ConfigServer shutting down as of 31st of August 2025

The fact that they just stripped away all the license info is crazy. I get that it's annoying, but they should likely have just tacked on their author info and date to the existing copyright headers.
That is the correct way. This, as they did, isn't legal
 
CSF is now gone but the docs haven't been updated (https://docs.directadmin.com/operation-system-level/securing/csf.html). What's the best way to fix this? Out of date documentation is a very bad sign for me.

Personally I'm not sorry to see CSF go - one of the reasons I initially chose NOT to use DA for my servers (a few years ago now) was because I thought many of the CSF features were already fairly useless, because the attackers had moved on and because other more effective measures were available. They weren't doing any harm, but I thought security was depending on what I thought were obsolete defences. At the time I used ipset and fail2ban instead, but even ipset is now deprecated.

The world has moved on, I'm back now trying DA again and I like it even more without CSF. But CSF does need to be replaced with something. As far as I can tell, there's no nftables or firewalld support and that's partly deliberate because DA focuses on webserver management, is that right? Do I need to find alternative solutions or not?
 
Up to you what solutions you want to use, but DA uses the latest GPLv3 release 15.00 of CSF that will be maintained by the community now it’s in the public domain, so the documentation on CSF is still relevant and I’m guessing will be updated as and when features/updates/bugs are added or fixed. You can of course choose to install DA without CSF by setting the DA_SKIP_CSF env variable before you run install script.

Bash:
export DA_SKIP_CSF=true
 
one of the reasons I initially chose NOT to use DA for my servers
Very odd choice imho because you can decide yourself if you do or don't want to use/install CSF with Directadmin (cPanel uses the same by the way).
Also your thought about the effectiveness of CSF is really not accurate and sorry, but it really makes me laugh seeing you write that you used fail2ban, which has way fewer options and is less effective than CSF, and that is a proven fact. Lots of hosters here also changed from fail2ban to CSF/LFD even before DA had the option to install it during DA installation.
Also makes me wonder which panel you used instead.

So ipset is deprecated but you can still use fail2ban if you're used to that.

Do I need to find alternative solutions or not?
Depends on what you mean. There is not a single paid panel out there at the moment supporting iptables, nftables or firewalld. That always has been a 3rd party thing. Panels are only for making life easier configuring the applications required for webhosting.
In the past there was a lot of firewalling the admins could choose themselves, like apf/bfd, fail2ban and CSF/LFD. Of which APF/BFD also stopped several years ago.

We have to wait and see if DA or anybody else will start developing CSF further, or if any panel will or will not do something with nftables or firewalld or similar. Same for other paid panels.
 
@philmck
The security is not just bruteforce protection, but all possible attacks like DDoS, flood, slowing down page load.


CSF Team already have the alternative support for nftables, so it will still work in the next 5-10 years (maybe).

And if you're running on RHEL 10, just turn off IPSET, since pure nftables is already fast enough.
 
Thanks for the informative responses. Interesting that CSF may continue, I hadn't expected that. Also all control panels I've used have had some sort of firewall support, it seems essential to me and I hadn't expected that comment. I realise security is always going to be a moving target but I'm still not sure of the best way to go here.
 
@philmck
The security is not just bruteforce protection, but all possible attacks like DDoS, flood, slowing down page load...
100% agree with this, brute-forcing is yesterday's problem and blocking specific IP addresses is yesterday's solution - if you check the logs, they've already switched to a new address by the time you block it. Fail2ban is therefore gradually becoming less and less effective.

I'm prepared to pay for 3rd party solutions where necessary - I already do this to replace form CAPTCHAs, for example, and I use CloudFlare for DNS so I can use their DDoS protection if necessary.

If we agree controlling server load is the main aim here, is a server-hosted firewall even the best solution? Sometimes it takes more resources to block an attack than to ignore it. I've had bad experiences with some WAFs in the past precisely because of this. Should I be looking for hosts with external hardware firewalls instead?
 
I rent servers from 2 companies that have extra DDoS protection built into their network. I also have load balancing at my disposal. Admittedly it's only 2 methods to mitigate DDoS attacks and other layers are always implemented. Security is getting better but no system is 100% free from exploitable weaknesses, and you should always mitigate against as much as you are able.

Firewalls, Brute force protection, CAPTCHAs and port sanitation are also other methods you can add, as you know, to reduce the attack surface area.
 
CSF Team already have the alternative support for nftables, so it will still work in the next 5-10 years (maybe).
Are you sure? What I've read, it's not fully there yet.
ConfigServer had started adding some nftables compatibility in recent versions, but it’s not fully there. One likely task for community forks will be to ensure CSF can interface with nftables properly (or even support firewalld).

However as long as it's possible to install iptables too it should not be an issue.
 
100% agree with this, brute-forcing is yesterday's problem
How do you get to these wrong conclusions? Brute-forcing is still taking place on a daily basis, not yesterday by far. Neither is blocking IPs, or even better, complete IP ranges or even ASNs. They can't keep switching IPs, and more and more datacenters are taking measures against that IP hopping, like closing port 25 by default on VPS systems and servers. So at least for spammers it still works.
Next to other things. You can't rely on IP blocking, but you can't do without it either; it's a combination of things which is required.

If we agree controlling server load is the main aim here
I don't agree. Relying mainly on that control without the rest is not enough. You can try to control your server load via tools on your server every way you want, and then what has been happening lately happens anyway: loads of bots get to your sites and generate a high load that way. And load balancing is not possible for a lot of us.
Controlling server load is one, but you need the combination of that and firewalling.

Captchas... well... if you want to talk about things which are really yesterday's problem, then it's Captchas. Almost of no use at all anymore; almost all are hacked.
The others yes, but not as additional "also other methods" but as main things to have against attacks, so primary, combined with a good server load.

As for DDoS, we already have that protection from our datacenter too.
 
How do you get to these wrong conclusions? Brute-forcing is still taking place on a daily basis...
This is not the space for a long discussion, but "brute forcing" was never literally true in this context, it was always "try some known weak or re-used passwords". My point was that it has changed to "spray" attacks from different IP addresses, rarely more than 10 attempts from the same address in 24 hours, thus rendering standard fail2ban filters and DNS blacklists impotent. As you say, they still happen on a daily basis but they've already found most of the really weak passwords and are moving on to more sophisticated attacks like phishing. I didn't mean to imply that no protection is needed - on the contrary, I'm trying to find out what else can be done now that CSF is (maybe) gone.
 