Update (12 Oct 2025): CSF v15.01 is out and auto-updates are back. Read more about it.
The shutdown of ConfigServer Ltd. in August 2025 left CSF (ConfigServer Security & Firewall) installations without a working update source.
By default, CSF tries to download updates from download.configserver.com, which no longer exists. As a result, administrators are seeing this error:
Oops: Unable to download: Can't connect to download.configserver.com:443 (Connection refused)This guide explains how to resolve the issue, configure custom update servers, and ensure long-term continuity using a reputable fork of CSF.
Why This Error Happens
- CSF relies on predefined update servers for fetching new versions.
- The default endpoint (
download.configserver.com) was shut down. - If no alternate servers are configured, CSF cannot update and throws this error.
Quick Workarounds
Option 1 — Disable Auto-Updates
If you want to stop error spam until a permanent fix is applied:
Edit CSF configuration:
nano /etc/csf/csf.confSet:
AUTO_UPDATES = "0"Restart services:
systemctl restart csf lfdThis halts auto-update attempts.
Option 2 — Use /etc/csf/downloadservers
The supported way to change CSF update servers is to define them in:
/etc/csf/downloadserversCreate or edit the file:
nano /etc/csf/downloadserversAdd one or more mirrors (one per line) Example:
download1.csf.example.com
download2.csf.example.comSave and exit.
Restart CSF:
csf -rCSF will randomly pick a server from this list when checking for updates.
Option 3 — Patch config.pm as a Fallback
If /etc/csf/downloadservers is missing or empty, CSF falls back to the hardcoded server in:
/usr/local/csf/lib/ConfigServer/config.pmEdit the file:
nano /usr/local/csf/lib/ConfigServer/config.pmFind this section at the end of the file:
## start getdownloadserver
sub getdownloadserver {
my @servers;
my $downloadservers = "/etc/csf/downloadservers";
my $chosen;
if (-e $downloadservers) {
foreach my $line (slurp($downloadservers)) {
$line =~ s/$cleanreg//g;
if ($line =~ /^download/) {push @servers, $line}
}
$chosen = $servers[rand @servers];
}
if ($chosen eq "") {$chosen = "download.configserver.com"}
return $chosen;
}
## end getdownloadserverReplace with a working source (Example):
if ($chosen eq "") {$chosen = "download1.csf.example.com"}Save and restart:
csf -rLong-Term Solution: Switch to a Maintained Fork
Since upstream CSF is abandoned, a community-backed fork is the best path forward.
Aetherinox / csf-firewall
- Drop-in compatible with existing CSF configs and commands.
- Regularly maintained on GitHub: Aetherinox/csf-firewall
- Enhancements include:
- Docker & OpenVPN integration patches
- Dark-theme UI support
- Updated ipset blocklists (AbuseIPDB, IPThreat, etc.)
This fork can be used both as a replacement firewall and as an update source in /etc/csf/downloadservers.
Verification
After applying any fix, verify that CSF is healthy:
csf -e # Ensure CSF is enabled
csf -l # List active firewall rules
lfd status # Confirm LFD daemon is runningBest Practices
- Always backup
/etc/csf/before making changes. - Keep
/etc/csf/downloadserversupdated with multiple sources. - Patch
config.pmwith a fallback mirror to prevent outages. - Consider migrating to forks like Aetherinox/csf-firewall for future security updates.
- For enterprise deployments, manage CSF configs with Ansible or Puppet to ensure consistency across servers.
Recap
| Issue | Fix |
|---|---|
| Error: “No Host option provided” | Define custom update servers in /etc/csf/downloadservers |
| Update server dead | Patch fallback in /usr/local/csf/lib/ConfigServer/config.pm |
| Long-term maintenance | Switch to Aetherinox/csf-firewall fork |
🔐 With these changes, you can keep CSF functioning as a drop-in firewall while preparing for a smooth transition to a community-maintained fork.
