ConfigServer Security & Firewall CSF Commands

In my last post I have discussed about installing CSF firewall. CSF provide user interface for cPanel, webmin and directadmin control panels. These webhosting control panel users can easily manage the CSF firewall without accessing the server backend. Firewall should be managed from server backend on all other control panels and linux distributions.

All CSF firewall configuration files are in /etc/csf directory.
 

How to Allow IP address in CSF firewall

You might see connection timeout error if your ISP IP address is blocked in the server firewall. First go to whatsmyip.org website to check the ISP IP address.

Log into server via SSH as root

Run the command “csf -a [ip address]” to whitelist the IP address

In the above command you should replace “ip address” with the actual ISP IP address.

Example :

[root@server /]# csf -a 192.168.1.4
Adding 192.168.1.4 to csf.allow only while in TESTING mode (not iptables ACCEPT)
[root@server /]#

I have whitelisted the IP address “192.168.1.4” on the above linux server. All whitelisted/allowed IP addresses are saved in “/etc/csf/csf.allow” file.

[root@server /]# grep 192.168.1.4 /etc/csf/csf.allow
192.168.1.4 # Manually allowed: 192.168.1.4 Thu Mar 2 23:26:52 2017

You can also manually add an IP address to CSF whitelist by editing the ‘csf.allow’ file.

a. Open the file “csf.allow” using vi editor

vi /etc/csf/csf.allow

b. Add the Ip address in csf.allow. Save the file and exit

c. Run the command ‘csf -r’ to restart the firewall.
 

How to Block an IP address in CSF firewall

1. Log into server via SSH as ‘root’ user

2. Run the command “csf -d [ip address]” to block the IP address.

Example :

[root@server ~]# csf -d 192.168.2.5
Adding 192.168.2.5 to csf.deny and iptables DROP…
DROP all opt — in !lo out * 192.168.2.5 -> 0.0.0.0/0
LOGDROPOUT all opt — in * out !lo 0.0.0.0/0 -> 192.168.2.5

3. Restart the CSF firewall

[root@server ~]# csf -r

The IP address in the above example 192.168.2.5 will be added to csf.deny file

[root@server ~]# grep 192.168.2.5 /etc/csf/csf.deny
192.168.2.5 # Manually denied: 192.168.2.5 Sun Mar 5 05:10:26 2017

You can also add the IP address to CSF deny list by editing the file /etc/csf/csf.deny.
 

How to Enable/Disable CSF firewall

1. Login to Linux server via SSH as ‘root’

2. Type the command “csf –enable” OR “csf -e” to enable the firewall
 

 

How to update CSF and upgrade to latest version

1. Login to your Linux server as ‘root’

2. Run the command “csf -u” OR “csf –update” to update CSF and upgrade if new version is available

[root@server ~]# csf –update
csf is already at the latest version: v10.04

csf firewall on my server is already up-to-date.

3. Run the command “csf -uf” to force an update of CSF

4. The command “csf –check” will check for updates to CSF but will not upgrade to latest version.

Other useful CSF commands for Server administrators

1. Command to remove an IP address from CSF allow list (Remove an IP address from /etc/csf/csf.allow file and delete the rule)

csf –addrm [IPaddress]

OR

csf -ar [IPaddress]

2. Command to delete an IP address from CSF deny list (Remove IP from /etc/csf/csf.deny)

csf –denyrm [IPaddress]

OR

csf -dr [IPaddress]

3. Command to remove and unblock all entries in CSF deny list /etc/csf/csf.deny

csf -df [IPaddress]

OR

csf –denyf [IPaddress]

4. Command to display server ports on which there is running process

csf –ports

OR

csf -p

5. Command to list all temporary allow and deny IP with their TTL (will show IPs in temporary block and allow)

csf –temp

OR

csf -t