ConfigServer closing down and now what?
Pinned
I just got the announcement in my news feed - https://configserver.com/announcement/
As a user / customer of ConfigServer, purchasing all of their commercial scripts & installation services since 2005 and being very reliant on their products for the past 20 years, I'm pretty floored right now.
Chirpy is the guy who made it possible for me to have a better, more efficient way, of securing my servers / sites / email functions etc.. for my small shared hosting business two decades ago. I've been so grateful for him (and Sarah) all these years... they've been there for me with each new server setup / migration, and I can honestly say I'm truly taken aback while trying to process this news, and truly nervous about what comes next.
Jonathan and Sarah - if you happen to read this - THANK YOU for everything! I would email you a direct thank you message right now, but I assume you are inundated following the announcement today.
To my fellow CSF/LFD/CMM/CMQ/CMC/OSM/MSFE/CXS reliant colleagues out there - any thoughts on what we'll need to do / where to go from here?
Trying to fathom not having the entire suite of amazing tools from ConfigServer, having to remove / replace them, etc... has my mind reeling.
-
Thanks for everything, upgraded to 15 now! ciao70 times change and I hated giving up my business for a real job - All the best for your future, and thanks for all the support and your brilliant tools that let me sleep at night.
0 -
upgraded to 15 now!
I've upgraded csf to the latest version...
csf -u
But it says:
[root@srv02 ~]# csf -u
csf is already at the latest version: v14.24How did you upgrade to 15?
Thanks
0 -
Hi,
check out Eva2000's guide
https://github.com/centminmod/configserver-scripts/blob/main/README-gpl-csf.md
Migration Guide
1 -
Hi,
check out Eva2000's guide
https://github.com/centminmod/configserver-scripts/blob/main/README-gpl-csf.md
Thank you!
Edit: I had to turn 'AUTO_UPDATES = Off' in /etc/csf/csf.conf 'Firewall Configuration' to disable it too, or you get "Oops: Unable to download: No Host option provided" email via daily cron!
0 -
I also got rid of the following:
In /etc/cron.d
cxs-cron -> /etc/cxs/cxs-cron # symlink
cxsdb-cronIn /etc/cron.daily:
csget
cxsdaily.sh -> /etc/cxs/cxsdaily.sh # symlink0 -
Looks like site and domain are shutdown now too https://download.configserver.com/csf/ is no more
0 -
how to update to the latest 15 version?
How to install it on new servers from Github?0 -
As mentioned above, check out Eva2000's guide:
https://github.com/centminmod/configserver-scripts/blob/main/README-gpl-csf.md
0 -
Thank yo uso much! i missed it because i was very curious about the new CSF. Thanks!
0 -
I tried the first two steps, backing up the old version, and it couldn't find this file:
cp /usr/local/csf/version.txt /usr/local/csf/version-backup.txt
Which while it's not likely a major issue, makes me concerned to proceed if other files aren't quite where they should be. Anyone else had this, but then a perfect zero problem install?
1 -
Achmed A There is nothing new, just updates are disabled.
BobHoliday Yeah that's correct, that file is non existing so don't worry about it.
1 -
While downloads is gone, the main site is still online: https://configserver.com/announcement/
1 -
Is there any point in updating to the open source version? Is there actually a security issue with the last update from CSF? What does cPanel recommend doing - and is there going to be any announcement update?
0 -
The wording for my error message was alittle different than what was on frenziedfox post.
Mine read "Oops: Unable to download: Can't connect to download.configserver.com:443 (Connection refused)"
So i guess that means that i too need to edit the "/etc/csf/csf.conf" config file and disable auto updates?
Actually you can disable auto update in the initial settings of csf :)
I will have to look to see how to disable cs explorer and cs modsec auto updates or maybe its hard coded in the code, i dont know yet :)
For explorer, in /var/cpanel/apps/cse.conf it shows
upgradecall=/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/upgrade.sh
But there is no dir like that, the closest i can get is /whostmgr/ there is no docroot dir
For modsecurity /var/cpanel/apps/cmc.cont it shows
upgradecall=/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc/upgrade.sh
Again same issue, /docroot does not exist
0 -
So i guess that means that i too need to edit the "/etc/csf/csf.conf" config file and disable auto updates?
You basically answered it, but yes, set AUTO_UPDATE to 0 and then restart CSF. That will remove the update cron.
0 -
If you are running CXS and have the Configserver mod_security vendor added, during nightly UPCP you are going to see the following, which will result in each of your servers sending you an email indicating cPanel and WHM Update Failure:
[2025-09-02 03:32:24 -0400] - Processing command `/usr/local/cpanel/scripts/modsec_vendor update --auto`
[2025-09-02 03:32:25 -0400] [/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL “https://download.configserver.com/waf/meta_configserver.yamlâ€: The system could not download the file “https://download.configserver.com/waf/meta_configserver.yamlâ€: curl: (7) Failed to connect to download.configserver.com port 443: Connection refused
[2025-09-02 03:32:25 -0400] [/usr/local/cpanel/scripts/modsec_vendor]
[2025-09-02 03:32:25 -0400] E [/usr/local/cpanel/scripts/modsec_vendor] The “/usr/local/cpanel/scripts/modsec_vendor update --auto†command (process 1198879) reported error number 1 when it ended.
[2025-09-02 03:32:25 -0400] The Administrator will be notified to review this output when this script completes0 -
go to WHM -> Security Center -> ModSecurity Vendors
and turn ConfigServer Updates OFF1 -
Thanks, @quietFinn. I should have known that. I'm sure there will be others who have forgotten that bit of info too though, so it's good to have posted it and gotten the solution from you.
M
0 -
mtindor thanks, but i dont have it listed under vendors, i never added it. :)
@quietFinn I dont have ConfigServer Updates in my WHM -> Security Center -> ModSecurity Vendors
What i am trying to do is disable the auto check when i open cs explorer or cs modsecurity. When i open those apps it auto checks for latest version and im wanting to disable that. My first thought was to change this line in the cs explorer config file
from
upgradecall=/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/upgrade.sh
to
upgradecall=''
I was also thinking of leaving the upgradecall the same but changing the filename it calls and creating a empty upgrade.sh file(which i assume is a text file with the sh extension)
I searched for the file name and this is everything it found.
File: [Home]/var/cpanel/plugins/monitoring-agent/upgrade.sh
File: [Home]/usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf/upgrade.sh
File: [Home]/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/upgrade.sh
File: [Home]/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc/upgrade.sh
File: [Home]/home/virtfs/USERNAME/var/cpanel/plugins/monitoring-agent/upgrade.sh
File: [Home]/home/virtfs/USERNAME/usr/local/cpanel/whostmgr/docroot/cgi/configserver/csf/upgrade.sh
File: [Home]/home/virtfs/USERNAME/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/upgrade.sh
File: [Home]/home/virtfs/USERNAME/usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc/upgrade.shWhy dont i have the docroot dir? hmmmm!
Found it, there is a whostmgr and a Whostmgr dir, i was looking in Whostmgr by mistake
I think its on line 676 in /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse.cgi
unless (-e "/usr/local/cpanel/whostmgr/docroot/cgi/csenocheck") {
my ($status, $text) = &urlget("https://$downloadserver/cse/cseversion.txt");
my $actv = $text;
my $up = 0;
if ($actv ne "") {
if ($actv =~ /^[\d\.]*$/) {
if ($actv > $myv) {
print "<tr><form action='$script' method='post'><td><input type='hidden' name='do' value='upgrade'><input type='submit' class='btn btn-default' value='Upgrade cse'></td><td width='100%'><b>A new version of cse (v$actv) is available. Upgrading will retain your settings<br><a href='https://$downloadserver/cse/CHANGELOG.txt' target='_blank'>View ChangeLog</a></b></td></form></tr>\n";
} else {
print "<tr><td colspan='2'>You are running the latest version of cse.<br>An Upgrade button will appear here if a new version becomes available</td></tr>\n";
}
$up = 1;
}
}The variable name is $downloadserver which is set in the top section of the file. There are 14 occurances so ill keep checking.
UPDATE: ok not sure which way to do this, i think there are 4 options here.
1. Edit the config file and set the update variable to ''
2. Edit the cgi file code setting the variable for $downloadserver to something else but this would also include option 3 below (if not there will be 404 for the file name)
3. Change the cgi file code to reflect another filename that is called by the $downloadserver value.
4. Change the if statements in the cgi file, reverse them so that it is always false and never calls home.
One way or the other i think this might take some major mod to the cgi file.
0 -
So if CSF is GPL'd, then I should not have to switch to anything. correct?
0 -
Not unless you are going to move to RHEL 10 or alike, or something similar where CSF is not working.
0 -
Any solution you can recommend to replace MSFE and OSM? Since they were commercial software, I think they won't be open sourced. Any alternatives?
Thanks!
0 -
Fernando Barajas I would like to test magicspam ...
0 -
Hi cPRex
Can you pinned the discussion? :)
Thanks
0 -
Done!
0 -
Thanks :)
0 -
Hopefully some updates such as
- ASN blocking as an option in addition to existing whole CC blocks
- using ipinfo data (free) rather than maxmind
- probably a lot more suggestions but they removed their forum (probably accessible via waybackmachine)
if someone with the skills takes it on.
0 -
This already exists. if you set CC_SRC = "2" it will use free sources. In CC_DENY you can put AS## and it will block the AS.
0 -
Here's a nice update from the I360 team!
0 -
Immunify360 does not provide a Mailscanner frontend alternative
0
Post is closed for comments.
Comments
258 comments