IPSET for CPanel/WHM and CSF

If you use CSF (ConfigServer Firewall) on a CPanel/WHM system and you block a lot of IP addresses, performance can degrade on your server.

One way to improve performance is to install IPSET and then plug that into CSF.

It’s a simple two-step process:

1. In WHM, go to Software -> Install an RPM, wait for it to load the package list and then scroll down to find ipset. Highlight ipset and then click on the Install button.

2. Go into CSF, click on Firewall Configuration, page down to General Settings, find the LF_IPSET item and set it to 1. Click the Change button at the bottom of the page and then click the Restart CSF+LFD button.

That’s it. If you have a large IP deny list or you’re doing country bans, you should find things move a little quicker on your server now.
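To confirm both steps took effect, this added example (not from the original post) reads LF_IPSET from a csf.conf-style file and summarises `ipset list` output as members versus maxelem per set. The /etc/csf/csf.conf path and the KEY = "value" layout are assumptions about a standard CSF install; the sample data and the demo_small set are constructed.

```shell
# Added example: check the LF_IPSET setting and report how full each set is.
# Assumption: csf.conf holds KEY = "value" lines, normally at /etc/csf/csf.conf.
lf_ipset_value() {
    awk -F'"' '/^[[:space:]]*LF_IPSET[[:space:]]*=/ { v = $2 } END { print v }' "$1"
}

# Read `ipset list` output on stdin; print "name members maxelem percent_used".
ipset_usage() {
    awk '
        function emit() {
            if (name != "") printf "%s %d %d %d\n", name, n, max, (max ? n * 100 / max : 0)
        }
        /^Name:/    { emit(); name = $2; n = 0; max = 0; inmem = 0; next }
        /^Header:/  { for (i = 1; i < NF; i++) if ($i == "maxelem") max = $(i + 1) + 0; next }
        /^Members:/ { inmem = 1; next }
        inmem && NF { n++ }
        END         { emit() }
    '
}

# Constructed sample in the format `ipset list` prints; addresses come from the
# documentation ranges and demo_small is a made-up set that is at capacity.
sample_ipset_list() {
    cat <<'EOF'
Name: chain_DENY
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 22288
References: 2
Members:
192.0.2.10
198.51.100.0/24

Name: demo_small
Type: hash:net
Header: family inet hashsize 64 maxelem 2
Size in memory: 512
References: 1
Members:
192.0.2.1
192.0.2.2
EOF
}

# Demo on the sample. On a server: lf_ipset_value /etc/csf/csf.conf; ipset list | ipset_usage
sample_ipset_list | ipset_usage
```

A set whose member count reaches maxelem cannot take further entries, so a percentage near 100 is the value to watch on a large deny list.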

Note: IPSET is not yet supported in Virtuozzo containers. According to this bug report it should be available from OpenVZ 3.10+ kernels.

4 comments
  1. I have CSF installed. IPSET is also installed.

    If I run ipset list I see the following.

    Name: chain_DENY
    Type: hash:net
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 22288
    References: 2
    Members:
    104.168.146.254
    104.219.41.47
    69.197.147.130
    … … … and so on and so on.

    If I run Check Server Security I see the following

    csf running check iptables is not configured. You need to start csf

    But CSF is running
    Firewall Status: Enabled and Running

    I also tested the IP tables
    Testing ip_tables/iptable_filter…OK
    Testing ipt_LOG…OK
    Testing ipt_multiport/xt_multiport…OK
    Testing ipt_REJECT…OK
    Testing ipt_state/xt_state…OK
    Testing ipt_limit/xt_limit…OK
    Testing ipt_recent…OK
    Testing xt_connlimit…OK
    Testing ipt_owner/xt_owner…OK
    Testing iptable_nat/ipt_REDIRECT…OK
    Testing iptable_nat/ipt_DNAT…OK

    RESULT: csf should function on this server

    Any thoughts about what is happening?

  2. Thank you, it’s my own server running CentOS with cPanel.

    It never used to display that error and from everything I can tell the firewall is still functioning properly.

    Any suggestions what I could try? (rather hoping to not have to reinstall)

  3. Hi Edward,

    If you set IPSET to off in the CSF config, does CSF start okay without issuing any error messages?

    I was just asking to be sure IPSET is what’s causing the problem here.
