive errors in your terminal if you attempt to start up or shut down any of your containers, such as the following:
docker: Error response from daemon: driver failed programming
external connectivity on endpoint portainer1 (XXX):
(iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 9000 -j ACCEPT:
iptables: No chain/target/match by that name.
- To correct these errors, ensure you complete the steps:
Restart Service
After you have completed all other steps, simply give your docker service a restart.
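The following shell check is an added example, not part of the CSF documentation. It reads iptables -S output for the filter table and reports whether any non-ACCEPT policy, user-defined chain or rule survived the flush described under Clean Iptables, and whether the DOCKER chain named in the error above exists. The function names and both sample rulesets (including the chain names in them) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output (read on stdin) after removing CSF.

# Count what is left: policies other than ACCEPT, user chains (-N), rules (-A).
ruleset_summary() {
    awk '
        $1 == "-P" && $3 != "ACCEPT" { pol++ }
        $1 == "-N"                   { chains++ }
        $1 == "-A"                   { rules++ }
        END { printf "non_accept_policies=%d user_chains=%d rules=%d\n", pol, chains, rules }
    '
}

# Succeeds only for the state the page describes: empty chains, policy ACCEPT.
ruleset_is_empty() {
    [ "$(ruleset_summary)" = "non_accept_policies=0 user_chains=0 rules=0" ]
}

# Succeeds when chain $1 is declared. The Docker error on this page is
# iptables reporting that the DOCKER chain does not exist.
has_chain() {
    grep -q -x -F -e "-N $1"
}

# Constructed sample: a filter table that still carries leftover rules.
SAMPLE_LEFTOVER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOCALINPUT
-N LOGDROPIN
-A INPUT -j LOCALINPUT
-A LOCALINPUT -s 203.0.113.7/32 -j LOGDROPIN
-A LOGDROPIN -j DROP'

# Constructed sample: the same table after the flush, policies set to ACCEPT.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Demo on the samples; on a live host use: sudo iptables -S | ruleset_summary
printf '%s\n' "$SAMPLE_LEFTOVER" | ruleset_summary
printf '%s\n' "$SAMPLE_FLUSHED" | ruleset_summary
printf '%s\n' "$SAMPLE_FLUSHED" | has_chain DOCKER \
    || echo "DOCKER chain missing: restart the docker service"
```

Once the Docker service has been restarted, the filter table is expected to contain Docker's own chains again, so ruleset_is_empty applies to the state before that restart.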