Config Server Firewall (CSF) is a free, advanced firewall for most Linux distributions and Linux-based VPS. In addition to the basic function of a firewall, filtering packets, CSF ships with lfd (the Login Failure Daemon), which adds login, intrusion and flood detection. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers command-line usage. lfd recognises many attack patterns, such as port scans, SYN floods and login brute-force attempts against many services, and by default it temporarily blocks the offending client IP addresses in the firewall.
The full list of supported operating systems and features can be found on ConfigServer’s website.
Following is a CSF cheat sheet which I created from its help menu (csf -h). The commands I use most often are listed at the top of the table.
Command | Extended Command | Description | Example |
---|---|---|---|
csf -h | --help | Show this message | root@server[~]#csf -h |
csf -r | --restart | Restart firewall rules | root@server[~]#csf -r |
csf -d [IP.add.re.ss] [comment] | --deny ip | Deny an IP and add to /etc/csf.deny | root@server[~]#csf -d 11.22.33.44 Blocked This Guy |
csf -dr [IP.add.re.ss] | --denyrm ip | Unblock an IP and remove from /etc/csf.deny | root@server[~]#csf -dr 22.33.44.55 |
csf -df | --denyf | Remove and unblock all entries in /etc/csf.deny | root@server[~]#csf -df |
csf -tr [IP.add.re.ss] | --temprm ip | Remove an IP from the temporary IP ban or allow list | root@server[~]#csf -tr 55.66.77.88 |
csf -td [IP.add.re.ss] [ttl] | --tempdeny ip ttl [-p port] [-d direction] | Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds; one suffix of h/m/d may be used). Optional port. Optional direction of block: in, out or inout (default: in) | root@server[~]#csf -td 11.22.33.44 1h -p 22 -d in |
csf -a [IP.add.re.ss] [comment] | --add ip | Allow an IP and add to /etc/csf.allow | root@server[~]#csf -a 33.44.55.66 Home IP Address |
csf -tf | --tempf | Flush all IPs from the temporary IP entries | root@server[~]#csf -tf |
csf -g [IP.add.re.ss] | --grep ip | Search the iptables rules for an IP match (incl. CIDR) | root@server[~]#csf -g 44.55.66.77 |
csf -v | --version | Show csf version | root@server[~]#csf -v |
csf -u | --update | Check for updates to csf and upgrade if available | root@server[~]#csf -u |
csf -l | --status | List/Show iptables configuration | |
csf -l6 | --status6 | List/Show ip6tables configuration | |
csf -s | --start | Start firewall rules | |
csf -f | --stop | Flush/Stop firewall rules (Note: lfd may restart csf) | |
csf -q | --startq | Quick restart (csf restarted by lfd) | |
csf -sf | --startf | Force CLI restart regardless of LFDSTART setting | |
csf -ar [IP.add.re.ss] | --addrm ip | Remove an IP from /etc/csf.allow and delete rule | |
csf -t | --temp | Display the current list of temp IP entries and their TTL | |
csf -ta [IP.add.re.ss] [ttl] | --tempallow ip ttl [-p port] [-d direction] | Add an IP to the temp IP allow list (default: inout) | |
csf -cp | --cping | PING all members in an lfd Cluster | |
csf -cd | --cdeny ip | Deny an IP in a Cluster and add to /etc/csf.deny | |
csf -ca | --callow ip | Allow an IP in a Cluster and add to /etc/csf.allow | |
csf -cr | --crm ip | Unblock an IP in a Cluster and remove from /etc/csf.deny | |
csf -cc | --cconfig [name] [value] | Change configuration option [name] to [value] in a Cluster | |
csf -cf | --cfile [file] | Send [file] in a Cluster to /etc/csf/ | |
csf -crs | --crestart | Cluster restart csf and lfd | |
csf -w | --watch ip | Log SYN packets for an IP across iptables chains | |
csf -m | --mail [addr] | Display Server Check in HTML or email to [addr] if present | |
csf -lr | --logrun | Initiate Log Scanner report via lfd | |
csf -c | --check | Check for updates to csf but do not upgrade | |
csf -uf | | Force an update of csf | |
csf -x | --disable | Disable csf and lfd | |
csf -e | --enable | Enable csf and lfd if previously disabled | |
Whitelisting IP Address / Subnet
To let a specific IP address or subnet through the firewall rules, list it in /etc/csf/csf.allow. Be aware of what that does and does not cover: csf.allow only passes the address through iptables. As the header of the file itself says, lfd can still temporarily block an address listed there (csf.conf has an IGNORE_ALLOW option that changes this). If you want lfd to never block an address, also add it to /etc/csf/csf.ignore. An example csf.allow:
```
###############################################################################
# Copyright 2006-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addresses listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
77.88.99.0/21 # Manually allowed - Mon Apr 03 21:24:45 2016
66.55.44.0/20 # Manually allowed - Mon Jun 16 21:24:45 2014
44.33.22.11/32 # Home IP
11.22.33.44/24 # Local ISP
```
Save the file and restart csf and lfd (csf -ra restarts both) so the new entries are applied. Note that entries must be IP addresses or CIDR ranges: a hostname, or a mistyped address, is silently ignored rather than reported as an error, so check what you wrote before relying on it.
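The following script is an added example, not code from the original post and not part of CSF itself. It shows the two points above in working shell: entries are validated before they are written (csf ignores anything that is not an IP, so a typo fails silently), an address is whitelisted in both csf.allow and csf.ignore so that neither the firewall rules nor lfd block it, and a port-restricted rule is built in the advanced tcp/udp|in/out|s/d=port|s/d=ip format from the file header. The file paths are parameters, so the demo at the bottom writes to temporary files (constructed input); on a real server you would pass /etc/csf/csf.allow and /etc/csf/csf.ignore and then run csf -ra. The function names and the comment/timestamp layout are my own choices.

```sh
#!/bin/sh
# Added example: validate and write csf.allow / csf.ignore entries offline.
# Not part of the original post or of CSF; file paths are passed in.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with /0-32.
# csf silently ignores anything that is not an IP (e.g. a hostname), so a
# typo would otherwise produce a line that does nothing.
valid_ipv4_cidr() {
    ip=${1%%/*}
    prefix=${1#*/}
    # No "/" present: ${1#*/} leaves the string unchanged, so treat it as /32
    [ "$prefix" = "$1" ] && prefix=32
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -f                      # no globbing while splitting on "."
    set -- $ip
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build a rule in the advanced "tcp/udp|in/out|s/d=port|s/d=ip" format from
# the csf.allow header. Inbound: the port is the destination on this host and
# the address is the source. Outbound: both port and address are the
# destination. Prints the rule; returns 1 on bad input.
csf_port_rule() {
    proto=$1 dir=$2 port=$3 addr=$4
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    valid_ipv4_cidr "$addr" || return 1
    case "$dir" in
        in)  printf '%s|in|d=%s|s=%s\n' "$proto" "$port" "$addr" ;;
        out) printf '%s|out|d=%s|d=%s\n' "$proto" "$port" "$addr" ;;
        *)   return 1 ;;
    esac
}

# Append "entry # comment - date" to a csf list file unless that exact entry
# is already present (first field only, so a different comment or timestamp
# does not create a duplicate). Returns 0 either way.
csf_add_entry() {
    file=$1 entry=$2 comment=$3
    [ -f "$file" ] || : > "$file"
    if awk -v e="$entry" '$1 == e { found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s # %s - %s\n' "$entry" "$comment" "$(date '+%a %b %d %H:%M:%S %Y')" >> "$file"
}

# Whitelist an address so that neither the firewall rules nor lfd block it:
# csf.allow alone passes the address through iptables, but (per the csf.allow
# header) lfd can still block it, so the address also goes into csf.ignore.
csf_whitelist() {
    allow_file=$1 ignore_file=$2 addr=$3 comment=$4
    valid_ipv4_cidr "$addr" || { echo "rejected: $addr is not an IPv4 address/CIDR" >&2; return 1; }
    csf_add_entry "$allow_file" "$addr" "$comment"
    csf_add_entry "$ignore_file" "$addr" "$comment"
}

# Demo against throwaway files (constructed input, not the live /etc/csf files).
demo_allow=$(mktemp) demo_ignore=$(mktemp)
csf_whitelist "$demo_allow" "$demo_ignore" 44.33.22.11 "Home IP"
csf_whitelist "$demo_allow" "$demo_ignore" 44.33.22.11 "Home IP"        # second run is a no-op
csf_whitelist "$demo_allow" "$demo_ignore" 44.33.22.0/24 "Local ISP"
csf_whitelist "$demo_allow" "$demo_ignore" home.example.com "typo" || true  # hostname is rejected
# Let the home address reach SSH even when port 22 is not opened in TCP_IN
csf_add_entry "$demo_allow" "$(csf_port_rule tcp in 22 44.33.22.11)" "SSH from home"
echo "== csf.allow"; cat "$demo_allow"
echo "== csf.ignore"; cat "$demo_ignore"
rm -f "$demo_allow" "$demo_ignore"
```

The duplicate check compares only the first field, which is why re-running the script after the timestamp has changed does not grow the files. The port rule is deliberately built from the same validator, so a mistyped source address cannot end up in a rule that silently does nothing.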
Hi, I just want to ask permission if it would be okay to print your cheat sheet for our reference? It would be a great help to us. Thanks.
Hi Chan,
No problem at all. Cheers,
-BMO
Putting an IP into the CSF.allow list BYPASSES all firewall rules for that IP, it effectively ALLOWS the IP through, no matter what. If you want to prevent the IP from being blocked, it needs to go into the CSF.ignore file.
From the docs: “IP addresses listed in csf.accept file will NOT be ignored by lfd, so they can still be blocked. If you do not want lfd to block an IP address you must add it to csf.ignore.”