
Latest CSF Alternative (just released) by cPGuard.

dustinc Member, Patron Provider, Top Host

Most of us saw the news that CSF is officially retired. For years it’s been the default firewall solution across the industry, leaving a lot of admins and providers looking for the next best CSF alternative.

cPGuard just introduced their own firewall to fill that role -- moving away from the legacy iptables/ipset approach and building fully on nftables instead, with migration support for existing CSF configs. Looks solid so far.

We’ve had excellent experiences with cPGuard overall, so we’ll be testing this new firewall and rolling it out on our shared hosting servers over the coming weeks.

More info here: https://www.opsshield.com/blog/csf-retired-meet-the-new-cpguard-firewall/

Now that it’s been nearly a month since ConfigServer officially shut down -- what is everyone else doing? Sticking with CSF on its last release, or planning to move on to something newer? My personal thought is that while you can technically keep running CSF, it’s probably due for replacement anyway, especially with nftables being the more modern and future-ready approach.

Comments

  • @dustinc Their sys requirements shows 'Debian 10/11', is that your findings also?

  • dustinc Member, Patron Provider, Top Host

    @ipguru said:
    @dustinc Their sys requirements shows 'Debian 10/11', is that your findings also?

    Hi @ipguru – Out of curiosity, where are you seeing that? Looks like the docs show a wide variety of OS support, not just Debian 10/11: https://opsshield.com/help/cpguard/system-requirements/

    We’ve been running cPGuard for years on CloudLinux OS 7 and 8, and more recently on CloudLinux OS 9 as part of our next-gen hosting platform deployments: https://blog.racknerd.com/racknerd-unveils-next-generation-shared-reseller-hosting-platform-powered-by-ryzen-nvme-and-cloudlinux-9/ — all without issues.

  • Interesting, what I saw was most of the way down the page at https://www.opsshield.com/cpguard-pricing.html

    Thanks for the clarification.

  • dustinc Member, Patron Provider, Top Host

    @ipguru said:
    Interesting, what I saw was most of the way down the page at https://www.opsshield.com/cpguard-pricing.html

    Thanks for the clarification.

    Ah gotcha, I see what you mean. Yeah, I couldn’t imagine them limiting things strictly to Debian. cPanel (which I’d guess the vast majority of cPGuard users are running) has always been more RHEL-based, and only fairly recently added Ubuntu support — which honestly, you don’t see too often in production with cPanel anyway.

  • @dustinc said: Sticking with CSF on its last release, or planning to move on to something newer?

    Great to see paid alternatives to CSF with Imunify and cPGuard, though what made CSF Firewall great besides ease of use was that it was free :) Even on bulk $7/month per server pricing, for 100,000 servers would be $700,000 per month LOL

    For my Centmin Mod users, in the short term, set up my own CSF Firewall download mirror with restored download/version check support https://github.com/centminmod/configserver-scripts/blob/main/README-gpl-csf.md and the ability to use other 3rd party mirrors in future. In the last 4 weeks, served 1.5 million requests from the CSF Firewall mirror B)

    I still hope that someone will take over CSF Firewall development. However, for my specific use case, one of many ideas is also to work on a CSF-like wrapper to direct full nftables support, called csfa for Centmin Mod.

    csfa -h
    
    === CSFA Help ===
    csfa - CSF-like nftables wrapper (v1.3.1)
    
    Usage:
      csfa [-debug] [-method auto|json|text] <command> [args]
    
    Global flags:
      -method auto|json|text   Prefer JSON (with jq) or plain text parsing. Default: auto
      -debug                   Verbose logs
      -V, --version            Show version
    
    Firewall Control (CSF parity):
      -s                       Start firewall
      -f                       Stop/flush firewall (deletes table)
      -sf                      Force restart (bypass systemd)
      -q                       Quick restart (via systemd)
      -e                       Enable firewall (ensure inet table/chains)
      -x                       Disable (flush csfa table)
      -l                       List IPv4/IPv6 rules (csfa table)
      -l6                      List IPv6 rules specifically
      -r                       Restart (flush csfa table)
    
    IP Management:
      -a <IP> [comment]        Allow IP (v4 or v6) with optional comment
      -ar <IP>                 Remove 'allow IP' rule
      -d <IP> [comment]        Deny IP (drop) with optional comment
      -dr <IP>                 Remove 'deny IP' rule
    
    Temporary Rules (Enhanced in v1.3.0):
      -t                       List temporary IP entries with TTL
      -ta <IP> <secs> [-p PORT] [-d DIRECTION] [comment]
                               Temporary allow IP with optional port/direction
      -td <IP> <secs> [-p PORT] [-d DIRECTION] [comment]
                               Temporary deny IP with optional port/direction
      -tr <IP>                 Remove IP from temp lists
      -tra <IP>                Remove IP from temp allow list only
      -trd <IP>                Remove IP from temp deny list only
      -tf                      Flush all temporary IP entries
    
      Port format: 22 or 80,443 or 3000:4000 or 53;udp
      Direction: in (INPUT), out (OUTPUT), inout (both)
      Note: Multiple ports (80,443) are converted to nftables {80,443} syntax
    
    Port Management:
      --allow-port <PORT[/proto]>    e.g. 22/tcp, 53/udp, 1000-2000/tcp
      --deny-port  <PORT[/proto]>
      --remove-port <PORT[/proto]> --kind allow|deny
    
    Information & Analysis:
      -p                       View listening ports with processes
      -i <IP>                  Lookup IP geographical information
      -g <pattern>             Grep/search ruleset (by comment)
      --test                   Validate ruleset syntax
    
    Monitoring (New in v1.3.0):
      -w                       Watch mode - real-time firewall monitoring
      --status                 Comprehensive firewall status report
      --check                  Validate configuration and dependencies
      -t [N]                   Trace traffic (first N events or continuous)
      --watch                  Monitor firewall activity (alias for -t)
    
    Configuration:
      --save                   Save full ruleset to /etc/nftables.rules
      --restore                Restore from /etc/nftables.rules
    
    Internal:
      --delete-handle <chain> <handle>    Delete rule by handle
      --delete-handle-list <handles>      Delete multiple handles (chain:handle,...)
      --untrack-temp <IP>                 Remove from temp tracking
    
    CI/Testing:
      --testall                Run a non-destructive functional test suite
    
    Examples:
      csfa -s                          # Start firewall
      csfa -a 192.168.1.100 "Trusted"  # Allow IP with comment
      csfa -td 203.0.113.77 600 -p 22  # Temp deny for 10 min on port 22
      csfa -td 10.0.0.5 300 -p 80,443  # Temp deny for 5 min on ports 80 & 443
      csfa -ta 10.0.0.1 3600 -d out    # Temp allow outbound for 1 hour
      csfa -w                          # Watch mode monitoring
      csfa --status                    # Comprehensive status
      csfa --check                     # Validate configuration
      csfa -l6                         # Show IPv6 rules
      csfa -p                          # Show listening ports
      csfa -method json -l             # Force JSON output
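
The port formats and TTL-based temporary rules listed in the help output above map onto native nftables as sketched below. This is an added example, not part of the original post and not csfa's code (which the thread says is unreleased); the table and set names (`demo_fw`, `temp_deny4`, `temp_deny4_port`) and both function names are hypothetical.

```shell
# Added illustration, not csfa code; table and set names are hypothetical.
# Functions use ( ) bodies so variables stay local in plain POSIX sh.

# csf_port_to_nft SPEC: CSF-style port spec -> nftables match expression.
csf_port_to_nft() (
    spec=$1 proto=tcp
    case $spec in *\;*) proto=${spec#*;}; spec=${spec%%;*} ;; esac
    case $proto in tcp|udp) ;; *) exit 1 ;; esac
    # Digits with single ',' or ':' separators only; nothing else reaches nft.
    case $spec in ''|*[!0-9,:]*|[,:]*|*[,:]|*[,:][,:]*) exit 1 ;; esac
    for p in $(printf '%s' "$spec" | tr ',:' '  '); do
        [ "${#p}" -le 5 ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || exit 1
    done
    ports=$(printf '%s' "$spec" | tr ':' '-')   # 3000:4000 -> 3000-4000
    case $ports in *,*) ports="{ $(printf '%s' "$ports" | sed 's/,/, /g') }" ;; esac
    printf '%s dport %s\n' "$proto" "$ports"
)

# temp_deny_cmd IP SECS [SPEC]: nft command for an expiring deny entry.
# nftables rules never expire but set elements can, so the TTL becomes a
# per-element timeout in a set declared with "flags timeout".
temp_deny_cmd() (
    ip=$1 secs=$2 spec=${3:-} elems=
    # IPv4 shape check only; nft itself rejects out-of-range octets.
    case $ip in *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) exit 1 ;; *.*.*.*) ;; *) exit 1 ;; esac
    case $secs in ''|0*|*[!0-9]*) exit 1 ;; esac
    if [ -z "$spec" ]; then
        printf 'nft add element inet demo_fw temp_deny4 { %s timeout %ss }\n' "$ip" "$secs"
        exit 0
    fi
    match=$(csf_port_to_nft "$spec") || exit 1
    proto=${match%% *}
    for p in $(printf '%s' "${match#* dport }" | tr -d '{} ' | tr ',' ' '); do
        elems="${elems:+$elems, }$ip . $proto . $p timeout ${secs}s"
    done
    printf 'nft add element inet demo_fw temp_deny4_port { %s }\n' "$elems"
)

# Ruleset the commands above assume. Ranges inside a concatenated set need
# "flags interval" (kernel 5.6+, nftables 0.9.4+).
demo_ruleset() {
    cat <<'EOF'
table inet demo_fw {
    set temp_deny4 {
        type ipv4_addr
        flags timeout
    }
    set temp_deny4_port {
        type ipv4_addr . inet_proto . inet_service
        flags interval, timeout
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @temp_deny4 drop
        ip saddr . meta l4proto . th dport @temp_deny4_port drop
    }
}
EOF
}
# The two "csfa -td" examples from the help text, expressed natively:
demo_ruleset
temp_deny_cmd 203.0.113.77 600 22
temp_deny_cmd 10.0.0.5 300 80,443
```

The functions only print commands; nothing is applied to the running firewall. The output of `demo_ruleset` can be syntax-checked with `nft -c -f` before loading.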
    
  • dustinc Member, Patron Provider, Top Host

    @eva2000 said:

    @dustinc said: Sticking with CSF on its last release, or planning to move on to something newer?

    Great to see paid alternatives to CSF with Imunify and cPGuard, though what made CSF Firewall great besides ease of use was that it was free :) Even on bulk $7/month per server pricing, for 100,000 servers would be $700,000 per month LOL

    For my Centmin Mod users, in the short term, set up my own CSF Firewall download mirror with restored download/version check support https://github.com/centminmod/configserver-scripts/blob/main/README-gpl-csf.md and the ability to use other 3rd party mirrors in future. In the last 4 weeks, served 1.5 million requests from the CSF Firewall mirror B)

    I still hope that someone will take over CSF Firewall development. However, for my specific use case, one of many ideas is also to work on a CSF-like wrapper to direct full nftables support, called csfa for Centmin Mod.

    Hi @eva2000 -- nice work, and those mirror stats definitely speak for themselves! 1.5 million requests in just 4 weeks is pretty wild :)

    nftables does feel like the natural progression here, and your csfa wrapper idea makes a lot of sense for those who want to stick with a CSF-like workflow while moving onto something more modern. If we can help with sponsoring any servers or infrastructure for your projects -- definitely something we’d be interested in contributing to, and even featuring on our blog or the RackNerdTV YouTube Channel for more visibility. I’m sure a lot of our VPS customers would find value in something like this.

    P.S. I noticed you shared example output from csfa, though earlier you mentioned it’s still an idea. Is this something you’ve already released, or still actively working on?

  • OPSSHIELD LLP is based in Ernakulam, Kerala, India.

    No.

    Thanked by 1texosteve
  • schwabene Member
    edited September 2025

    Now that it’s been nearly a month since ConfigServer officially shut down -- what is everyone else doing?

    I’m switching to ufw since all my servers are on Ubuntu anyway.
    I’m also using fail2ban as a replacement for the lfd daemon.

    Thanked by 1dustinc
  • @dustinc said: Hi @eva2000 -- nice work, and those mirror stats definitely speak for themselves! 1.5 million requests in just 4 weeks is pretty wild

    nftables does feel like the natural progression here, and your csfa wrapper idea makes a lot of sense for those who want to stick with a CSF-like workflow while moving onto something more modern. If we can help with sponsoring any servers or infrastructure for your projects -- definitely something we’d be interested in contributing to, and even featuring on our blog or the RackNerdTV YouTube Channel for more visibility. I’m sure a lot of our VPS customers would find value in something like this.

    P.S. I noticed you shared example output from csfa, though earlier you mentioned it’s still an idea. Is this something you’ve already released, or still actively working on?

    Yeah, csfa is being developed and extensively tested privately right now for each feature/command via automated GitHub Workflow actions on AlmaLinux 10 for now, and trying to stick with CSF-like workflow/commands for familiarity. However, csfa isn't released publicly as it's still a work in progress. Thanks for the offer of sponsoring; for now I'm good.

    Thanked by 1dustinc
  • dustinc Member, Patron Provider, Top Host

    @schwabene said:

    Now that it’s been nearly a month since ConfigServer officially shut down -- what is everyone else doing?

    I’m switching to ufw since all my servers are on Ubuntu anyway.
    I’m also using fail2ban as a replacement for the lfd daemon.

    Nice, ufw is a good way to go. Are you running a web hosting control panel on those servers or just managing your stack directly via command line?

  • dustinc Member, Patron Provider, Top Host

    @eva2000 said:

    @dustinc said: Hi @eva2000 -- nice work, and those mirror stats definitely speak for themselves! 1.5 million requests in just 4 weeks is pretty wild

    nftables does feel like the natural progression here, and your csfa wrapper idea makes a lot of sense for those who want to stick with a CSF-like workflow while moving onto something more modern. If we can help with sponsoring any servers or infrastructure for your projects -- definitely something we’d be interested in contributing to, and even featuring on our blog or the RackNerdTV YouTube Channel for more visibility. I’m sure a lot of our VPS customers would find value in something like this.

    P.S. I noticed you shared example output from csfa, though earlier you mentioned it’s still an idea. Is this something you’ve already released, or still actively working on?

    Yeah, csfa is being developed and extensively tested privately right now for each feature/command via automated GitHub Workflow actions on AlmaLinux 10 for now, and trying to stick with CSF-like workflow/commands for familiarity. However, csfa isn't released publicly as it's still a work in progress. Thanks for the offer of sponsoring; for now I'm good.

    AlmaLinux 10 is solid, been playing around with it recently too. Keep us posted once csfa is released — would love to check it out, and I’m sure the community here would as well 👊

    Thanked by 1eva2000
  • mobinguard Member
    edited September 2025

    @Levi said:
    OPSSHIELD LLP is based in Ernakulam, Kerala, India.

    No.

    I wonder what made you so afraid of the location!!!

  • @mobinguard said:

    @Levi said:
    OPSSHIELD LLP is based in Ernakulam, Kerala, India.

    No.

    I wonder what made you so afraid of the location!!!

    He is a known racist.

  • @dosai said:

    @mobinguard said:

    @Levi said:
    OPSSHIELD LLP is based in Ernakulam, Kerala, India.

    No.

    I wonder what made you so afraid of the location!!!

    He is a known racist.

    I see..let him live with that then :)

    Thanked by 1buggedout
  • dustinc Member, Patron Provider, Top Host

    Also just noticed Imunify360 has their own take on a CSF replacement/migrator: https://blog.imunify360.com/configserver-eol

    In the context of shared hosting providers (multi-tenant setups), it seems like with CSF being discontinued, firewalls are moving more towards integrated solutions -- for example, Imunify360 and cPGuard both bundle in malware scanning, WAF, and now their own firewall that ties into the rest of their toolset, rather than just being a standalone firewall like CSF was.

    Has anyone here tested the Imunify360 CSF migrator yet?

    Thanked by 1JasonM
  • Hello, I would like to double the bandwidth.
    Invoice ID: 18343697
    Thanks!

  • @dubux said:
    Hello, I would like to double the bandwidth.
    Invoice ID: 18343697
    Thanks!

    LOL.

    Thanked by 1COLBYLICIOUS
  • @Levi said:
    OPSSHIELD LLP is based in Ernakulam, Kerala, India.

    No.

    Unfortunately the same goes with 50-70% of Google or any other big tech major company, where are you living?

  • iptables YYDS

  • I really like the CSF/LFD, so I hope someone (or a reliable group) will continue the development, since the latest code is available for free on GitHub. I can't imagine there is no potential (a reliable group can't find contributors, 'donaters' to a project like this). At this point still working great for me (CSF), but the future is 'unstable' without updates, security patches. Luckily we have many free alternatives: Shorewall, OSSEC, fail2ban, UFW, etc.

  • dustinc Member, Patron Provider, Top Host

    @titus said:
    I really like the CSF/LFD, so I hope someone (or a reliable group) will continue the development, since the latest code is available for free on GitHub. I can't imagine there is no potential (a reliable group can't find contributors, 'donaters' to a project like this). At this point still working great for me (CSF), but the future is 'unstable' without updates, security patches. Luckily we have many free alternatives: Shorewall, OSSEC, fail2ban, UFW, etc.

    Hi @titus -- CSF/LFD has definitely been a long-time favorite for many, and for good reason (lightweight, effective, and very configurable). It’s been a staple on countless systems, for decades.

    I agree that it would be great to see an active group or developer continue it (perhaps with a pivot to nftables), especially now that the source is public. With the right contributors, it could live on strong for many years.

    Thanked by 1titus