Maintaining CSF Operation After Shutdown

Is Your Server Firewall Disabling Itself? How to Keep CSF Running After a Reboot

You’ve meticulously configured your server, installed ConfigServer Security & Firewall (CSF), and locked down your ports. Everything is secure. But then, after a routine system reboot, you discover a critical problem: the firewall isn’t running, leaving your server exposed to the open internet.

This is a surprisingly common issue that can undermine your entire security posture. A firewall that doesn’t automatically restart after a shutdown is a major vulnerability. Fortunately, the fix is straightforward and essential for any server administrator.

Here’s what’s happening and exactly how to ensure your CSF firewall remains active and vigilant, even after a reboot.

The Root Cause: Understanding CSF’s Built-in Safety Feature

The primary reason CSF may not start automatically is its default “Testing Mode.” When you first install CSF, it is configured to run in this mode as a safety precaution.

Testing Mode is designed to prevent you from accidentally locking yourself out of your own server. If you were to apply a faulty rule that blocks your IP address, this mode ensures the firewall will automatically shut down after a few minutes, allowing you to regain access and fix the mistake.

While incredibly useful during initial setup, this feature has a significant side effect: while TESTING is enabled, the firewall service is intentionally prevented from being permanently enabled at boot. The system assumes you are still in a testing phase and won’t make the firewall’s operation persistent.

The Solution: A Two-Step Process for Persistent Firewall Protection

To ensure CSF is always running, you need to perform two key actions: officially disable Testing Mode and then enable the firewall service to launch on system startup.

Step 1: Disable Testing Mode in the Configuration

First, you must signal to CSF that your configuration is stable and you’re ready for permanent protection.

  1. Access your server via SSH with root privileges.
  2. Open the main CSF configuration file using a text editor like nano or vim:
    nano /etc/csf/csf.conf
  3. Look for the line that says TESTING = "1".
  4. Change the value from “1” (On) to “0” (Off). The line should now read:
    TESTING = "0"
  5. Save the file and exit the editor.

Security Tip: Before you make this change, it is absolutely critical to double-check your firewall rules. Ensure that your own IP address is whitelisted and that essential ports (like your SSH port) are open. Once Testing Mode is off, a bad rule could permanently lock you out.

Step 2: Enable the Firewall Service at Boot

With Testing Mode disabled, you can now instruct the system’s service manager to launch the firewall automatically every time the server starts. The command depends on the operating system your server uses.

The service that controls CSF is called lfd (Login Failure Daemon), which is the primary process for the firewall.

For modern systems using systemd (CentOS 7+, Debian 8+, Ubuntu 16.04+):

Run the following command to enable the service:
    sudo systemctl enable lfd

This command creates the necessary links for the lfd service to be started during the boot sequence.

For older systems using SysVinit (CentOS 6, older Debian/Ubuntu):

Use the chkconfig utility to enable the service:
    sudo chkconfig lfd on

Step 3: Restart and Verify

To apply all changes without needing a full server reboot, simply restart the CSF and LFD services:
    csf -ra

This command will restart both the firewall and the daemon. You can then verify that the lfd service is active and enabled by running:
    systemctl status lfd

You should see output indicating the service is “active (running)” and “enabled.” This confirms that your firewall is not only protecting your server now but will continue to do so automatically after every future restart.
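
The checks from the steps above can be scripted. This is an added example, not code from the original article or from the CSF project: it confirms that TESTING is "0" in csf.conf and that lfd is both enabled at boot and running under systemd. The function names and the --audit flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the result of Steps 1-3. Function names and the
# --audit flag are assumptions of this example, not part of CSF.

# Print the value assigned to TESTING in a csf.conf-style file.
# The key is anchored so TESTING_INTERVAL and commented-out lines never match;
# if the key appears more than once, the last assignment is reported.
csf_testing_value() {
    sed -n 's/^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tail -n 1
}

# Return 0 if TESTING is "0", 1 if it has any other value,
# 2 if the file is unreadable or has no TESTING line.
csf_testing_disabled() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf" >&2; return 2; }
    val=$(csf_testing_value "$conf")
    case $val in
        0)  echo "OK: TESTING is 0 in $conf"; return 0 ;;
        "") echo "FAIL: no TESTING line in $conf" >&2; return 2 ;;
        *)  echo "FAIL: TESTING is \"$val\" in $conf" >&2; return 1 ;;
    esac
}

# Return 0 only if a systemd unit is both enabled at boot and running now.
# "active" alone does not survive a reboot; "enabled" alone is not protecting yet.
unit_persistent() {
    systemctl is-enabled --quiet "$1" && systemctl is-active --quiet "$1"
}

# Run both checks; the config path defaults to the one used in Step 1.
csf_persistence_audit() {
    rc=0
    csf_testing_disabled "${1:-/etc/csf/csf.conf}" || rc=1
    if unit_persistent lfd; then
        echo "OK: lfd is enabled and active"
    else
        echo "FAIL: lfd is not both enabled and active" >&2
        rc=1
    fi
    return "$rc"
}

# Run only when asked, so the functions can also be sourced on their own.
if [ "${1:-}" = "--audit" ]; then
    csf_persistence_audit "${2:-}"
fi
```

Invoke the script with --audit, optionally followed by a config path; a non-zero exit status means at least one check failed, which makes it suitable for a post-reboot monitoring job.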

Final Thoughts on Proactive Security

A firewall is your server’s first line of defense, but it’s only effective when it’s active. Taking these simple steps to disable Testing Mode and enable the lfd service is not just a configuration tweak—it’s a fundamental step in securing your server. By ensuring CSF persists through reboots, you close a significant security gap and gain peace of mind knowing your digital assets are consistently protected.

Source: https://linuxblog.io/configserver-firewall-csf-after-shutdown/
