CSF

This is a quick and dirty cheatsheet covering useful ConfigServer Firewall (CSF) command-line commands and configuration files.


General

Basic CSF configuration files:

  • csf.conf – main configuration file for CSF
  • csf.allow – allowed IPs and CIDR addresses list on the firewall
  • csf.deny – denied IPs and CIDR addresses list on the firewall
  • csf.ignore – ignored IPs and CIDR addresses list on the firewall
  • csf.*ignore – the other ignore files (users, IPs, etc.)

All configuration files:

List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.

/etc/csf/csf.redirect 

List of Reseller accounts that you want to allow access to limited csf functionality.

/etc/csf/csf.resellers 

List of directories and files that you want to be alerted when they change.

/etc/csf/csf.dirwatch 

List of log files for the UI System Log Watch and Search features.

/etc/csf/csf.syslogs 

List of log files for the LOGSCANNER feature.

/etc/csf/csf.logfiles 

List of regular expressions for the LOGSCANNER feature.

/etc/csf/csf.logignore 

Definitions of the IP block lists that csf can download and apply.

/etc/csf/csf.blocklists 

List of executables (exe), command lines (cmd) and usernames (user) that lfd process tracking will ignore.

/etc/csf/csf.pignore 

List of domains and partial domains that lfd process tracking will ignore, based on reverse and forward DNS lookups.

/etc/csf/csf.rignore 

List of files that lfd directory watching will ignore.

/etc/csf/csf.fignore 

List of files that LF_SCRIPT_ALERT will ignore.

/etc/csf/csf.signore 

List of usernames that are ignored by the LF_EXPLOIT checks.

/etc/csf/csf.suignore 

List of user IDs (UIDs) that are ignored by the User ID Tracking feature.

/etc/csf/csf.uidignore 

List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.

/etc/csf/csf.mignore 

List of server-configured IP addresses for which you do not want to allow any incoming or outgoing traffic.

/etc/csf/csf.sips 

FQDNs listed here are allowed through the firewall. lfd checks the DNS resolution of each FQDN and adds the resolved IP address to the ALLOWDYNIN and ALLOWDYNOUT iptables chains.

/etc/csf/csf.dyndns 

List of usernames that are allowed to log via syslog/rsyslog.

/etc/csf/csf.syslogusers 

The following IP addresses will allow EXIM to advertise SMTP AUTH.

/etc/csf/csf.smtpauth 

This file configures optional entries for the IP checking against RBLs within csf.

/etc/csf/csf.rblconf 

Show CSF version

csf -v 
csf --version 

Check for updates but do not upgrade

csf -c 
csf --check 

Check for updates and upgrade if available

csf -u 
csf --update 

Help

csf -h 
csf --help 

Start / Stop

Enable CSF and LFD

csf -e 
csf --enable 

Disable CSF and LFD

csf -x 
csf --disable 

Restart firewall rules

csf -r 
csf --restart 

Start firewall rules

csf -s 
csf --start 

Stop (flush) firewall rules

csf -f 
csf --stop 

Permanent Allow / Deny

Check if IP is in any configuration file (deny, allow, temp block, etc.)

csf -g IP 
csf --grep IP 
grep IP /var/log/lfd.log 

Allow an IP (add it to /etc/csf/csf.allow)

csf -a IP 
csf --add IP [comment] 

Remove an IP from allow list (/etc/csf/csf.allow)

csf -ar IP 
csf --addrm IP 

Deny an IP (add it to /etc/csf/csf.deny)

csf -d IP 
csf --deny IP [comment] 

Unblock an IP (remove it from /etc/csf/csf.deny)

csf -dr IP 
csf --denyrm IP 
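csf -g answers the question for one IP at a time; the following Python audit, added here as an example and not part of the original cheatsheet or the CSF project, looks at /etc/csf/csf.allow and /etc/csf/csf.deny as a whole. It parses plain IP and CIDR entries, sets aside the advanced protocol|direction|port|ip filter lines, and reports invalid lines, allow entries broader than a /16, and deny entries that overlap an allow entry (csf applies csf.allow before csf.deny, so such an address is in practice still allowed). The two sample files are constructed from RFC 5737 documentation ranges, and the function names are my own.

```python
import ipaddress

# Constructed sample csf.allow / csf.deny bodies. Addresses come from the
# RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_ALLOW = """\
# Constructed csf.allow sample, not a real server's file
203.0.113.10            # office VPN endpoint
198.51.100.0/24         # monitoring subnet
10.0.0.0/8              # an entire private range: far broader than needed
tcp|in|d=3306|s=203.0.113.20   # advanced entry, left for csf to interpret
not-an-ip               # typo that csf would reject
"""

SAMPLE_DENY = """\
203.0.113.10            # also in csf.allow, so this deny never applies
198.51.100.77           # inside an allowed /24
192.0.2.0/24            # scanner range
"""


def parse_list(text):
    """Split a csf.allow/csf.deny body into (networks, advanced, invalid).

    networks: list of (ip_network, comment) for plain IP or CIDR lines
    advanced: protocol|direction|port|ip filter lines, kept verbatim
    invalid:  lines that are neither
    """
    networks, advanced, invalid = [], [], []
    for raw in text.splitlines():
        entry, _, comment = raw.partition("#")   # '#' starts a comment
        entry = entry.strip()
        if not entry:
            continue
        if "|" in entry:
            advanced.append(entry)
            continue
        try:
            networks.append((ipaddress.ip_network(entry, strict=False), comment.strip()))
        except ValueError:
            invalid.append(entry)
    return networks, advanced, invalid


def audit_lists(allow_text, deny_text, max_allow_prefix=16):
    """Return (kind, detail) findings for an allow list and a deny list."""
    allow, _, allow_bad = parse_list(allow_text)
    deny, _, deny_bad = parse_list(deny_text)
    findings = [("invalid-allow", e) for e in allow_bad]
    findings += [("invalid-deny", e) for e in deny_bad]
    # An IPv4 allow entry broader than /16 is almost always a mistake.
    for net, _ in allow:
        if net.version == 4 and net.prefixlen < max_allow_prefix:
            findings.append(("broad-allow", str(net)))
    # csf.allow is applied before csf.deny, so a deny overlapping an allow is dead.
    for dnet, _ in deny:
        for anet, _ in allow:
            if dnet.version == anet.version and dnet.overlaps(anet):
                findings.append(("allow-overrides-deny", f"{dnet} overlaps {anet}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_lists(SAMPLE_ALLOW, SAMPLE_DENY):
        print(f"{kind}: {detail}")
```

On a real server, read the two files into allow_text and deny_text instead of the constructed samples; the /16 threshold is a parameter because a hosting provider legitimately allowing its own large ranges would set it lower.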

Temporary Allow / Deny

Add an IP to the temporary IP allow list

csf -ta IP ttl [-p port] [-d direction] [comment] 
csf --tempallow IP ttl [-p port] [-d direction] [comment] 

Add an IP to the temporary IP ban list

csf -td IP ttl [-p port] [-d direction] [comment] 
csf --tempdeny IP ttl [-p port] [-d direction] [comment] 

Remove an IP from the temporary IP ban list

csf -tr IP 
csf --temprm IP 

List all temporary allow and deny IP entries with their TTL and comment

csf -t 
csf --temp 

Flush all IPs from the temporary allow / ban lists

csf -tf 
csf --tempf 

List the iptables configuration

List the IPv4 iptables configuration

csf -l 
csf --status 

List the IPv6 iptables configuration

csf -l6 
csf --status6 

Block countries

To allow or block access by country, add the country code to the CSF configuration file (/etc/csf/csf.conf). To allow access from a country:

CC_ALLOW = "" 

To block access from a country:

CC_DENY = "" 

Supported country codes:

AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW 

Disable LFD excessive resource usage alert

Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0

nano /etc/csf/csf.conf
-----
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"
----- 

Set email address for LFD alerts

The LF_ALERT_TO option in the CSF configuration file sets the email address that lfd alerts are sent to (EMAIL-HERE is a placeholder for your own address):

nano /etc/csf/csf.conf
-----
LF_ALERT_TO = "EMAIL-HERE"
----- 

Enable remote access for MySQL

To allow remote MySQL connections in either direction, port 3306 must be opened in /etc/csf/csf.allow using the advanced protocol|direction|port|ip entry format.

Enable incoming remote MySQL access for an IP

nano /etc/csf/csf.allow
---
tcp|in|d=3306|s=IP-HERE 
--- 

Enable outgoing remote MySQL access to an IP

nano /etc/csf/csf.allow
---
tcp|out|d=3306|d=IP-HERE
--- 

Mitigate DoS attacks

One way to use CSF against a DoS attack is CT_LIMIT, which caps the number of connections from a single IP address.

Limit the number of connections from an IP to 50

nano /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
---- 

Specify the port numbers on which to limit connections

nano /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
---- 
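The csf.conf edits above (CC_ALLOW/CC_DENY, PT_USERMEM, LF_ALERT_TO, CT_LIMIT, CT_PORTS) all use the same KEY = "value" line format, so they can be checked mechanically. The Python script below is an added example, not code from the original cheatsheet or the CSF project: it parses that format and flags settings that leave protection off or are malformed. It also checks TESTING, a csf.conf setting not covered on this page, which keeps the firewall in a self-flushing test mode until set to 0. The sample configuration is constructed, and the function names are my own.

```python
import re

# Constructed sample in csf.conf's KEY = "value" format; not copied from any real server.
SAMPLE_CSF_CONF = '''\
###############################################################################
# Constructed sample, not a real csf.conf
TESTING = "1"
TESTING_INTERVAL = "5"

# To disable this feature, set this to 0
CT_LIMIT = "0"
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"

# Set to 0 to disable this feature
PT_USERMEM = "200"

LF_ALERT_TO = ""
CC_DENY = "XX,us,GBR"
CC_ALLOW = ""
'''

# A csf.conf setting line looks like:  KEY = "value"  (the value may be empty)
SETTING_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def parse_csf_conf(text):
    """Return {KEY: value} for every KEY = "value" line; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def _valid_port(p):
    p = p.strip()
    return p.isdigit() and 0 < int(p) < 65536


def audit_csf_conf(settings):
    """Return a list of (KEY, message) for settings that weaken or misconfigure csf/lfd."""
    findings = []
    if settings.get("TESTING") == "1":
        findings.append(("TESTING", "TESTING is 1: csf flushes its rules every TESTING_INTERVAL minutes; set to 0 for production"))
    ct_limit = settings.get("CT_LIMIT", "0").strip()
    if not ct_limit.isdigit():
        findings.append(("CT_LIMIT", f"CT_LIMIT {ct_limit!r} is not a number"))
    elif int(ct_limit) == 0:
        findings.append(("CT_LIMIT", "CT_LIMIT is 0: per-IP connection limiting is disabled"))
    ct_ports = settings.get("CT_PORTS", "")
    if ct_ports and not all(_valid_port(p) for p in ct_ports.split(",")):
        findings.append(("CT_PORTS", f"CT_PORTS {ct_ports!r} contains a value that is not a port"))
    if settings.get("PT_USERMEM", "0").strip() == "0":
        findings.append(("PT_USERMEM", "PT_USERMEM is 0: user process memory alerts are disabled"))
    if not settings.get("LF_ALERT_TO", "").strip():
        findings.append(("LF_ALERT_TO", "LF_ALERT_TO is empty: alerts go to the default recipient, not a monitored mailbox"))
    # Country codes must be two upper-case letters (csf uses ISO 3166-1 alpha-2).
    for key in ("CC_DENY", "CC_ALLOW"):
        codes = [c.strip() for c in settings.get(key, "").split(",") if c.strip()]
        bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
        if bad:
            findings.append((key, f"{key} has malformed country codes: {bad}"))
    return findings


def finding_keys(text):
    """Convenience wrapper: the set of setting names flagged for a csf.conf body."""
    return {key for key, _ in audit_csf_conf(parse_csf_conf(text))}


if __name__ == "__main__":
    for key, msg in audit_csf_conf(parse_csf_conf(SAMPLE_CSF_CONF)):
        print(f"{key}: {msg}")
```

Run it against the real file by passing the contents of /etc/csf/csf.conf to parse_csf_conf; remember that csf -r is still needed after any change for the new values to take effect.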
