VestaCP has a built-in default firewall with iptables and fail2ban. You will find it when you run VestaCP with Linux operating systems including RHEL and CentOS. However, we can exclude iptables and fail2ban in the VestaCP installation command script (ADVANCED INSTALL SETTINGS). Instead, we can replace iptables and fail2ban with CSF Firewall (ConfigServer Security & Firewall) + LFD (Login Failure Daemon).
As I know that CSF has officially supported VestaCP as an optional firewall and provides a user interface (UI) since version 13.05 was released to the public. Although CSF says that they only support VestaCP that runs on CentOS 7, but I have tried it works very well on VestaCP with Debian 8/9 and Ubuntu LTS Server (16.04 – 18.04). Look at the CSF changelog below.
13.05 - Added official CentOS Web Panel (CWP) integration and CWP panel specific configuration. See /etc/csf/readme.txt for more information (only tested on CentOS v7) Added official VestaCP integration and VestaCP specific configuration (only tested on CentOS v7) SEE: https://download.configserver.com/csf/changelog.txt
It’s easy to install and configure CSF Firewall on VestaCP, both with RHEL/CentOS and Debian/Ubuntu. Now, follow this guide to install CSF Firewall on your VestaCP.
1.) Download and Install CSF Firewall
$ cd /usr/local/src $ wget https://download.configserver.com/csf.tgz $ tar -xzf csf.tgz $ cd csf $ sh install.sh
2.) OK… CSF Firewall has been installed on your VestaCP server. Now let’s test your CSF Firewall installation.
$ perl /usr/local/csf/bin/csftest.pl
3.) Next, configure your CSF Firewall settings and make sure to disable testing mode, so CSF can work properly on your VestaCP server. You can configure it via Nano Editor or login to your VestaCP and scroll to the CSF menu (top right), like the image you can see above.
$ nano /etc/csf/csf.conf
Set Testing Mode from “1” to “0”
$ TESTING = "0"
Set RESTRICT_SYSLOG from “0” to “3”
$ RESTRICT_SYSLOG = "3"
4.) If you have a custom port, be sure to always add that port to CSF IPv4 Port Settings and IPv6 Port Settings.
5.) Now, restart CSF & LFD
$ csf -r or service csf restart $ lfd -r or service lfd restart
CONCLUSION
Installing CSF Firewall + LFD on VestaCP is very easy to do. Of course, CSF Firewall clearly has more complete and more comprehensive features compared to iptables and fail2ban which is the default VestaCP firewall. However, iptables and CSF Firewall can run together on VestaCP without any problems. You can still have iptables firewall installed on your VestaCP without the need to uninstall it, even though you have also installed CSF Firewall.
We are a bunch of people who are still continue to learn Linux servers. Only high passion keeps pushing us to learn everything.