The End of an Era: CSF Is Officially Retired. What’s Next for cPGuard Users?

For nearly two decades, ConfigServer Security & Firewall (CSF) has been an indispensable tool for Linux administrators—a trusted first line of defence against malicious IPs. Its deep integration with cPanel/WHM, combined with a wide range of features, made it the default choice for sysadmins, especially in web hosting environments.

But times are changing. With the original developers announcing the end of CSF’s active development and releasing the code under GPLv3, its future now depends entirely on community contributions—an uncertain development path ahead. While this means CSF will continue in some form, for many administrators this marks the end of the CSF era—and raises an important question: what comes next?

cPGuard’s Journey Beyond CSF and the Next Step

At cPGuard, we have always recognised the importance of CSF. For years, we recommended CSF/LFD as the go-to Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) to complement our own security solutions.

In recent years—to reduce complexity, improve performance, and eliminate dependence—we have quietly and diligently been evolving our own platform. For some time now, cPGuard has not depended on CSF.

Core modules such as IPDB (abuse IP database), Bruteforce & Bot Blocking, Fail2Ban integration, and other features that require IP blocking have long been fully managed within cPGuard itself using iptables/ipset.

The retirement of CSF simply confirms what we had already anticipated: it’s time to take the next step.

A Fully Managed cPGuard Firewall

We are revamping the entire firewall module from scratch, moving away from the legacy iptables/ipset approach and adopting the modern NFT (Netfilter) framework. This transition is not just a technical change—it enables us to deliver a firewall that is more powerful, efficient, and future-ready for our users.

The new cPGuard Firewall introduces:

• Improved Efficiency – streamlined packet filtering with micro-loading, reducing overhead and improving performance under heavy traffic.
• Structured Management – cleaner, more organised rules and sets, making administration and troubleshooting far simpler.
• Enhanced Whitelisting & Blacklisting – redesigned for speed and accuracy, ensuring legitimate traffic is preserved while malicious IPs are blocked instantly.
• IPv6 Ready – the new system is fully IPv6 capable, with port filtering already supporting IPv6. Full IPDB IPv6 support will arrive very soon, ensuring your servers are protected in the dual-stack future.
• Simplified Administration – consistent CLI and UI commands (cpgcli fw …), giving you a reliable, straightforward way to manage your firewall.

What’s Coming in the First Release?

The initial rollout will deliver the core features you expect in a firewall:

• Whitelist & Blacklist (IP & Country) – define trusted and blocked networks with precision.
• Extended Whitelist & Blacklist Sources – import from file paths or remote URLs for efficient global management.
• Temporary Blocks (with expiry) – automatically remove bans after a set duration.
• Port Filtering – control inbound and outbound TCP/UDP traffic to close unwanted services.
• DoS / SYN-Flood Protection – safeguard servers against denial-of-service attacks.
• IPDB Integration – leverage a real-time global abuse IP database for proactive blocking.
• AI Bot Protection – block aggressive AI scraping bots.
• Fail2Ban Integration – service-level brute-force defence, serving as a modern replacement for CSF’s LFD.

When Can You Get It?

The new firewall is already in staging and scheduled for public release in early September 2025. We are currently testing across a wide range of server environments and configurations, and refining safeguards to ensure smooth continuity.

Delivery will happen automatically through the cPGuard auto-update system, and the transition should be seamless and uneventful. In the rare event of conflict with third-party firewalls, package dependencies or issues, our support team will be ready to assist immediately.

Comprehensive documentation will be provided alongside the release.

The Road Ahead

This is not just about replacing CSF—it’s about future-proofing your servers with a firewall that integrates seamlessly with the cPGuard ecosystem. We are committed to making this a community-driven development, and we’ll be listening closely to what you need.

Stay tuned for the official release announcement. The next chapter of server security starts now—with you. 🚀