
What CSF Does Well

ConfigServer Security & Firewall (CSF) is the de facto firewall for cPanel servers. It handles:

  • Login failure detection (lfd): Monitors authentication logs (for example /var/log/secure and the mail and cPanel logs) for failed logins and temporarily blocks IPs that exceed the configured thresholds
  • Connection tracking: Limits concurrent connections per source IP (CT_LIMIT) to prevent basic resource exhaustion by a single client
  • Port management: Opens only the ports listed in TCP_IN/UDP_IN in csf.conf, by default the ones cPanel needs (80, 443, 21, 25, 110, 143, 993, 995, 2082, 2083, 2086, 2087, etc.)
  • SYN flood protection: Basic SYN rate limiting via the SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST settings
  • Country blocking: Block or allow traffic by country code (CC_DENY / CC_ALLOW) using MaxMind GeoIP

CSF is a solid host-based firewall. Every cPanel server should run it. But it was designed for brute-force protection and access control, not for detecting and mitigating volumetric DDoS attacks.

Where CSF Falls Short on DDoS

CSF's SYN flood protection (SYNFLOOD = "1", tuned by SYNFLOOD_RATE and SYNFLOOD_BURST) is an iptables limit match on incoming SYN packets: one shared token bucket for the whole server, with no per-source state. Once a flood drains that bucket, every SYN above the refill rate is dropped no matter who sent it, so legitimate visitors trying to reach your websites are cut off along with the attack. There is no distinction between attack traffic and real users.

CSF's connection tracking (CT_LIMIT) blocks a source that holds more than CT_LIMIT concurrent connections, re-checked every CT_INTERVAL seconds; PORTFLOOD and CONNLIMIT are per-source limits as well. A distributed DDoS comes from thousands of IPs, each opening just a few connections. No single source crosses the limit, so CSF never triggers, even though the aggregate is far above anything the server normally sees.

CSF has no concept of:

  • Traffic baselines (what is "normal" for this server)
  • Attack classification (is this a SYN flood, UDP amplification, or HTTP flood)
  • PCAP forensics (packet capture for evidence and analysis)
  • Upstream mitigation (BGP FlowSpec, cloud scrubbing)
  • Dynamic threshold adjustment based on traffic patterns
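
To make those two gaps concrete, here is an added example (not CSF or Flowtriq code) that runs offline on constructed traffic: a simplified CT_LIMIT check, an aggregate baseline check of the kind described above, and the iptables limit match behind SYNFLOOD modelled as a token bucket. The source addresses, rates and thresholds are all invented for the illustration.

```python
"""Added example, not CSF or Flowtriq code: why a per-source connection limit and a
global SYN rate limit both fail against a distributed flood.

All traffic is constructed here; addresses, rates and thresholds are illustrative.
"""
from collections import Counter


def ct_limit_hits(conn_sources, ct_limit):
    """Simplified CSF CT_LIMIT: a source is blocked once it holds more than
    ct_limit concurrent connections. Returns the set of sources that would be blocked."""
    counts = Counter(conn_sources)
    return {ip for ip, n in counts.items() if n > ct_limit}


def baseline_alarm(conn_sources, baseline_rate, multiplier):
    """Aggregate detection: alarm when this window's total exceeds multiplier x the
    learned baseline, no matter how the connections are spread across sources."""
    return len(conn_sources) > baseline_rate * multiplier


def global_rate_limit(packets, rate, burst):
    """iptables 'limit' match (SYNFLOOD_RATE / SYNFLOOD_BURST) as a token bucket:
    `rate` tokens per second, bucket capacity `burst`, one token per SYN.
    `packets` is a list of (timestamp_seconds, label); it is sorted by time.
    Returns (passed, dropped) Counters keyed by label."""
    tokens = float(burst)
    passed, dropped = Counter(), Counter()
    last_t = None
    for t, label in sorted(packets):
        if last_t is not None:
            tokens = min(float(burst), tokens + (t - last_t) * rate)
        last_t = t
        if tokens >= 1.0:
            tokens -= 1.0
            passed[label] += 1
        else:
            dropped[label] += 1          # the bucket cannot tell who sent the SYN
    return passed, dropped


def distributed_flood(n_sources, conns_each):
    """Constructed sample: n_sources bots (10.0.0.0/8 stands in for the botnet)
    each opening conns_each connections, plus one busy but legitimate client."""
    sources = []
    for i in range(n_sources):
        sources.extend([f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"] * conns_each)
    sources.extend(["198.51.100.7"] * 40)
    return sources


def syn_mix(attack_pps, legit_interval, window=1.0):
    """Constructed sample: attack SYNs evenly spaced at attack_pps for `window`
    seconds, legitimate SYNs every legit_interval seconds in the same window."""
    attack = [((i + 0.5) / attack_pps, "attack") for i in range(int(attack_pps * window))]
    legit = [(j * legit_interval, "legit") for j in range(int(window / legit_interval) + 1)
             if j * legit_interval < window]
    return attack + legit


def demo():
    conns = distributed_flood(n_sources=5000, conns_each=3)
    blocked = ct_limit_hits(conns, ct_limit=300)                    # 3 conns/IP: nobody trips
    alarm = baseline_alarm(conns, baseline_rate=40, multiplier=5)   # 15,040 conns vs 200
    passed, dropped = global_rate_limit(syn_mix(23000, 0.0123), rate=100, burst=150)
    return {
        "ct_limit_blocked": sorted(blocked),
        "baseline_alarm": alarm,
        "syn_passed": dict(passed),
        "syn_dropped": dict(dropped),
    }


if __name__ == "__main__":
    print(demo())
```

With the sample numbers the per-source check blocks nobody while the aggregate check fires, and of the 82 legitimate SYNs in the one-second window at most two get through the shared bucket: roughly 249 SYNs pass in total (150 burst plus about 100 refilled), and the dense attack stream claims almost every one of them. The same `ct_limit_hits` does catch a single source opening 301 connections, which is the case CT_LIMIT was designed for.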

How Flowtriq and CSF Coexist

ftagent and CSF run on the same server without conflict. The key: they use separate iptables chains.

iptables chains on a cPanel server:
  INPUT         - CSF manages this chain
  OUTPUT        - CSF manages this chain
  FORWARD       - CSF manages this chain
  LOCALINPUT    - CSF's custom chain for input rules
  LOCALOUTPUT   - CSF's custom chain for output rules
  FTAGENT       - Flowtriq's chain for DDoS mitigation rules

ftagent never touches CSF's chains. CSF never touches the FTAGENT chain. During an attack, ftagent inserts rules into its own chain. CSF continues operating normally. When the attack ends, ftagent removes its rules. CSF is unaffected throughout.

Two iptables facts are worth keeping in mind: a user-defined chain such as FTAGENT only sees packets that a jump rule sends to it, and `csf -f` / `csf -r` flush the firewall and rebuild CSF's rules from csf.conf. After restarting CSF, re-check that the FTAGENT chain and the rule that feeds it are still in place (Step 3 below).

Setup

Step 1: Install ftagent (CSF stays as-is)

pip install ftagent
sudo ftagent --setup

No changes to CSF configuration required. Do not modify csf.conf, do not add ftagent IPs to allow lists, do not change any CSF settings.

Step 2: Configure service ports

Register the ports that cPanel uses so the agent knows what is legitimate:

Service Ports:
  80/tcp, 443/tcp           - Web traffic (Apache/LiteSpeed)
  21/tcp                    - FTP
  25/tcp, 465/tcp, 587/tcp  - SMTP (cPanel's Exim listens on the 587 submission port by default)
  110/tcp, 995/tcp          - POP3
  143/tcp, 993/tcp          - IMAP
  2082/tcp, 2083/tcp        - cPanel client
  2086/tcp, 2087/tcp        - WHM admin
  2095/tcp, 2096/tcp        - Webmail
  22/tcp                    - SSH (use whatever port sshd is actually bound to)
  53/tcp, 53/udp            - DNS, only if the server is authoritative for zones

Step 3: Verify coexistence

# Check that both are running:
csf -s            # CSF status
ftagent --status  # ftagent status

# Verify iptables chains are separate:
iptables -L -n | grep -E "Chain (LOCALINPUT|FTAGENT)"

# Verify the FTAGENT chain is wired in: expect its -N line plus the rule that jumps to it.
# A chain with no jump pointing at it never sees a packet. Repeat after any csf -r.
iptables -S | grep -n FTAGENT
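
The two grep lines confirm that the chains exist; they do not tell you whether the jump into FTAGENT sits early enough in INPUT to matter. Because iptables is first-match, an ACCEPT for a service port placed ahead of the jump would let a flood on that port bypass the agent's chain entirely. The following added audit script (not Flowtriq or CSF code) reads `iptables -S` output and reports on exactly that; it runs offline against a constructed ruleset embedded in the file. It assumes, since the page does not say, that ftagent hooks its chain with a single `-j FTAGENT` rule in INPUT, and the sample CSF chain layout (ALLOWIN, DENYIN, LOGDROPIN) is illustrative rather than captured from a real server.

```python
"""Added example, not Flowtriq or CSF code: audit `iptables -S` output to confirm the
FTAGENT chain exists, CSF's chains are intact, and the hook into FTAGENT sits early
enough in INPUT to actually see attack traffic.

Assumption (not stated on the page): ftagent wires its chain in with a single
`-j FTAGENT` rule in INPUT. Change AGENT_CHAIN or the hook check if your install differs.
Usage on a live server:  sudo iptables -S | python3 audit_chains.py
"""
import re
import sys

AGENT_CHAIN = "FTAGENT"
CSF_CHAINS = ("INPUT", "OUTPUT", "FORWARD", "LOCALINPUT", "LOCALOUTPUT")
CSF_CUSTOM_CHAINS = ("LOCALINPUT", "LOCALOUTPUT")

# Constructed sample in `iptables -S` format; not captured from a real cPanel host.
SAMPLE_IPTABLES_S = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ALLOWIN
-N DENYIN
-N FTAGENT
-N LOCALINPUT
-N LOCALOUTPUT
-N LOGDROPIN
-A INPUT -i lo -j ACCEPT
-A INPUT -j FTAGENT
-A INPUT -j LOCALINPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -j LOGDROPIN
-A OUTPUT -j LOCALOUTPUT
-A LOCALINPUT -j ALLOWIN
-A LOCALINPUT -j DENYIN
-A FTAGENT -s 203.0.113.0/24 -p udp -j DROP
-A FTAGENT -p udp -m udp --sport 11211 -j DROP
"""


def parse_rules(text):
    """Split `iptables -S` output into declared chain names and (chain, rule) pairs."""
    chains, rules = [], []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 2:
            continue
        if parts[0] in ("-P", "-N"):        # built-in chain with its policy, or user chain
            chains.append(parts[1])
        elif parts[0] == "-A":
            rules.append((parts[1], parts[2] if len(parts) > 2 else ""))
    return chains, rules


def jump_target(rule):
    """Target of a rule's -j/-g, or None for a rule with no target."""
    m = re.search(r"(?:^|\s)-[jg]\s+(\S+)", rule)
    return m.group(1) if m else None


def audit(text, agent_chain=AGENT_CHAIN):
    chains, rules = parse_rules(text)
    input_rules = [r for c, r in rules if c == "INPUT"]
    targets = [jump_target(r) for r in input_rules]
    jump_pos = targets.index(agent_chain) if agent_chain in targets else None
    # iptables is first-match: an ACCEPT ahead of the jump (loopback aside) means packets
    # matching it, e.g. a flood aimed at a service port, never reach the agent's chain.
    before = input_rules[:jump_pos] if jump_pos is not None else []
    accepts_before = [r for r in before if jump_target(r) == "ACCEPT" and "-i lo" not in r]
    report = {
        "agent_chain_declared": agent_chain in chains,
        "csf_chains_declared": [c for c in CSF_CHAINS if c in chains],
        "agent_jump_position": jump_pos,
        "accepts_before_agent_jump": accepts_before,
        "agent_rules": [r for c, r in rules if c == agent_chain],
        # CSF's own custom chains should not hand traffic to the agent chain
        "csf_rules_targeting_agent": [(c, r) for c, r in rules
                                      if c in CSF_CUSTOM_CHAINS and jump_target(r) == agent_chain],
    }
    report["ok"] = (report["agent_chain_declared"] and jump_pos is not None
                    and not accepts_before and not report["csf_rules_targeting_agent"])
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_S
    report = audit(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["ok"] else 1)
```

Run it with no stdin to see the report for the embedded sample, or pipe `sudo iptables -S` into it on the server; a non-zero exit means the agent chain is missing, unreferenced, or placed after an ACCEPT that would short-circuit it. Re-running this after `csf -r` is the quickest way to notice that a CSF restart has dropped the chain.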

How They Work Together During an Attack

  1. Attack starts: 400K PPS UDP flood targeting the server
  2. ftagent detects: Within 1 second, baseline deviation triggers an incident
  3. ftagent mitigates: Deploys DROP rules in the FTAGENT chain for attack traffic patterns
  4. CSF continues: Login monitoring, connection tracking, and port management all function normally
  5. If needed: ftagent escalates to BGP FlowSpec or cloud scrubbing for upstream filtering
  6. Attack ends: ftagent removes its rules. CSF is unaffected.

FAQ

Should I disable CSF's SYNFLOOD setting?

You can leave it enabled. CSF's SYN flood protection provides a basic safety net, and having both layers does not cause conflicts. Keep CSF's own guidance in csf.conf in mind, though: SYNFLOOD should only be enabled when you know you are under a SYN flood, because once the shared rate is exceeded it slows every new connection from every address. If you run it alongside Flowtriq, set SYNFLOOD_RATE generously so that the global limit is not the layer that ends up blocking real visitors.

Does ftagent work with cPanel on CloudLinux?

Yes. CloudLinux uses CentOS/AlmaLinux as its base. ftagent installs the same way as on any RHEL-based system.

What about LiteSpeed Web Server?

ftagent monitors at the kernel level, below the web server. It works identically with Apache, LiteSpeed, Nginx, or any other web server running on the cPanel machine.

Add DDoS detection to your cPanel server. Keep CSF for what it does well. Add Flowtriq for volumetric detection and automated mitigation. They work together without conflicts. Start your free 14-day trial.
