ConfigServer closing down and now what?
Pinned
I just got the announcement in my news feed - https://configserver.com/announcement/
As a user / customer of ConfigServer, purchasing all of their commercial scripts & installation services since 2005 and being very reliant on their products for the past 20 years, I'm pretty floored right now.
Chirpy is the guy who made it possible for me to have a better, more efficient way, of securing my servers / sites / email functions etc.. for my small shared hosting business two decades ago. I've been so grateful for him (and Sarah) all these years... they've been there for me with each new server setup / migration, and I can honestly say I'm truly taken aback while trying to process this news, and truly nervous about what comes next.
Jonathan and Sarah - if you happen to read this - THANK YOU for everything! I would email you a direct thank you message right now, but I assume you are inundated following the announcement today.
To my fellow CSF/LFD/CMM/CMQ/CMC/OSM/MSFE/CXS reliant colleagues out there - any thoughts on what we'll need to do / where to go from here?
Trying to fathom not having the entire suite of amazing tools from ConfigServer, having to remove / replace them, etc... has my mind reeling.
-
Be aware!
Today a collegue on DA discovered that in the /etc/cron.daily the csget cron is still running. This was not removed or disabled like the update cron.
It's just version.txt but the script is still checking on the old download url too so you might want to remove it.
0 -
If you download CSF from github and install it over version 14.24, are the /etc/csf/csf.* files preserved, or do they have to be restored from a backup?
0 -
If you have CSF installed the install script detects it and does an upgrade, so nothing needs to be restored from a backup.
0 -
Thanks quietFinn!
0 -
I have/had CSF installed on my production server. Now I need to get it running on my test server and I can't seem to figure this out. I thought they were releasing this open source on github or something so we could continue to use it? What is cPanel/WHM going to do to replace this? If they're making an inhouse solution then I'd rather wait for that and use it instead.
I don't know what I should do here. I prefer to use services/scripts and the like that have integrations with cpanel/whm0 -
You can install CSF as before, just replace:
wget https://download.configserver.com/csf.tgz
with:
wget https://github.com/waytotheweb/scripts/raw/refs/heads/main/csf.tgzit will install CSF v.15.00
After installation disable auto-updates in CSF settings.1 -
I need to point out that we aren't letting this thread turn into a list of alternative forks. If you're working on something, that's great, but if everyone shared their link this thread would quickly turn into a list of advertisements for particular forks, and I don't want that to be the focus here.
1 -
Had anyone found a good alternative for msfe and OSM monitor? Immunify 360 is way to expensive and does not even stop spam for incoming emails
Regards
0 -
Hello cPRex,
There's some news from cPanel about this; csf has always been recommended by cPanel over the years.
It seems that DirectAmin has done something about it.
It also seems that Aetherinox has taken over the continuation of CSF development in a major way. eva2000 a person I consider very reliable and serious, also mentioned it.
Is anyone using Aetherinox's CSF? How do you find it? Is it reliable?
Does your CSF completely overwrite the original 15.00 or does it retain the various settings?
They've already released several releases; they're currently at 15.07.
https://github.com/Aetherinox/csf-firewall
Thanks
1 -
If you have any specific feedback about the upcoming firewall tool you can post it to the features site at https://features.cpanel.net/c/202-firewall-configuration-tool or I'm happy to copy/paste it over for you!
1 -
Thanks cPRex.
I just wanted to know if anyone is using Aetherinox's version of CSF and if it's reliable.
eva2000 centminmod wrote a very detailed and interesting report on the situation which I report in part
## Community preserves CSF through mirrors and forks
The open-source community has responded decisively to the shutdown announcement with multiple preservation efforts. The **Aetherinox/csf-firewall GitHub fork** emerges as the most promising community-maintained version, featuring enhanced capabilities including a dark theme, Docker and OpenVPN integration patches, updated IP blocklists refreshed every 6 hours, and Traefik integration with Authentik support. This fork, last updated October 24, 2025, demonstrates active development beyond the original CSF capabilities.
https://github.com/centminmod/configserver-scripts/commit/d04e80854134177512d726b5e2849546904d1444
0 -
I wouldn't have a way to know that information.
0 -
Haven't use Aetherinox CSF Firewall version in production yet. But author was responsive to my questions and concerns, see
1 -
Hi eva2000,
I understand it's best to wait for now.For those accustomed to the original version of CSF and not very experienced, it might be a bit difficult. Better to wait.I was hoping you'd get full support for CSF :), I've been following you around on various forums for many years.Keep us updated.Thanks1 -
May be BitNinja an alternative?
0 -
Hello,
Good news :)
https://features.cpanel.net/c/202-firewall-configuration-tool
We understand the impact the CSF shutdown has had on you and your business, and are aware of the concerns around running unsupported security software on your servers. In response, we are working on an official cPanel supported GPLv3 fork of CSF that is intended to receive critical security updates and fixes for the time being. We hope this provides some stability while we continue shaping what firewall security should look like inside the product long-term. We will share more details on the fork in the coming weeks, with an expected release in early 2026. (updated November 24, 2025)
4 -
Perhaps add a note in the article about removing that legacy cron job:
rm -v /etc/cron.d/csf-cron
Be careful with this. The file doesn't only manage legacy tasks that are no longer wanted. For example, if you have CSF doing RBL checks, that command will be in this file. So, the ideal solution is probably to check the contents first. Remove tasks that shouldn't be run and leave the ones that should.
0 -
FYI, I started a public tracking Github repo for Aetherinox CSF Firewall forked version that compares changes to the official CSF v15.00 GPLv3 release at https://github.com/centminmod/csf-firewall-aetherinox-tracking and direct file at aetherinox-fork-changes.md as some some folks are curious about Aetherinox fork version. Github star if you like :)
0 -
0
-
@... yep, looking forward to it :)
In meanwhile instead of disabling automatic updates this is a better alternative IMHO:
https://black.host/hc/security/csf/cant-connect-to-download-configserver-com/-1 -
As cPanel just announced they will be taking over the original fork of csf I thought I’d point something out which may affect others.
On Feb 18th cpanel will update csf with their version if:
Your server is using cPanel & WHM with the original CSF plugin.
CSF is configured to use the original ConfigServer/W2W update source.
Your server is running CSF version 14.0 or newer.
The CSF AUTO_UPDATES setting is enabled.Some hosts, like us edited the download.configserver url to prevent a security risk if by any chance the domain was repurchased by someone with untrustworthy intentions.
If you did the same you’ll need to edit it back to the original url before feb 18th if you want the cpanel version.
0 -
Hello,
Where was the February 18th date announced?I don't think I've seen any official announcement.The only press release is thisIs there any news from cPanel?Thanks0 -
This is the full auto generated email, I suspect it triggered on the latest update
Dear WHM administrator,
We're writing about ConfigServer Security & Firewall (CSF) and an important update to keep your servers protected.
Way to the Web LTD (W2W / ConfigServer), the vendor behind the CSF plugin, permanently shut down on August 31, 2025, ending all support and distribution for CSF. Before closing, W2W released the CSF code "as-is" under the GNU General Public License v3 (GPLv3), with no plans for further maintenance or support.
CSF remains widely deployed on cPanel & WHM servers and plays a critical role in server security. To maintain ecosystem security, cPanel will be publishing and maintaining a public fork of CSF focused solely on critical security and stability fixes. This fork is based on the final upstream release and will be made available in cPanel & WHM's public GitHub repository under GPLv3, consistent with the original project's license.
What this means for you
Currently, CSF installations that point to ConfigServer/W2W’s original update server at download.configserver.com cannot receive updates because that infrastructure is offline. This can leave servers without future security fixes and may also trigger update/cron errors during scheduled checks.
To restore a working update path, on February 18, 2026, we'll automatically update the CSF configuration on eligible cPanel & WHM servers to point to our update mirrors instead of the decommissioned ConfigServer/W2W source.
This configuration update applies only if all of the following are true:
Your server is using cPanel & WHM with the original CSF plugin.
CSF is configured to use the original ConfigServer/W2W update source.
Your server is running CSF version 14.0 or newer.
The CSF AUTO_UPDATES setting is enabled.
We will not make any changes if any of the following are true:Your server is already using an alternate CSF provider:
cat /etc/csf/version.txt
Versions greater than 14.24 will not be switched over, so if the provider has updated the version file, you do NOT need to take the following action:
echo '14.25' > /etc/csf/version.txt
Your server is running CSF version 13.x or older.
The CSF AUTO_UPDATES setting is disabled.
If you’re currently using CSF, it will continue to run with the same rules and configuration you already have in place. This effort is simply to ensure critical security and stability fixes from our fork can still be delivered.Manage updates yourself (optional)
You're in control of how CSF updates are handled on your servers - whether you want updates to apply automatically, on your own schedule, or from a different source. If you do not want cPanel to update your CSF configuration on February 18, 2026, follow these steps before this date to disable automatic updates and exclude the server from the change:
Navigate to ConfigServer Security & Firewall.
Select csf - ConfigServer Firewall.
Open Firewall Configuration.
Under Initial Settings, set AUTO_UPDATES to off.
Save your changes.
If you disable the AUTO_UPDATES setting before February 18, the configuration change will not be applied to your server. If you later decide you’d like updates from the cPanel-maintained fork, run /scripts/autorepair cpanel_csf_install to update the source, then re-enable the AUTO_UPDATES setting.Updates will be distributed through the same mechanism the original version used: servers with the AUTO_UPDATES setting enabled will receive patches automatically, and servers with the AUTO_UPDATES setting disabled can apply updates manually.
For more details and further updates, please review our full support article here.
If you have questions, our support team is here to help.
Best regards,
The cPanel Team
0 -
Thanks,
I missed the warning. :)
0 -
We're currently using the original 15.00 version with download.configserver removed and autoupdate turned off.
Is it enough to just turn autoupdate ON?
What exactly do I need to do to automatically update to the cPanel version?
1 -
ciao70 - if you have autoupdate on you don't need to do anything else to have this work. It's a completely automated process.
0 -
So, is it enough to simply turn on autoupdate on version 15.00?
Even though we removed the old URLs.
0 -
The email that was posted a bit ago is very specific as to how the changes are handled:
This configuration update applies only if all of the following are true:
Your server is using cPanel & WHM with the original CSF plugin.
CSF is configured to use the original ConfigServer/W2W update source.
Your server is running CSF version 14.0 or newer.
The CSF AUTO_UPDATES setting is enabled.We will not make any changes if any of the following are true:
Your server is already using an alternate CSF provider:
cat /etc/csf/version.txt
Versions greater than 14.24 will not be switched over, so if the provider has updated the version file, you do NOT need to take the following action:
echo '14.25' > /etc/csf/version.txt
Your server is running CSF version 13.x or older.
The CSF AUTO_UPDATES setting is disabled.==========================================================================
If you've manually updated the URLs to use a third-party open source provider, you wouldn't receive the update automatically. There will definitely be ways to manually switch to the cPanel-provided version.
0 -
@... - if you haven't made any manual changes, you're all set!
Remember, this is just the initial "we're switching the update target for people that haven't touched anything" release. We're not actually making any changes yet, just setting the state. There will be much more announcements and control options before this is live and running through us.
0
Post is closed for comments.
Comments
258 comments