This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) command line commands, as typed over SSH on the server.

CSF configuration files:

  • csf.conf – main configuration file for CSF
  • csf.allow – allowed IPs and CIDR addresses list on the firewall
  • csf.deny – denied IPs and CIDR addresses list on the firewall
  • csf.ignore – ignored IPs and CIDR addresses list on the firewall
  • csf.*ignore – the other ignore files (users, IPs, ...)
Show CSF version
csf -v 
csf --version 
Check for updates but do not upgrade
csf -c 
csf --check 
Check for updates and upgrade if available
csf -u 
csf --update 
Help
csf -h 
csf --help 
Enable CSF and LFD
csf -e 
csf --enable 
Disable CSF and LFD
csf -x 
csf --disable 
Restart firewall rules
csf -r 
csf --restart 
Start firewall rules
csf -s 
csf --start 
Stop (flush) firewall rules
csf -f 
csf --stop 
Check if an IP is in any configuration file (deny, allow, temp block, etc.); the grep shows the lfd log entries for it
csf -g IP 
csf --grep IP 
grep IP /var/log/lfd.log 
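Added example (not from the cheatsheet): a small shell helper that reports the lfd block events for one IP. The plain `grep IP /var/log/lfd.log` above also matches longer addresses that contain the IP as a substring (grepping for 203.0.113.5 also returns lines about 203.0.113.50), so the helper compares whole whitespace-separated fields instead. The log lines are constructed in the shape of lfd's "*Blocked in csf*" messages; they are not real log data, and the names `lfd_block_events` / `lfd_block_count` are this example's own.

```bash
#!/bin/sh
# Added example: list lfd block events for an exact IP (not cheatsheet code).

# Constructed sample of lfd.log lines (not real data). The last line is a
# failure notice without a block, and the second line is about a *different*
# address (203.0.113.50) that a substring grep for 203.0.113.5 would still match.
SAMPLE_LFD_LOG='Jul  3 10:22:15 web1 lfd[2412]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jul  3 10:40:02 web1 lfd[2412]: (ftpd) Failed FTP login from 203.0.113.50 (XX/Example/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Jul  3 11:05:44 web1 lfd[2412]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jul  3 11:06:10 web1 lfd[2412]: (sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 3 in the last 3600 secs'

# lfd_block_events IP   (log text on stdin)
# Prints "month day time trigger" for every block event whose IP field is
# exactly IP; fields are compared whole, so 203.0.113.50 never matches 203.0.113.5.
lfd_block_events() {
    awk -v ip="$1" '
        index($0, "*Blocked in csf*") == 0 { next }    # keep block events only
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == ip) hit = 1
            if (!hit) next
            # $NF is the trigger that caused the block, e.g. [LF_SSHD]
            printf "%s %s %s %s\n", $1, $2, $3, $NF
        }'
}

# lfd_block_count IP   (log text on stdin): number of block events for IP
lfd_block_count() {
    lfd_block_events "$1" | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample. On a live server:
#   lfd_block_events 203.0.113.5 < /var/log/lfd.log
printf '%s\n' "$SAMPLE_LFD_LOG" | lfd_block_events 203.0.113.5
printf 'block events for 203.0.113.5: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LFD_LOG" | lfd_block_count 203.0.113.5)"
```

On the sample, `grep -c 203.0.113.5` reports four lines, while `lfd_block_count 203.0.113.5` reports the two real block events for that address.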
Allow an IP (add it to /etc/csf/csf.allow)
csf -a IP 
csf --add IP [comment] 
Remove an IP from allow list (/etc/csf/csf.allow)
csf -ar IP 
csf --addrm IP 
Deny an IP (add it to /etc/csf/csf.deny)
csf -d IP 
csf --deny IP [comment] 
Unblock an IP (remove it from /etc/csf/csf.deny)
csf -dr IP 
csf --denyrm IP 
Add an IP to the temporary IP allow list
csf -ta IP ttl [-p port] [-d direction] [comment] 
csf --tempallow IP ttl [-p port] [-d direction] [comment] 
Add an IP to the temporary IP ban list
csf -td IP ttl [-p port] [-d direction] [comment] 
csf --tempdeny IP ttl [-p port] [-d direction] [comment] 
Remove an IP from the temporary IP ban list
csf -tr IP 
csf --temprm IP 
List all temporary allow and deny IP entries with their TTL and comment
csf -t 
csf --temp 
Flush all IPs from the temporary allow / ban lists
csf -tf 
csf --tempf 
List the IPv4 iptables configuration
csf -l 
csf --status 
List the IPv6 iptables configuration
csf -l6 
csf --status6 
To allow/block access from countries, add the country code(s) to the CSF configuration file (/etc/csf/csf.conf):
to allow access from a country:
CC_ALLOW = "" 
to block access from a country:
CC_DENY = "" 
Supported country codes:
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW 
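Added example (not from the cheatsheet): a shell check for the CC_ALLOW / CC_DENY lines in a csf.conf-style file, run before restarting the firewall. It uses the supported list above as its reference set and reports codes that are not in it (including lower-case or misspelt codes) and codes that appear in both lists, where the intended effect is unclear. The csf.conf fragments are constructed for the demo, and the function names (`cc_list_value`, `check_cc_lists`, ...) are this example's own.

```bash
#!/bin/sh
# Added example: lint CC_ALLOW / CC_DENY in a csf.conf-style file (not cheatsheet code).

# Reference set: the supported country codes listed in the cheatsheet.
SUPPORTED_CC="AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW"

# cc_list_value FILE KEY: prints the quoted, comma-separated value of  KEY = "..."
cc_list_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# report_unknown KEY LIST: one line per code in LIST that is not a supported code
report_unknown() {
    echo "$2" | tr ',' '\n' | while read -r code; do
        [ -n "$code" ] || continue
        case ",$SUPPORTED_CC," in
            *",$code,"*) ;;                       # exact, upper-case match
            *) printf 'unknown code in %s: %s\n' "$1" "$code" ;;
        esac
    done
}

# report_overlap ALLOW_LIST DENY_LIST: one line per code present in both lists
report_overlap() {
    echo "$1" | tr ',' '\n' | while read -r code; do
        [ -n "$code" ] || continue
        case ",$2," in
            *",$code,"*) printf 'code in both CC_ALLOW and CC_DENY: %s\n' "$code" ;;
        esac
    done
}

# check_cc_lists FILE: prints every problem found; exit status 1 if there was one
check_cc_lists() {
    allow=$(cc_list_value "$1" CC_ALLOW)
    deny=$(cc_list_value "$1" CC_DENY)
    out=$(report_unknown CC_ALLOW "$allow"
          report_unknown CC_DENY "$deny"
          report_overlap "$allow" "$deny")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed csf.conf fragments (not real configs). The bad one has a
# lower-case "de", the non-code "XX", and "CN" in both lists.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# constructed sample
CC_ALLOW = "US,GB,CN"
CC_DENY = "CN,de,XX"
EOF
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# constructed sample
CC_ALLOW = ""
CC_DENY = "CN,RU"
EOF

# Stand-alone demo; on a server:  check_cc_lists /etc/csf/csf.conf && csf -r
check_cc_lists "$BAD_CONF" || echo "fix /etc/csf/csf.conf before restarting csf"
check_cc_lists "$GOOD_CONF" && echo "country lists look sane"
```

Codes are compared exactly, so a space after a comma or a lower-case code is reported as unknown; that matches the comma-separated, upper-case form the cheatsheet shows.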
Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0 to turn off the user process memory alerts; the block below shows the option with its current value
[root@host #] nano /etc/csf/csf.conf
-----
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"
-----
There is an option in the CSF configuration file that sets the email address alerts are sent to (the address below is a placeholder; use your own)
[root@host #] nano /etc/csf/csf.conf
-----
LF_ALERT_TO = "admin@example.com"
-----
To allow remote MySQL access to or from this server, port 3306 has to be opened in csf.allow (the rules use the advanced proto:direction:d=port:s|d=ip syntax; replace IP-HERE with the actual address)
Enable incoming remote MySQL access for an IP (TCP in to local port 3306 from that source IP)
[root@host #] nano /etc/csf/csf.allow
---
tcp:in:d=3306:s=IP-HERE
---
Enable outgoing remote MySQL access (TCP out to port 3306 on the remote MySQL server)
[root@host #] nano /etc/csf/csf.allow
---
tcp:out:d=3306:d=IP-HERE
---
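Added example (not from the cheatsheet): a shell checker for the advanced csf.allow rule syntax used above. `describe_allow_rule` splits a rule on `:`, validates the protocol, direction, port and address, and prints what the rule means in words, so a malformed line (for instance `tcp:in:d=3306=IP`, with `=` where the `:s=` separator belongs) is rejected before `csf -r` reloads the file. `lint_allow_file` applies it to a whole csf.allow-style file, accepting plain IP/CIDR lines and comments. The sample file is constructed, and the function names are this example's own.

```bash
#!/bin/sh
# Added example: validate csf.allow advanced rules (not cheatsheet code).

# valid_ipv4 ADDR: true if ADDR is a dotted quad, optionally with /0../32
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#"$addr"}                 # "" or "/nn"
    case $prefix in
        "") ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# describe_allow_rule RULE: prints a plain-English description of a rule of the
# form proto:in|out:d=port:s=ip (or d=ip); prints "malformed: ..." and returns 1
# when the rule would not mean what the author intended.
describe_allow_rule() {
    rule=$1
    oldifs=$IFS; IFS=:; set -- $rule; IFS=$oldifs
    if [ $# -ne 4 ]; then
        echo "malformed: '$rule' (expected proto:in|out:d=port:s=ip or d=ip)"
        return 1
    fi
    proto=$1; dir=$2; portkv=$3; addrkv=$4
    case $proto in tcp|udp) ;; *) echo "malformed: protocol '$proto'"; return 1 ;; esac
    case $dir in in|out) ;; *) echo "malformed: direction '$dir'"; return 1 ;; esac
    case $portkv in
        d=*) port=${portkv#d=} ;;
        *) echo "malformed: port field '$portkv' (expected d=port)"; return 1 ;;
    esac
    case $port in ""|*[!0-9]*) echo "malformed: port '$port'"; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo "malformed: port '$port' out of range"; return 1; }
    case $addrkv in
        s=*) role=source ;;            # address the traffic comes from
        d=*) role=destination ;;       # address the traffic goes to
        *) echo "malformed: address field '$addrkv' (expected s=ip or d=ip)"; return 1 ;;
    esac
    addr=${addrkv#??}
    valid_ipv4 "$addr" || { echo "malformed: address '$addr'"; return 1; }
    printf 'allow %s %s, port %s, %s %s\n' "$proto" "$dir" "$port" "$role" "$addr"
}

# lint_allow_file FILE: checks every entry of a csf.allow-style file; comments
# and blank lines are skipped, plain IP/CIDR entries and advanced rules are
# validated. Returns 1 if any line was rejected.
lint_allow_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                    # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        case $entry in
            *:*) describe_allow_rule "$entry" >/dev/null || { echo "rejected: $line"; bad=1; } ;;
            *)   valid_ipv4 "$entry" || { echo "rejected: $line"; bad=1; } ;;
        esac
    done < "$1"
    return $bad
}

# Constructed csf.allow sample (not a real file); the last rule has the typo.
SAMPLE_ALLOW=$(mktemp)
cat > "$SAMPLE_ALLOW" <<'EOF'
# constructed sample
203.0.113.10                       # plain IP entry
10.0.0.0/8
tcp:in:d=3306:s=203.0.113.10       # inbound MySQL from one IP
tcp:out:d=3306:d=198.51.100.20     # outbound MySQL to one server
tcp:in:d=3306=203.0.113.10         # broken: '=' instead of ':s='
EOF

# Stand-alone demo; on a server:  lint_allow_file /etc/csf/csf.allow && csf -r
describe_allow_rule 'tcp:in:d=3306:s=203.0.113.10'
describe_allow_rule 'tcp:out:d=3306:d=198.51.100.20'
lint_allow_file "$SAMPLE_ALLOW" || echo "csf.allow has problems"
```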
One way to use CSF against a DoS attack is CT_LIMIT, which sets the maximum number of connections allowed from a single IP address; addresses that exceed it are blocked
Limit the number of connections from an IP to 50
[root@host #] nano /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----
Specify the ports on which connections are counted against CT_LIMIT
[root@host #] nano /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----
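Added example (not from the cheatsheet): before picking a CT_LIMIT value, it helps to see how many connections per remote IP the server actually carries on the CT_PORTS ports, so that the limit catches a flood without tripping on a busy but legitimate client behind a NAT. The shell function below reads `ss -Htn` style output (one connection per line: State, Recv-Q, Send-Q, Local:Port, Peer:Port) and lists every peer IP with more than LIMIT connections on the listed ports. The sample output is constructed, not captured from a real host, and the function name `over_limit` is this example's own.

```bash
#!/bin/sh
# Added example: per-IP connection counts on the CT_PORTS ports (not cheatsheet code).

# Constructed "ss -Htn" output (not a real capture): one peer with several
# connections to ports 80 and 443 plus a TIME-WAIT one, a quieter peer, and an
# IPv6 peer whose address contains ':' characters.
SAMPLE_SS='ESTAB 0 0 10.0.0.5:80 203.0.113.9:51234
ESTAB 0 0 10.0.0.5:80 203.0.113.9:51235
ESTAB 0 0 10.0.0.5:443 203.0.113.9:51236
TIME-WAIT 0 0 10.0.0.5:80 203.0.113.9:51237
ESTAB 0 0 10.0.0.5:25 203.0.113.9:51238
ESTAB 0 0 10.0.0.5:80 198.51.100.7:40001
ESTAB 0 0 10.0.0.5:22 198.51.100.7:40002
ESTAB 0 0 [2001:db8::1]:80 [2001:db8::10]:40003'

# over_limit LIMIT PORTS [STATE]   (ss output on stdin)
# Prints "peer-ip count" for every peer with more than LIMIT connections to the
# comma-separated local PORTS (empty PORTS = every port, like an empty CT_PORTS).
# With STATE set, only connections in that state are counted; without it every
# state counts, TIME-WAIT included.
over_limit() {
    awk -v limit="$1" -v ports="$2" -v state="$3" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NF < 5 { next }                                   # skip headers / blanks
        state != "" && $1 != state { next }
        {
            local = $4; sub(/^.*:/, "", local)           # local port only
            if (ports != "" && !(local in want)) next
            peer = $5; sub(/:[0-9]+$/, "", peer)          # strip the remote port
            count[peer]++
        }
        END {
            for (ip in count) if (count[ip] > limit) printf "%s %d\n", ip, count[ip]
        }' | sort
}

# Stand-alone demo with the cheatsheet values CT_PORTS = "80,53,22".
# On a server:  ss -Htn | over_limit 50 80,53,22
echo "peers above 2 connections on 80,53,22:"
printf '%s\n' "$SAMPLE_SS" | over_limit 2 80,53,22
echo "peers above 2 ESTAB connections on 80,53,22:"
printf '%s\n' "$SAMPLE_SS" | over_limit 2 80,53,22 ESTAB
```

On the sample, only 203.0.113.9 is above a limit of 2 on ports 80, 53 and 22 (three connections, one of them TIME-WAIT); restricting the count to ESTAB brings it down to two, which shows why the chosen limit and the states counted have to be considered together.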
We need your help!

Do you know a command that we haven't included in this CSF CheatSheet?

Help us keep the VMware Config Server Firewall CheatSheet up-to-date and enrich it by sharing the CSF commands that you know with other system administrators.
