CSF is the best match with HestiaCP, but there will be no more updates on CSF. So is there any other idea for an alternative?
There are a few forks out there like:
Note: I don’t use any of them.
Mm. Thank you. I saw that CSF-Aetherinox GitHub, but I’m a bit worried about the legitimacy, because this is an isolated firewall stack. Unable to get the same trust as the original CSF stack.
Also, CSF is a bit more complex to troubleshoot. So I’m thinking of a combination, integrating default stacks like Fail2Ban + UFW + IPSet or IPTables/nftables, with scripting to get updated block/blacklists of IPs/CIDRs from trusted freeware.
Any suggestions on this script?
This is a well-structured and robust shell script designed to enhance server security by integrating Fail2Ban, UFW/IPTables, and IPSet with a dynamic, external blocklist and email notifications. This will ignore UFW (Only if you are using HestiaCP).
I have a question - is CSF useful when the sites that I’m hosting on Hestia are using Apache as webserver? Will CSF sit in between Cloudflare and Nginx (Proxy) and Apache?
That script only downloads an external blocklist, creates an ipset, and adds the corresponding iptables rules. It also creates an action in Fail2Ban to ban or unban IPs, but you must manually add that action to your Fail2Ban configuration; the script doesn’t do it for you.
You can get the same result using Hestia.
Wow. Really, thank you for this advice. I made changes to the script to have this.
/etc/fail2ban/jail.local
[DEFAULT]
action = %(action_mwl)s vv-ipset
Yes. It doesn’t matter what panels you have installed inside your server. But you must configure your required ports to ALLOW via CSF.
Cloudflare: Stops the majority of web attacks at the edge.
CSF: Protects the entire server from non-web attacks (SSH, Mail) and acts as the last line of defense against direct-IP web attacks.
That default action won’t be executed if your conf already has an action defined.
I mean, in this conf the only action that will be executed when triggering ssh-iptables rules is hestia[name=SSH]
[DEFAULT]
action = %(action_mwl)s vv-ipset
[ssh-iptables]
enabled = true
filter = sshd
action = hestia[name=SSH]
logpath = /var/log/auth.log
Mm. Thank you for your valuable guidance. So what is the best action set I can change to?
If you want to use %(action_mwl)s vv-ipset for all your jails, you should update their configurations accordingly. However, keep in mind that there are usually many “attacks”, so using %(action_mwl)s could generate a lot of “spam”.
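An added example, not part of the thread and not HestiaCP or Fail2Ban code: a Python check that reads a jail.local and reports, for each enabled jail, whether the vv-ipset action from the thread is in the action that jail would actually use, given that a jail-level action replaces the [DEFAULT] one. It assumes a single file with `enabled` set per jail, leaves `%(...)s` references unexpanded, and uses a sample config constructed from the snippets above.

```python
import configparser
import re

# Constructed sample mirroring the jail.local discussed in the thread.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
action = %(action_mwl)s vv-ipset

[ssh-iptables]
enabled = true
filter = sshd
action = hestia[name=SSH]
logpath = /var/log/auth.log

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
"""

def action_names(value):
    """Return the action names in an action value, ignoring [options]."""
    stripped = re.sub(r"\[[^\]]*\]", "", value)  # drop name[...] options
    return [tok for tok in re.split(r"[\s,]+", stripped) if tok]

def audit(text, required="vv-ipset"):
    """Map each enabled jail to (effective action names, has_required)."""
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    # and an inherited action can be told apart from a jail-level override.
    cfg = configparser.ConfigParser(interpolation=None,
                                    default_section="__unused__")
    cfg.read_string(text)
    default_action = cfg.get("DEFAULT", "action", fallback="")
    report = {}
    for jail in cfg.sections():
        if jail == "DEFAULT":
            continue
        if cfg.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        # A jail-level "action" replaces the [DEFAULT] one; it is not merged.
        effective = cfg.get(jail, "action", fallback=default_action)
        names = action_names(effective)
        report[jail] = (names, required in names)
    return report

if __name__ == "__main__":
    for jail, (names, ok) in audit(SAMPLE_JAIL_LOCAL).items():
        print(f"{jail}: actions={names} {'ok' if ok else 'MISSING vv-ipset'}")
```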