ConfigServer Security & Firewall (csf) is one of the best-known and most advanced software firewalls for the Linux operating system.
It is very widely used, running on 1000000+ servers, where it prevents unnecessary attacks.
csf is used especially on cPanel servers to prevent web-based attacks, brute-force attacks and DDoS.
It works as a Stateful Packet Inspection (SPI) firewall and as a login and intrusion detection system for Linux.
It is designed to use iptables in the back end to perform all of its tasks.
CSF comes with a service called Login Failure Daemon (LFD), which runs every X seconds, scans the latest log file entries for login attempts, and blocks the IPs that fail repeatedly within a short period of time.
If you are looking for other security-related articles, see:
- How To Protect Server Against Brute Force Attacks With Fail2ban On Linux
- How to Install and Configure Linux Malware Detect (LMD) on Linux
After the successful installation of CSF, you need to disable TESTING mode for CSF to work properly on your system. To do so, run the following command (the -i option makes sed write the change back to the file).
# sed -i 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf
How to Start csf Firewall rules in Linux?
Run the following command to Start the firewall rules.
# csf -s
or
# csf --start
How to Enable csf Firewall in Linux?
Run the following command to Enable csf and lfd daemon.
# csf -e
or
# csf --enable
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:67
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:67
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
Starting lfd: Done
csf and lfd have been enabled
How to Restart csf Firewall rules in Linux?
Run the following command to Restart the firewall rules.
# csf -r
or
# csf --restart
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT tcp opt -- in * out !lo 0.0.0.0/0 -> 83.170.64.2 tcp dpt:53
Restarting bandmin acctboth chains for cPanel
acctboth all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
How to Stop csf Firewall rules in Linux?
Run the following command to Stop the firewall rules.
# csf -f
or
# csf --stop
Stopping lfd: Done
Flushing chain `INPUT'
Flushing chain `FORWARD'
Deleting chain `LOGDROPOUT'
Deleting chain `acctboth'
Restarting bandmin acctboth chains for cPanel
Deleting chain `LOGDROPOUT'
csf and lfd have been disabled
How to Add IP Address in csf Allow List?
If you would like to allow some known IPs through the csf firewall, add those IP addresses to the csf allow list.
# csf -a 103.14.120.108
Adding 103.14.120.108 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 103.14.120.108 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 103.14.120.108
How to Add IP Address in csf Deny List?
If you want to deny some suspicious IPs in the csf firewall, add those IP addresses to the csf deny list.
# csf -d 103.14.120.108
Adding 103.14.120.108 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 103.14.120.108 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 103.14.120.108
How to Check the Added IP Addresses in the csf Allow & Deny List?
Run the following commands if you would like to see which IP addresses have been added to the allow and deny files.
Print the IPs list from csf allow list.
# less /etc/csf/csf.allow
.
.
Print the specific IP from csf allow list.
# grep 103.14.120.108 /etc/csf/csf.allow
103.14.120.108 # Manually allowed - Sat Dec 21 09:07:05 2018
Print the IPs list from csf deny list.
# less /etc/csf/csf.deny
.
.
Print the specific IP from csf deny list.
# grep 103.14.120.108 /etc/csf/csf.deny
103.14.120.108 # Manually denied - Sat Dec 21 09:05:05 2018
Print the IPs list from csf temporary ban list.
# less /etc/csf/csf.tempban
.
.
Print the specific IP from csf temporary ban list.
# grep 103.14.120.108 /etc/csf/csf.tempban
103.14.120.108 # Manually allowed - Sat Dec 21 09:10:05 2018
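The allow and deny files shown above can also be cross-checked for addresses that ended up in both. The shell functions below are an added example, not part of the original article or of csf; the function names are hypothetical, the sample files are constructed, and only plain IPv4/CIDR entries are compared, as exact strings.

```shell
#!/bin/sh
# Added example (not part of csf): find addresses listed in both an allow
# file and a deny file. Function names are hypothetical.

# Print the active plain IPv4 or CIDR entries of a csf list file, one per
# line. Trailing "# ..." comments are dropped; other entry forms are skipped.
csf_list_addrs() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        LC_ALL=C sort -u
}

# Print every entry present in both files. Matching is by exact string, so
# a single IP covered by a CIDR range in the other file is not reported.
csf_list_conflicts() {
    allow_tmp=$(mktemp)
    deny_tmp=$(mktemp)
    csf_list_addrs "$1" > "$allow_tmp"
    csf_list_addrs "$2" > "$deny_tmp"
    LC_ALL=C comm -12 "$allow_tmp" "$deny_tmp"
    rm -f "$allow_tmp" "$deny_tmp"
}

# Constructed sample files, using the entry format shown in the grep output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/csf.allow" <<'EOF'
103.14.120.108 # Manually allowed - Sat Dec 21 09:07:05 2018
192.0.2.10 # constructed entry
EOF
cat > "$demo_dir/csf.deny" <<'EOF'
103.14.120.108 # Manually denied - Sat Dec 21 09:05:05 2018
#192.0.2.10 # commented out, so not an active entry
198.51.100.7 # constructed entry
EOF
csf_list_conflicts "$demo_dir/csf.allow" "$demo_dir/csf.deny"
rm -rf "$demo_dir"
```

On a live server the two arguments would be /etc/csf/csf.allow and /etc/csf/csf.deny.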
How to Remove/Unblock/Unlock Specific IP Address from csf Temporary Ban List?
If you want to remove a specific IP address from the csf temporary ban list, run the following command.
# csf -tr 103.14.120.108
DROP all opt -- in !lo out * 103.14.120.108 -> 0.0.0.0/0
csf: 103.14.120.108 temporary block removed
csf: There are no temporary IP allows
How to Remove/Unblock/Unlock All IP Address from csf Temporary Ban List?
If you want to remove all IP addresses from the csf temporary ban list, run the following command.
# csf -tf
DROP all opt -- in !lo out * 83.170.117.45 -> 0.0.0.0/0
csf: 83.170.117.45 temporary block removed
csf: There are no temporary IP allows
How to Remove/Unblock/Unlock Specific IP Address from csf Allow List?
If you want to remove a specific IP address from the csf allow list, run the following command.
# csf -ar 103.14.120.108
Removing rule...
ACCEPT all opt -- in !lo out * 103.14.120.108 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 103.14.120.108
How to Remove/Unblock/Unlock Specific IP Address from csf Deny List?
If you want to remove a specific IP address from the csf deny list, run the following command.
# csf -dr 103.14.120.108
Removing rule...
DROP all opt -- in !lo out * 103.14.120.108 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 103.14.120.108
How to Remove/Unblock/Unlock All IP Address from csf Deny List?
If you want to remove all IP addresses from the csf deny list, run the following command.
# csf -df
DROP all opt -- in !lo out * 41.82.96.194 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 41.82.96.194
DROP all opt -- in !lo out * 74.208.180.134 -> 0.0.0.0/0
DROP all opt -- in * out !lo 0.0.0.0/0 -> 74.208.180.134
csf: all entries removed from csf.deny
How to Add IP Address in csf Ignore List?
If you want some known IPs to be ignored by all lfd checks, add those IP addresses to the csf ignore list. Note that the file takes one IP address per line.
There is no option to perform this action through the csf command. Hence, we need to add it manually.
# echo "103.14.120.108" >> /etc/csf/csf.ignore
# tail -5 /etc/csf/csf.ignore
103.14.120.108
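Because the ignore list is edited by hand, a plain echo appends a duplicate line on every run and accepts malformed input. The function below is an added example, not part of the original article or of csf; its name and exit codes are hypothetical, and the demo writes to a constructed scratch file rather than the live /etc/csf/csf.ignore.

```shell
#!/bin/sh
# Added example (not part of csf): append one IPv4 address to a
# one-address-per-line file such as csf.ignore, without duplicates.
# Exit status: 0 = added, 1 = already listed, 2 = not a valid IPv4 address.
csf_ignore_add() {
    ip=$1
    file=$2
    # Reject anything other than digits and dots (comments, spaces, newlines).
    case $ip in
        ''|*[!0-9.]*) return 2 ;;
    esac
    # Require the dotted-quad shape, then check each octet is 0-255.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 2
    done
    # -x matches the whole line and -F treats dots literally, so 10.0.0.1
    # is not mistaken for 10.0.0.10 (a plain "grep IP file" would match both).
    grep -qxF "$ip" "$file" 2>/dev/null && return 1
    printf '%s\n' "$ip" >> "$file"
}

# Demo on a constructed scratch file.
demo_file=$(mktemp)
for candidate in 103.14.120.108 103.14.120.108 103.14.120.10 103.14.120.999; do
    rc=0
    csf_ignore_add "$candidate" "$demo_file" || rc=$?
    echo "$candidate -> exit $rc"
done
rm -f "$demo_file"
```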
Important csf Configuration Files
You should know the following csf configuration files so that you can make the necessary changes to them.
- csf.conf - The main configuration file; it has helpful comments explaining what each option does.
- csf.allow - A list of IPs and CIDR addresses that should always be allowed through the firewall.
- csf.deny - A list of IPs and CIDR addresses that should never be allowed through the firewall.
- csf.ignore - A list of IPs and CIDR addresses that lfd should ignore and not block if detected.
- csf.*ignore - Various ignore files that list files, users and IPs that lfd should ignore. See each file for its specific purpose and syntax.
How to Upgrade csf to Latest Available Release?
Run the following command to upgrade csf to the latest available release.
# csf -u
Upgrading csf from v12.11 to 13.05...
Retrieving new csf package...
...5%
...50%
...55%
...100%
Unpacking new csf package...
Selecting installer...
Running csf cPanel installer
Installing csf and lfd
Check we're running as root
Checking Perl modules...mode of `os.pl' changed to 0700 (rwx------)
Using configuration defaults ok
.
.
Stopping lfd: [ OK ]
Starting lfd: [ OK ]
...All done.
Other csf Useful Commands
# csf -c, --check : Check for updates to csf but do not upgrade (Dry run option)
# csf -u, --update : Check for updates to csf and upgrade if available
# csf -v, --version : Show installed csf version
# man csf, csf -h, csf --help : To check the csf command line options