How to install and configure CSF on Plesk Servers
By default, and just like cPanel Servers, Plesk does not come packaged with a firewall. A Firewall is essential to keep your Plesk server secure. CSF is a free firewall that can be installed on your Plesk server as an alternative to the Plesk Firewall. With a little configuration, CSF will work as well as paid alternatives like the Juggernaut Security and Firewall extension.
Since cPanel increased the cost of licenses, more and more people have turned to Plesk and other control panels like DirectAdmin to keep costs down. Paying for extensions in your Plesk server can soon mean that the monthly cost of your subscription increases by a lot.
Install CSF Plesk Server
To install CSF on your Plesk server download the files and unzip them
cd /usr/src rm -fv csf.tgz wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf sh install.sh
CSF is not configured automatically when installed on a Plesk server like it is on a cPanel server so we need to make some configuration changes. Open up the configuration file and make the following changes.
Edit the basic settings and ports section to allow the ports required by Plesk.
TESTING = "0" RESTRICT_SYSLOG = "3" Allow incoming TCP ports TCP_IN = "20,21,25,53,80,106,110,111,143,443,465,587,865,873,993,995,8443,8880" Allow outgoing TCP ports TCP_OUT = "20,21,22,25,80,110,443,43,873,8443" Allow incoming UDP ports UDP_IN = "53,111,123,230,631,859,862,2109,5353" Allow outgoing UDP ports To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123,2109"
In the same file, set the correct Email SMTP ports and users. You can use CNTRL+W to search for these sections.
LF_DAEMON = “1” SMTP_BLOCK = “1” SMTP_ALLOWLOCAL = “1” SMTP_PORTS = “25,587” SMTP_ALLOWUSER = “qmaild,qmaill,qmailp,qmailq,qmailr,qmails” SMTP_ALLOWGROUP = “qmail,nofiles,mail,mailman”
Set Notification Settings
In the same file use CNTRL+W to search for these sections and set the correct email addresses.
LF_ALERT_TO = “email@example.com” LF_ALERT_FROM = “firstname.lastname@example.org”
Whitelist Plesk Users and Processes
In the /etc/csf/csf.pignore file add the following code to whitelist the required users and processes. Just append this to the bottom of the file.
user:admin exe:/var/qmail/bin/qmail-smtpd exe:/usr/bin/imapd exe:/var/qmail/bin/qmail-queue exe:/usr/bin/pop3d exe:/var/qmail/bin/qmail-send cmd:qmail-send cmd:/usr/bin/pop3d Maildir cmd:/var/qmail/bin/qmail-queue cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true cmd:/usr/bin/imapd Maildir exe:/var/qmail/bin/qmail-rspawn cmd:qmail-rspawn exe:/var/qmail/bin/qmail-clean cmd:qmail-clean exe:/usr/sbin/clamd cmd:clamd exe:/var/qmail/bin/splogger cmd:splogger qmail exe:/var/qmail/bin/qmail-remote.moved user:qmaill user:popuser user:qmaild user:qmails user:qmailr user:qmailq user:qscand exe:/usr/sbin/avahi-daemon user:avahi exe:/usr/local/sbin/zabbix_agentd cmd:/usr/local/sbin/zabbix_agentd user:zabbix exe:/usr/bin/sw-engine-cgi cmd:/usr/bin/sw-engine-cgi user:sso exe:/usr/sbin/sw-cp-serverd cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config user:sw-cp-server exe:/usr/bin/sw-engine-cgi cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm user:psaadm exe:/usr/libexec/mysqld cmd:/usr/libexec/mysqld –basedir=/usr –datadir=/var/lib/mysql –user=mysql –pid-file=/var/run/mysqld/mysqld.pid –skip-external-locking –socket=/var/lib/mysql/mysql.sock user:mysql exe:/usr/libexec/hald-addon-acpi exe:/usr/sbin/hald cmd:hald user:haldaemon exe:/usr/bin/postgres user:postgres exe:/sbin/portmap cmd:portmap user:rpc exe:/usr/bin/xfs cmd:xfs -droppriv -daemon user:xfs exe:/usr/bin/python cmd:/usr/bin/python pexe: /usr/lib/mailman/bin/qrunner –runner=VirginRunner:0:1 -s user:mailman exe:/usr/java/jdk1.6.0_20/bin/java user:tomcat
The list is extensive but we have tried to include all services even if you might not need them at the moment. This saves having to edit the CSF configuration at a later time. Now you are ready to start CSF.
systemctl enable csf systemctl enable lfd systemctl start csf systemctl start lfd
You have now configured CSF and LFD to work with your Plesk server. You can control CSF from the command line. Our guide on useful CSF commands should help you manage your firewall effectively.