How to increase DENY IP limit in CSF firewall



In the CSF firewall, the number of entries kept in /etc/csf/csf.deny is capped by the DENY_IP_LIMIT setting in /etc/csf/csf.conf. When the limit is reached and a new IP is denied, the oldest entries are removed automatically to make room. An example is given below:

root@server [~]# csf -d <ip address>

csf: DENY_IP_LIMIT (200), the following IP's were removed from /etc/csf/csf.deny

In the above example DENY_IP_LIMIT is 200, so the oldest entry in csf.deny was removed when a new IP was added to the deny list.

Follow the steps below to increase the deny IP limit in CSF. Unless CSF is using ipset (LF_IPSET), every entry in csf.deny becomes a separate iptables rule, and iptables evaluates rules sequentially, so a very large deny list adds overhead to every packet and can slow down network traffic and the websites on the server. Make sure the server has sufficient resources before increasing this value, and raise it only as far as you actually need.

1. Log into the Linux server via SSH as root.

2. Take a backup of the CSF configuration file first.

cp -a /etc/csf/csf.conf /etc/csf/csf.conf.original

3. Edit the CSF configuration file with vi (or any other editor).

vi /etc/csf/csf.conf

Find the DENY_IP_LIMIT line and change its value, for example from

DENY_IP_LIMIT = "200"

to

DENY_IP_LIMIT = "500"

If temporary blocks are also being rotated out too quickly, the same applies to DENY_TEMP_IP_LIMIT, which caps the number of temporary blocks CSF keeps.


4. Save the CSF configuration file.

5. Run the command below to restart the firewall so the new limit is loaded:

csf -r

Changes to the CSF configuration file do not take effect until the firewall is restarted.
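The whole procedure above (backup, edit, verify, restart) as a single script. This is an added example and not part of the original page or of CSF itself; the path /etc/csf/csf.conf, the KEY = "value" line format and the csf -r command come from the page, while the function names, the input checks and the sample config used for testing are this example's own. It refuses a value of 0 (which disables the limit) and non-numeric values, and it confirms the edit took hold before restarting the firewall.

```bash
#!/bin/bash
# Added example (not from the page or from CSF): raise DENY_IP_LIMIT safely.
# Assumed: csf.conf lines look like   KEY = "value"   and csf is on PATH.
set -eu

# Print the current value of a csf.conf key, e.g.
#   get_csf_value /etc/csf/csf.conf DENY_IP_LIMIT   -> 200
get_csf_value() {
    local conf=$1 key=$2
    sed -n "s/^${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Back up the config, rewrite KEY = "..." in place, then verify the new value.
# Returns non-zero (and changes nothing) for non-numeric values, for 0 (which
# would disable limiting entirely) and when the key is not present.
set_csf_limit() {
    local conf=$1 key=$2 value=$3
    case $value in
        ''|*[!0-9]*) echo "refusing non-numeric value '$value' for $key" >&2; return 1 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "refusing to set $key to 0: that disables the limit" >&2
        return 1
    fi
    if ! grep -q "^${key}[[:space:]]*=" "$conf"; then
        echo "$key not found in $conf" >&2
        return 1
    fi
    cp -a "$conf" "$conf.original"                      # step 2: backup
    sed -i "s/^\(${key}[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"${value}\"/" "$conf"
    # Verify before anything is restarted; this is the function's exit status.
    [ "$(get_csf_value "$conf" "$key")" = "$value" ]
}

# Live run (as root):  ./raise_deny_limit.sh 500          -> DENY_IP_LIMIT
#                      ./raise_deny_limit.sh 500 1000     -> also DENY_TEMP_IP_LIMIT
main() {
    local conf=/etc/csf/csf.conf
    set_csf_limit "$conf" DENY_IP_LIMIT "$1"
    if [ $# -ge 2 ]; then
        set_csf_limit "$conf" DENY_TEMP_IP_LIMIT "$2"
    fi
    csf -r                                              # step 5: reload the firewall
    echo "DENY_IP_LIMIT is now $(get_csf_value "$conf" DENY_IP_LIMIT)"
}

# Only touch the live config when a value is passed on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the script verifies the edited value before calling csf -r, a typo in the new value or an unexpected line format leaves the running firewall untouched and the backup at /etc/csf/csf.conf.original intact.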


Increasing DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT is helpful when the server is under attack from many different IP addresses (a distributed DoS or brute-force attack), because CSF can then hold more addresses in csf.deny before it starts dropping the oldest blocks. Increasing DENY_IP_LIMIT to a very high value is still not recommended, since the resulting number of iptables rules slows down packet processing on the server.

Setting DENY_IP_LIMIT to 0 disables the limit entirely, so csf.deny and the iptables chains built from it can grow without bound; this is not recommended.