Cheatsheet: Structure ¶

This page provides a summary of the files and folders associated with ConfigServer Security & Firewall (CSF). Use it as a reference to locate and edit specific configuration files or resources.

📁 Directory Structure¶

Directories associated with ConfigServer Filewall which house all of the files used to configure and manage CSF.

Folder	Description
`/etc/csf/`	CSF configuration files, blocklists, whitelists, etc
`/var/lib/csf/`	Runtime data, temporary files, and logs for CSF and LFD
`/var/lib/csf/ui`	Runtime data and cache for the CSF WebUI.
`/usr/local/csf/bin/`	Pre & post initialzation scripts `csfpre.sh` and `csfpost.sh`, test script `csftest.pl`, and csf uninstaller `uninstall.sh`
`/usr/local/csf/lib/`	Perl modules and static data
`/usr/local/csf/profiles/`	Pre-configured CSF setup profiles
`/usr/local/csf/tpl/`	Email alert templates
`/usr/local/include/csf/pre.d/`	Scripts to execute when CSF started. Runs before CSF configures iptables. These are triggered by `/usr/local/csf/bin/csfpre.sh`
`/usr/local/include/csf/post.d/`	Scripts to execute when CSF started. Runs after CSF configures iptables. These are triggered by `/usr/local/csf/bin/csfpost.sh`

📄 File Structure¶

Files associated with ConfigServer Firewall configuration and management.

File	Description
`/etc/csf/changelog.txt`	List of changes made to each release of CSF / LFD
`/etc/csf/cpanel.allow`	List of addresses allowed through iptables for unimpeded access to cpanel license servers
`/etc/csf/cpanel.comodo.allow`	List of Sectigo (Comodo) IPs explicitly allowed through iptables to ensure AutoSSL connections are never blocked.
`/etc/csf/cpanel.comodo.ignore`	List of Sectigo (Comodo) IPs ignored by LFD’s login/banning system to prevent them from being auto-blocked.
`/etc/csf/cpanel.allow`	List of addresses which ensure traffic from cPanel’s license servers is explicitly allowed through iptables.
`/etc/csf/cpanel.ignore`	List of addresses from cPanel’s license servers that are excluded from LFD (Login Failure Daemon) monitoring.
`/etc/csf/csf.allow`	List of IP's & CIDR addresses allowed through the firewall
`/etc/csf/csf.blocklists`	URLs for external blocklists used by CSF to block malicious IPs
`/etc/csf/csf.cloudflare`	Contains configuration elements for the `CF_ENABLE` CloudFlare feature
`/etc/csf/csf.conf`	Main configuration file
`/etc/csf/csf.deny`	IP's and CIDR addresses that should never be allowed through the firewall
`/etc/csf/csf.dirwatch`	Directories & files you want to be alerted when changed. Must specify full paths for entries
`/etc/csf/csf.dyndns`	IPs & hostnames of systems that are dynamically updated (like via a dynamic DNS service)
`/etc/csf/csf.fignore`	Files that lfd directory watching will ignore. You must specify the full path to the file
`/etc/csf/csf.ignore`	IP's & CIDR addresses that the login failure daemon should ignore and not not block if detected
`/etc/csf/csf.logfiles`	Log files for the `LOGSCANNER` feature
`/etc/csf/csf.logignore`	Regular expressions for the `LOGSCANNER` feature. If a line matches it will be ignored, otherwise it will be reported
`/etc/csf/csf.mignore`	Usernames and local IP addresses that `RT_LOCALRELAY_ALERT` will ignore
`/etc/csf/csf.pignore`	Processes LFD should ignore (for example, trusted services).
`/etc/csf/csf.rblconf`	Optional entries for the IP checking against RBLs within csf
`/etc/csf/csf.redirect`	Port and/or IP address assignments to direct traffic to alternative ports/IP addresses
`/etc/csf/csf.resellers`	Reseller accounts to allow access to limited csf functionality.
`/etc/csf/csf.rignore`	Domains & partial domain that lfd process tracking will ignore based on reverse & forward DNS lookups
`/etc/csf/csf.signore`	Files that `LF_SCRIPT_ALERT` will ignore. Specify the full path to the directory containing the script
`/etc/csf/csf.sips`	List any server configured IP addresses for which you don't want to allow any incoming or outgoing traffic
`/etc/csf/csf.smtpauth`	Will allow EXIM to advertise SMTP AUTH. One IP address per line.
`/etc/csf/csf.suignore`	Usernames that are ignored during the `LF_EXPLOIT` SUPERUSER check
`/etc/csf/csf.syslogs`	Log files for the UI System Log Watch and Search features. IF they exists they will apear in the drop-down lists
`/etc/csf/csf.syslogusers`	Usernames which should be allowed to log via syslog/rsyslog
`/etc/csf/csf.uidignore`	User ID's (UID) that are ignored by the User ID Tracking feature
`/etc/csf/downloadservers`	Servers that will be pinged to fetch updates for CSF
`/etc/csf/ui/ui.allow`	IPs allowed to access the CSF WebUI. IPs in this file bypass CSF's IP restrictions for the web ui
`/etc/csf/ui/ui.ban`	IPs that are explicitly denied access to the CSF WebUI
`/lib/systemd/system/csf.service`	Service file for csf (Login Failure Daemon)
`/lib/systemd/system/lfd.service`	Service file for lfd (ConfigServer Firewall)
`/var/lib/csf/lfd.log`	Main LFD log file recording login attempts, blocked IPs, and alerts.
`/var/lib/csf/lfd.pid`	PID file for Login Failure Daemon (LFD).

Advanced Structure¶

We have provided a very detailed tree below that make up CSF and LFD's entire structure. This assists you with locating specific files that you may need to modify. Each file or folder will contain an icon; we have provided a list below to be used as an icon lenend:

/etc/csf/¶

The files within the subfolder /etc/csf contain most of your configurable files, including the main csf.conf configuration file. This location also holds all of your allow and block lists that will be used to restrict access to your server and to your CSF web interface (if enabled).

└── etc └── csf ├── alerts -> /usr/local/csf/tpl ├── changelog.txt ├── cpanel.allow ├── cpanel.comodo.allow ├── cpanel.comodo.ignore ├── cpanel.ignore ├── csf.allow ├── csf.blocklists ├── csf.cloudflare ├── csf.conf ├── csf.deny ├── csf.dirwatch ├── csf.dyndns ├── csf.fignore ├── csf.ignore ├── csf.logfiles ├── csf.logignore ├── csf.mignore ├── csf.pignore ├── csf.pl -> /usr/sbin/csf ├── csf.rblconf ├── csf.redirect ├── csf.resellers ├── csf.rignore ├── csf.signore ├── csf.sips ├── csf.smtpauth ├── csf.suignore ├── csf.syslogs ├── csf.syslogusers ├── csftest.pl -> /usr/local/csf/bin/csftest.pl ├── csf.uidignore ├── csfwebmin.tgz -> /usr/local/csf/csfwebmin.tgz ├── downloadservers ├── install.txt ├── lfd.pl -> /usr/sbin/lfd ├── license.txt ├── messenger │ ├── en.php │ ├── index.html │ ├── index.php │ ├── index.recaptcha.html │ ├── index.recaptcha.php │ └── index.text ├── pt_deleted_action.pl -> /usr/local/csf/bin/pt_deleted_action.pl ├── readme.txt ├── regex.custom.pm -> /usr/local/csf/bin/regex.custom.pm ├── remove_apf_bfd.sh -> /usr/local/csf/bin/remove_apf_bfd.sh ├── ui │ ├── images │ │ ├── admin_icon.svg │ │ ├── bootstrap │ │ │ ├── css │ │ │ │ ├── bootstrap.min.css │ │ │ │ └── bootstrap.min.css.map │ │ │ ├── fonts │ │ │ │ ├── glyphicons-halflings-regular.eot │ │ │ │ ├── glyphicons-halflings-regular.svg │ │ │ │ ├── glyphicons-halflings-regular.ttf │ │ │ │ ├── glyphicons-halflings-regular.woff │ │ │ │ └── glyphicons-halflings-regular.woff2 │ │ │ └── js │ │ │ └── bootstrap.min.js │ │ ├── bootstrap-chosen.css │ │ ├── chosen.min.css │ │ ├── chosen.min.js │ │ ├── chosen-sprite@2x.png │ │ ├── chosen-sprite.png │ │ ├── configserver.css │ │ ├── csf-loader.gif │ │ ├── csf-logo-alt.svg │ │ ├── csf-logo.svg │ │ ├── csf_small.png │ │ ├── csf.svg │ │ ├── jquery.min.js │ │ ├── LICENSE.txt │ │ ├── loader.gif │ │ └── reseller_icon.svg │ ├── server.crt │ ├── server.key │ ├── ui.allow │ └── ui.ban ├── uninstall.sh -> /usr/local/csf/bin/uninstall.sh ├── version.txt └── webmin -> /usr/local/csf/lib/webmin

/usr/local/csf/¶

The files and subfolders of this path contain most of the functionality for CSF and LFD. For most scenarios, you should not need to modify any of the files here.

The one exception is the tpl subfolder, which contains all of the email alert templates. However, you can also find these within /etc/csf/alerts

└── usr └── local └── csf ├── bin │ ├── csfpre.sh │ └── csfpost.sh │ ├── csftest.pl │ ├── pt_deleted_action.pl │ ├── regex.custom.pm │ ├── remove_apf_bfd.sh │ └── uninstall.sh ├── csfwebmin.tgz ├── lib │ ├── ConfigServer │ │ ├── AbuseIP.pm │ │ ├── CheckIP.pm │ │ ├── CloudFlare.pm │ │ ├── Config.pm │ │ ├── cseUI.pm │ │ ├── DisplayResellerUI.pm │ │ ├── DisplayUI.pm │ │ ├── GetEthDev.pm │ │ ├── GetIPs.pm │ │ ├── KillSSH.pm │ │ ├── Logger.pm │ │ ├── LookUpIP.pm │ │ ├── Messenger.pm │ │ ├── Ports.pm │ │ ├── RBLCheck.pm │ │ ├── RBLLookup.pm │ │ ├── RegexMain.pm │ │ ├── Sanity.pm │ │ ├── Sendmail.pm │ │ ├── ServerCheck.pm │ │ ├── ServerStats.pm │ │ ├── Service.pm │ │ ├── Slurp.pm │ │ └── URLGet.pm │ ├── Crypt │ │ ├── Blowfish_PP.pm │ │ └── CBC.pm │ ├── csfajaxtail.js │ ├── csf.div │ ├── csf.help │ ├── csf.rbls │ ├── HTTP │ │ └── Tiny.pm │ ├── JSON │ │ └── Tiny.pm │ ├── Net │ │ ├── CIDR │ │ │ └── Lite.pm │ │ └── IP.pm │ ├── restricted.txt │ ├── sanity.txt │ ├── version │ │ ├── regex.pm │ │ └── vpp.pm │ ├── version.pm │ └── webmin │ └── csf │ ├── images │ │ ├── admin_icon.svg │ │ ├── bootstrap │ │ │ ├── css │ │ │ │ ├── bootstrap.min.css │ │ │ │ └── bootstrap.min.css.map │ │ │ ├── fonts │ │ │ │ ├── glyphicons-halflings-regular.eot │ │ │ │ ├── glyphicons-halflings-regular.svg │ │ │ │ ├── glyphicons-halflings-regular.ttf │ │ │ │ ├── glyphicons-halflings-regular.woff │ │ │ │ └── glyphicons-halflings-regular.woff2 │ │ │ └── js │ │ │ └── bootstrap.min.js │ │ ├── bootstrap-chosen.css │ │ ├── chosen.min.css │ │ ├── chosen.min.js │ │ ├── chosen-sprite@2x.png │ │ ├── chosen-sprite.png │ │ ├── configserver.css │ │ ├── csf-loader.gif │ │ ├── csf-logo-alt.svg │ │ ├── csf-logo.svg │ │ ├── csf_small.png │ │ ├── csf.svg │ │ ├── jquery.min.js │ │ ├── LICENSE.txt │ │ ├── loader.gif │ │ └── reseller_icon.svg │ ├── index.cgi │ └── module.info ├── profiles │ ├── block_all_perm.conf │ ├── block_all_temp.conf │ ├── disable_alerts.conf │ ├── protection_high.conf │ ├── protection_low.conf │ ├── protection_medium.conf │ └── reset_to_defaults.conf └── tpl ├── accounttracking.txt ├── alert.txt ├── apache.https.txt ├── apache.http.txt ├── apache.main.txt ├── connectiontracking.txt ├── consolealert.txt ├── cpanelalert.txt ├── exploitalert.txt ├── filealert.txt ├── forkbombalert.txt ├── integrityalert.txt ├── litespeed.https.txt ├── litespeed.http.txt ├── litespeed.main.txt ├── loadalert.txt ├── logalert.txt ├── logfloodalert.txt ├── modsecipdbalert.txt ├── netblock.txt ├── permblock.txt ├── portknocking.txt ├── portscan.txt ├── processtracking.txt ├── queuealert.txt ├── recaptcha.txt ├── relayalert.txt ├── resalert.txt ├── reselleralert.txt ├── scriptalert.txt ├── sshalert.txt ├── sualert.txt ├── sudoalert.txt ├── syslogalert.txt ├── tracking.txt ├── uialert.txt ├── uidscan.txt ├── usertracking.txt ├── watchalert.txt ├── webminalert.txt └── x-arf.txt

/usr/local/include/csf/¶

This folder contains your own custom pre and post initialization scripts for CSF. These scripts control the execution of custom Bash scripts before and after CSF applies firewall rules to your IP tables.

Drop custom bash scripts in the pre.d folder if you want to modify your iptables before CSF injects its own rules into iptables.
Drop custom bash scripts in the post.d folder if you want to modify your iptables after CSF injects its own rules into iptables.

└── usr └── local └── include └── csf └── pre.d └── custom_script.sh └── post.d └── custom_script.sh

/var/lib/csf/¶

This folder contains your csf.conf backups and also stores files generated by the integrated statistics module, including charts. While backups can be accessed directly from the CSF web interface, this folder is primarily for internal use. You generally won’t need to interact with it, and it’s important not to modify any of the files stored here.

└── var └── lib └── csf └── backup │ └── 1759876810_pre_v15_01_upgrade ├── Geo ├── lock │ └── command.lock ├── stats ├── ui ├── webmin └── zone

/usr/sbin/¶

The /usr/sbin folder contains the two most important files, which are the main CSF and LFD binary files. These files are responsible for how CSF and LFD behave and contain the core code.

└── user └── sbin ├── csf └── lfd

/lib/systemd/system¶

The /usr/sbin folder contains the CSF and LFD services which are responsible for bringing the two servces online.

└── lib └── systemd └── system ├── csf.service └── lfd.service

Patcher Files¶

The following files are associated with the ConfigServer Firewall scripts located in this repo's extras/scripts folder. These scripts add special iptable rules so that CSF can communicate with Docker & OpenVPN.

File	Description
`/usr/local/csf/bin/csfpre.sh`	Loader for pre scripts. Runs before CSF adds firewall rules.
`/usr/local/csf/bin/csfpost.sh`	Loader for post scripts. Runs after CSF adds firewall rules.
`/usr/local/include/csf/post.d/docker.sh`	Patch adds specific Docker network compatibility to CSF.
`/usr/local/include/csf/post.d/openvpn.sh`	Patch adds specific OpenVPN rules to CSF to allow VPN connections.