How to configure Messenger in CSF? Part 1

(On unmanaged/core managed servers)

What is CSF?

In this article, we will provide a detailed explanation of how to configure and customize the Messenger feature in CSF on an unmanaged or core-managed server. Let's start by defining exactly what CSF, or ConfigServer Firewall, is and what it does.

CSF is an open source Stateful Packet Inspection (or SPI) firewall, login/intrusion detection and security application for Linux servers. It is a secure, straightforward, flexible and easy-to-configure platform with additional controls included to ensure smooth operation. CSF can be used on any generic Linux operating system. The CSF installation includes preconfigured settings and control panel UI for cPanel, DirectAdmin, and Webmin.

configserver.com

Additionally, CSF is paired with LFD (the login failure daemon).

The LFD process runs continuously and periodically (every Such attempts are often called “brute force attacks” and the daemon process quickly responds to such patterns and quickly blocks the offending IPs. Other similar products run every x minutes via cron and as such often miss intrusion attempts until after they have finished. Our daemon eliminates those long waits and makes it much more effective in completing its task.

configserver.com

What is CSF Messenger?

CSF Messenger is a feature that displays a specific warning page to a user who is blocked by the firewall, similar to the one seen below. CSF also shows the user the blocked IP address, so that when they contact the owner or server administrator to unblock the IP, they have all the information they need to provide to whitelist the IP, if applicable.

This feature is very helpful, especially if you have clients who are frequently blocked from a site by the firewall. Most of those users may assume that there is something wrong with the server or the site and that it is down for everyone, when in reality it is simply inaccessible to them. This gives users peace of mind knowing that they are simply blocked by the firewall, a block that can easily be removed. This feature also has the potential to save lost business by providing an additional layer of protection against potential attackers or malicious parties.

ReCaptcha

You can further customize this feature by enabling the reCAPTCHA option. reCAPTCHA is a CAPTCHA-like method designed to verify that the computer user is a human being. If the user successfully completes the captcha challenge, their IP can be unblocked. We have included instructions for implementing this option below.

Note: If a malicious person is blocked, they will also have the option to unblock themselves by successfully completing the captcha challenge. When the reCAPTCHA option is enabled, by default, you also receive an email alert when someone successfully unblocks an IP address. Additionally, the server must be running Apache v2.4 and using cPanel's EasyApache v4. The Messenger user MUST also have a specific directory structure that the script provides.

Implementation

Deploying via the command line on an unmanaged/core-managed server.

This single-line command does the following:

  • backs up the CSF configuration file
  • updates CSF to the latest version
  • makes the necessary changes to the configuration file
  • restarts the CSF services to enable the Messenger feature
    (You will need to log in as root or have sudo access)
root@host:~# cp /etc/csf/csf.conf{,.backup} && csf -u && sed -i 's/MESSENGER = "0"/MESSENGER = "1"/g' /etc/csf/csf.conf ; sed -i 's/MESSENGERV2 = "0"/MESSENGERV2 = "1"/g' /etc/csf/csf.conf ; sed -i 's/MESSENGER_HTTPS_IN = ""/MESSENGER_HTTPS_IN = "443"/g' /etc/csf/csf.conf ; useradd csf -s /bin/false ; csf -ra

To test this feature, we recommend using a different device that is NOT connected to the same network as the PC you are setting this up on. Once you are online with your other device on a different network, you will need to find its public IP. You can do this by simply going to ip.CodePre.com. Once you have your IP address, you will need to add it to the deny list in CSF.

(Using my test IP 174.222.7.113 in the example below)

root@host:~# csf -d 174.222.7.113

If you do not have an additional device or another way to test from an alternative IP, the IP can instead be blocked temporarily for the next X seconds. In the example below, the IP will be temporarily blocked for 30 seconds.

root@host:~# csf -td 174.222.7.113 30

Once blocked, try to access your domain. You will see a page similar to the following.

[Image: firewall block page]

To unblock the alternate IP, use this command.

root@host:~# csf -dr 174.222.7.113

Enable reCAPTCHA option: command line in non-cPanel

Note: This process REQUIRES a Gmail account to continue.

First, you will need to create the reCAPTCHA site key and secret key. To do this, go to the Google reCAPTCHA site and then click the “Admin Console” button at the top right of the page.

Once you are logged into your Gmail account, you will be directed to a page titled “Register a new site.” For the site tag, you can put whatever entry you want to reference the keys you are about to create, for example, “CSF Messenger.” Next, select the type of reCAPTCHA method you would like to implement. We prefer the “reCAPTCHA v2 checkbox” option, but any of them will work. For the domain entry, type the hostname of your server.

Be sure to click the plus sign to the left of the domain you typed to add it. Then, check the box next to accept TOS (if you agree to them) and press submit.

The next page will display the site key in the first box and the secret key in the second box. You'll need to have those keys on hand because you'll need them to set up the reCAPTCHA option within CSF next.

Next, to make the following step easier, run the command given below. It will ask you for the site key and secret key that you received earlier, make the necessary changes for you, and finally restart CSF to implement the changes. If you happen to make a mistake, simply press 'ctrl+c' to stop the command, or wait until CSF finishes restarting and then run the command again.

root@host:~# echo "What is the Site Key?:" ; read -r skey ; echo "What is the Secret Key?:" ; read -r secret ; sed -i '/RECAPTCHA_SITEKEY = "/cRECAPTCHA_SITEKEY = "'"$skey"'"' /etc/csf/csf.conf ; sed -i '/RECAPTCHA_SECRET = "/cRECAPTCHA_SECRET = "'"$secret"'"' /etc/csf/csf.conf ; csf -ra

Next, we will need to replace the default CSF Messenger index.php with the modified code with the reCAPTCHA information. To achieve this, run the following command.

root@host:~# cat /etc/csf/messenger/index.recaptcha.php > /home/csf/public_html/index.php

Finally, follow the same steps above to set up a firewall test block of your IP to test the reCAPTCHA auto-unblock feature.

Note: The unblock function may take a few seconds to complete. In our tests, we sometimes had to wait up to 10 seconds before the IP was unblocked. (The average wait time for us was less than 3 seconds.)

If you want to customize the appearance, functionality or information on the block page, the files are located in /home/csf/public_html/, specifically /home/csf/public_html/index.php.
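
Both sets of sed edits above (the Messenger one-liner and the reCAPTCHA key prompt) change nothing and report no error when their pattern does not match, for example when MESSENGER_HTTPS_IN already holds a value or a key was left empty at the prompt. The check below is an added example, not part of the original article or of CSF itself; the function names csf_conf_get and check_messenger and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the csf.conf keys that the article's sed commands edit.
# Function names and the sample file are constructed for illustration.

# Print the value of KEY from a csf.conf-style file (lines look like KEY = "value").
# Returns 1 when the key has no active (uncommented) line.
csf_conf_get() {
    local file="$1" key="$2" line
    line=$(grep -E "^${key}[[:space:]]*=[[:space:]]*\"" "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    line=${line#*\"}      # drop everything up to the opening quote
    line=${line%%\"*}     # drop the closing quote and anything after it
    printf '%s\n' "$line"
}

# Check KEY=EXPECTED pairs against the file; KEY=* means "any non-empty value".
# Prints one line per problem and returns the number of problems.
check_messenger() {
    local file="$1" pair key want got bad=0
    shift
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        if ! got=$(csf_conf_get "$file" "$key"); then
            echo "MISSING  $key"; bad=$((bad + 1))
        elif [ "$want" = "*" ] && [ -z "$got" ]; then
            echo "EMPTY    $key"; bad=$((bad + 1))
        elif [ "$want" != "*" ] && [ "$got" != "$want" ]; then
            echo "MISMATCH $key is \"$got\", expected \"$want\""; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: MESSENGER_HTTPS_IN already held "8443", so the sed pattern
# MESSENGER_HTTPS_IN = "" matched nothing, and the secret key was left empty.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# MESSENGER = "0" inside a comment must be ignored
MESSENGER = "1"
MESSENGERV2 = "1"
MESSENGER_HTTPS_IN = "8443"
RECAPTCHA_SITEKEY = "constructed-site-key"
RECAPTCHA_SECRET = ""
EOF
check_messenger "$sample" MESSENGER=1 MESSENGERV2=1 MESSENGER_HTTPS_IN=443 \
    'RECAPTCHA_SITEKEY=*' 'RECAPTCHA_SECRET=*' || echo "problems found: $?"
rm -f "$sample"
```

On a server, run check_messenger as root against /etc/csf/csf.conf before setting up the firewall test block.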

We'd love for you to join us!

Are you constantly looking for new security features to further improve the security of your site or server? If so, Liquid Web has experts ready to help you implement features like this and many others.

Call us at 800.580.4985 or open a chat or ticket with us to speak with one of our experienced support team members to learn more ways to protect your site or server!
