Bug Report: CSF Configuration Not Persisting After CyberPanel Upgrade

Bug Report: CSF Configuration Not Persisting After CyberPanel Upgrade

Summary:

After upgrading CyberPanel, the CSF (ConfigServer Security & Firewall) module under Security > CSF does not retain user configurations. The firewall settings reset to default, causing loss of custom rules—especially custom SSH port changes. This results in repeatedly having to reconfigure the firewall and, at times, being locked out of SSH.

Steps to Reproduce:

  1. Log in to CyberPanel and go to Security > CSF.
  2. Edit and save custom firewall rules (e.g., change the SSH port, allow/disallow custom ports).
  3. Upgrade CyberPanel to a new version.
  4. Return to Security > CSF and check the firewall configuration.

Expected Result:

  • Custom CSF settings (including allowed/blocked ports and SSH port changes) are preserved after CyberPanel upgrades.

Actual Result:

  • After upgrade, CSF reverts to default settings.
  • Custom rules and port changes are lost.
  • Have to manually re-enter or re-add custom ports and settings.
  • On several occasions, this has locked me out of SSH when my custom port was lost from the allowed list, even if I enter it manually in ConfigServer Security & Firewall (Cyberpanel → Security → Firewall) config file.

Environment:

  • **CyberPanel Version: 2.4.2
  • **OS:**AlmaLinux 9
  • CSF Version: [ csf v14.24]
  • Panel Upgrade Method: [via SSH]

Notes:

  • This has happened on multiple upgrades.
  • Especially affects users who use non-default SSH ports for security.

Suggested Solution:

  • Ensure that CyberPanel upgrade scripts do not overwrite or reset user-customized CSF configuration files.
  • Add a backup/restore step for CSF config during panel upgrade.
  • Warn users if custom CSF settings may be lost on upgrade.

Workaround:

  • Manually back up /etc/csf/csf.conf and other CSF config files before every upgrade and restore them after.

Thank you for your attention, this issue can lead to accidental server lockouts and downtime.

Thank you for reporting this issue. I’ve identified and fixed the bug that was causing CSF configurations to be reset during CyberPanel upgrades.

What was the problem:
The upgrade script was restoring the CSF configuration files before installing CSF, which meant that the installation process was overwriting the restored configurations with default values.

The fix:
I’ve corrected the order of operations in the upgrade process:

  1. Before: Backup → Remove CSF → Restore files → Install CSF (overwrites restored files)
  2. After: Backup → Remove CSF → Install CSF → Restore files → Restart CSF

Changes made in /usr/local/CyberCP/plogical/upgrade.py:

  • Moved the restore_files() call to execute after CSF installation completes
  • Added csf -r command to restart CSF with the restored configuration
  • Improved error handling to log any issues during file restoration

The fix ensures that your custom CSF configurations (csf.allow, csf.deny, csf.conf, csf.ignore, etc.) are properly preserved during CyberPanel upgrades.

This fix is now in the v2.4.2 branch. Your CSF configurations will be maintained across future upgrades.


The fix backs up and restores these CSF files:

  • /etc/csf/csf.allow
  • /etc/csf/csf.deny
  • /etc/csf/csf.conf
  • /etc/csf/csf.ignore
  • /etc/csf/csf.rignore
  • /etc/csf/csf.blocklists
  • /etc/csf/csf.dyndns