This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) command line commands.
General
Basic CSF configuration files:
- csf.conf – main configuration file for CSF
- csf.allow – list of IPs and CIDR addresses allowed through the firewall
- csf.deny – list of IPs and CIDR addresses denied by the firewall
- csf.ignore – list of IPs and CIDR addresses ignored by lfd
- csf.*ignore – ignore files for users, processes, IPs, etc. (see the full list below)
All configuration files:
List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.
/etc/csf/csf.redirect
List of Reseller accounts that you want to allow access to limited csf functionality.
/etc/csf/csf.resellers
List of directories and files that you want to be alerted when they change.
/etc/csf/csf.dirwatch
List of log files for the UI System Log Watch and Search features.
/etc/csf/csf.syslogs
List of log files for the LOGSCANNER feature.
/etc/csf/csf.logfiles
List of regular expressions for the LOGSCANNER feature.
/etc/csf/csf.logignore
File contains definitions to IP BLOCK lists.
/etc/csf/csf.blocklists
List of executables (exe) command lines (cmd) and usernames (user) that lfd process tracking will ignore.
/etc/csf/csf.pignore
List of domains and partial domain that lfd process tracking will ignore based on reverse and forward DNS lookups.
/etc/csf/csf.rignore
List of files that lfd directory watching will ignore.
/etc/csf/csf.fignore
List of files that LF_SCRIPT_ALERT will ignore.
/etc/csf/csf.signore
List of usernames that are ignored during the LF_EXPLOIT SUPERUSER check.
/etc/csf/csf.suignore
List of user ID’s (UID) that are ignored by the User ID Tracking feature.
/etc/csf/csf.uidignore
List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.
/etc/csf/csf.mignore
List of server-configured IP addresses for which you don’t want to allow any incoming or outgoing traffic.
/etc/csf/csf.sips
List of FQDNs that will be allowed through the firewall. This is controlled by lfd, which resolves each FQDN via DNS and adds the resulting IP address to the ALLOWDYNIN and ALLOWDYNOUT iptables chains.
/etc/csf/csf.dyndns
List of usernames that should be allowed to log via syslog/rsyslog.
/etc/csf/csf.syslogusers
List of IP addresses to which EXIM will advertise SMTP AUTH.
/etc/csf/csf.smtpauth
Optional entries for the IP checking against RBLs within csf.
/etc/csf/csf.rblconf
Show CSF version
csf -v
csf --version
Check for updates but do not upgrade
csf -c
csf --check
Check for updates and upgrade if available
csf -u
csf --update
Help
csf -h
csf --help
Start / Stop
Enable CSF and LFD
csf -e
csf --enable
Disable CSF and LFD
csf -x
csf --disable
Restart firewall rules
csf -r
csf --restart
Start firewall rules
csf -s
csf --start
Stop (flush) firewall rules
csf -f
csf --stop
Permanent Allow / Deny
Check if IP is in any configuration file (deny, allow, temp block, etc.)
csf -g IP
csf --grep IP
grep IP /var/log/lfd.log
Allow an IP (add it to /etc/csf/csf.allow)
csf -a IP
csf --add IP [comment]
Remove an IP from allow list (/etc/csf/csf.allow)
csf -ar IP
csf --addrm IP
Deny an IP (add it to /etc/csf/csf.deny)
csf -d IP
csf --deny IP [comment]
Unblock an IP (remove it from /etc/csf/csf.deny)
csf -dr IP
csf --denyrm IP
Temporary Allow / Deny
Add an IP to the temporary IP allow list
csf -ta IP ttl [-p port] [-d direction] [comment]
csf --tempallow IP ttl [-p port] [-d direction] [comment]
Add an IP to the temporary IP ban list
csf -td IP ttl [-p port] [-d direction] [comment]
csf --tempdeny IP ttl [-p port] [-d direction] [comment]
Remove an IP from the temporary IP ban list
csf -tr IP
csf --temprm IP
List all temporary allow and deny IP entries with their TTL and comment
csf -t
csf --temp
Flush all IPs from the temporary allow / ban lists
csf -tf
csf --tempf
List the iptables configuration
List the IPv4 iptables configuration
csf -l
csf --status
List the IPv6 iptables configuration
csf -l6
csf --status6
Block countries
To allow or block access from whole countries, add the two-letter country code(s) to the CSF configuration file (/etc/csf/csf.conf). To allow access from a country:
CC_ALLOW = ""
To block access from a country:
CC_DENY = ""
Supported country codes:
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW
Disable LFD excessive resource usage alert
Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0:
[root@server #] nano /etc/csf/csf.conf
-----
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"
-----
Set email address for LFD alerts
There is an option in the CSF configuration file to set the email address that lfd alerts are sent to:
[root@server #] nano /etc/csf/csf.conf
LF_ALERT_TO = "email@pcx3.com"
-----
Enable remote access for MySQL
To enable remote access from and to MySQL servers, we need to open port 3306 in csf.allow using its advanced port+IP syntax (proto:direction:d=port:s=source / d=destination). Enable incoming remote MySQL access for a single IP (inbound entries match on the remote source address, s=):
[root@server #] nano /etc/csf/csf.allow
---
tcp:in:d=3306:s=IP-HERE
---
Enable outgoing remote MySQL access to a single IP (outbound entries match on the remote destination address, d=):
[root@server #] nano /etc/csf/csf.allow
---
tcp:out:d=3306:d=IP-HERE
---
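The two csf.allow entries above are easy to get wrong (the separator between fields is a colon, inbound rules filter on s= and outbound rules on d=). The following shell function, added here as an example and not part of the cheatsheet or of the CSF project, builds such an entry from its four fields and validates each of them before anything is appended to /etc/csf/csf.allow. The function name, its argument order and the IPv4-only check are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the cheatsheet or the CSF project): compose a
# csf.allow "advanced" entry, proto:direction:d=port:s=ip (inbound) or
# proto:direction:d=port:d=ip (outbound), and sanity-check every field.
# Usage: csf_allow_entry tcp|udp in|out PORT IPV4
# Prints the entry on stdout and returns 0; on any invalid field prints
# nothing and returns 1, so a bad rule never reaches the firewall.
csf_allow_entry() {
    proto=$1; dir=$2; port=$3; ip=$4

    # Protocol and direction must be exactly what csf understands here.
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$dir" in in|out) ;; *) return 1 ;; esac

    # Port must be a decimal number in 1..65535.
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1

    # IPv4 dotted quad, each octet 0..255 (assumption: no IPv6/CIDR here).
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done

    # Inbound rules match the remote source (s=), outbound rules the remote
    # destination (d=), which is the part most often mixed up by hand.
    if [ "$dir" = in ]; then
        printf '%s:in:d=%s:s=%s\n' "$proto" "$port" "$ip"
    else
        printf '%s:out:d=%s:d=%s\n' "$proto" "$port" "$ip"
    fi
}

# Example usage (constructed documentation address, not a real host):
#   csf_allow_entry tcp in 3306 203.0.113.10 >> /etc/csf/csf.allow && csf -r
```

Because the function only prints on success, it can be used directly with `>>` on csf.allow; a validation failure leaves the file untouched and the non-zero exit status stops the `&& csf -r` restart.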
Prevent DOS attacks
One of the ways to use CSF to block a DOS attack is to use CT_LIMIT to cap the number of connections from a single IP address. Limit the number of connections from an IP to 50:
[root@server #] nano /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----
Specify the port numbers on which to limit connections
[root@server #] nano /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----