ConfigServer Security & Firewall CSF Commands
On all other control panels and Linux distributions, the firewall should be managed from the server backend (the command line).
All CSF firewall configuration files are in /etc/csf directory.
How to Allow IP address in CSF firewall
You might see a connection timeout error if your ISP IP address is blocked in the server firewall. First go to the whatsmyip.org website to check your ISP IP address.
1. Log into server via SSH as root
2. Run the command “csf -a [ip address]” to whitelist the IP address
In the above command you should replace “ip address” with the actual ISP IP address.
Example :
[root@server /]# csf -a 192.168.1.4
Adding 192.168.1.4 to csf.allow only while in TESTING mode (not iptables ACCEPT)
[root@server /]#
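I have whitelisted the IP address “192.168.1.4” on the above Linux server. Note that the output shows this server is in TESTING mode, so the address was added to csf.allow only and no iptables ACCEPT rule was created. All whitelisted/allowed IP addresses are saved in the “/etc/csf/csf.allow” file.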
[root@server /]# grep 192.168.1.4 /etc/csf/csf.allow
192.168.1.4 # Manually allowed: 192.168.1.4 Thu Mar 2 23:26:52 2017
You can also manually add an IP address to CSF whitelist by editing the ‘csf.allow’ file.
a. Open the file “csf.allow” using vi editor
vi /etc/csf/csf.allow
b. Add the IP address to csf.allow. Save the file and exit
c. Run the command ‘csf -r’ to restart the firewall.
How to Block an IP address in CSF firewall
1. Log into server via SSH as ‘root’ user
2. Run the command “csf -d [ip address]” to block the IP address.
Example :
[root@server ~]# csf -d 192.168.2.5
Adding 192.168.2.5 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.2.5 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.2.5
3. Restart the CSF firewall
[root@server ~]# csf -r
The IP address in the above example 192.168.2.5 will be added to csf.deny file
[root@server ~]# grep 192.168.2.5 /etc/csf/csf.deny
192.168.2.5 # Manually denied: 192.168.2.5 Sun Mar 5 05:10:26 2017
You can also add the IP address to CSF deny list by editing the file /etc/csf/csf.deny.
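Before editing csf.allow or csf.deny by hand, it helps to check whether the address is already listed in either file. The script below is an added example, not from the original page or from ConfigServer; the function names are hypothetical, and it handles only plain single-IPv4 entries like those shown above (no CIDR ranges), matching whole addresses rather than substrings as the grep commands above do.

```sh
#!/bin/sh
# Added example (not part of CSF): exact-match lookup of one IPv4 address
# in csf.allow and csf.deny. Function names are hypothetical.
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"

# valid_ipv4 ADDR: succeed only for four dot-separated octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# list_entries FILE: print the address field of every active line,
# dropping blank lines, comment lines and trailing "# ..." comments.
list_entries() {
    [ -r "$1" ] || return 0
    awk '{ sub(/#.*/, "") } NF { print $1 }' "$1"
}

# ip_status ADDR: print one of invalid, allow, deny, conflict, none.
ip_status() {
    valid_ipv4 "$1" || { echo invalid; return 0; }
    in_allow=no; in_deny=no
    # -x matches the whole line and -F disables regex, so 192.168.1.4
    # does not match 192.168.1.40 the way a plain grep would.
    list_entries "$CSF_ALLOW" | grep -qxF -- "$1" && in_allow=yes
    list_entries "$CSF_DENY"  | grep -qxF -- "$1" && in_deny=yes
    case "$in_allow/$in_deny" in
        yes/yes) echo conflict ;;
        yes/no)  echo allow ;;
        no/yes)  echo deny ;;
        *)       echo none ;;
    esac
}

# Usage: sh csf-ip-status.sh 192.168.1.4
if [ "$#" -gt 0 ]; then ip_status "$1"; fi
```

A result of “conflict” means the address appears in both files and one of the entries should be removed before restarting the firewall.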
How to Enable/Disable CSF firewall
1. Log in to the Linux server via SSH as ‘root’
2. Type the command “csf --enable” OR “csf -e” to enable the firewall. When the firewall was disabled, the command prints “csf and lfd have been enabled”. CSF and lfd are already enabled on this server, so the output is:
[root@server ~]# csf --enable
csf and lfd are not disabled!
To disable the firewall, run “csf -x”:
[root@server ~]# csf -x
csf and lfd have been disabled, use ‘csf -e’ to enable
How to update CSF and upgrade to latest version
1. Log in to your Linux server as ‘root’
2. Run the command “csf -u” OR “csf --update” to update CSF and upgrade if new version is available
[root@server ~]# csf --update
csf is already at the latest version: v10.04
csf firewall on my server is already up-to-date.
3. Run the command “csf -uf” to force an update of CSF
4. The command “csf --check” will check for updates to CSF but will not upgrade to the latest version.
Other useful CSF commands for Server administrators
1. Command to remove an IP address from CSF allow list (Remove an IP address from /etc/csf/csf.allow file and delete the rule)
csf --addrm [IPaddress]
OR
csf -ar [IPaddress]
2. Command to delete an IP address from CSF deny list (Remove IP from /etc/csf/csf.deny)
csf --denyrm [IPaddress]
OR
csf -dr [IPaddress]
3. Command to remove and unblock all entries in CSF deny list /etc/csf/csf.deny (this option clears the whole list, so it takes no IP address)
csf -df
OR
csf --denyf
4. Command to display the server ports that have a running process behind them
csf --ports
OR
csf -p
5. Command to list all temporary allow and deny IP with their TTL (will show IPs in temporary block and allow)
csf --temp
OR
csf -t