This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) command-line commands, run from an SSH session.
Basic CSF configuration files:
- csf.conf – main configuration file for CSF
- csf.allow – list of IPs and CIDR addresses allowed through the firewall
- csf.deny – list of IPs and CIDR addresses denied by the firewall
- csf.ignore – list of IPs and CIDR addresses ignored by the firewall
- csf.*ignore – the various ignore files (users, IPs, etc.)
All configuration files:
List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.
List of Reseller accounts that you want to allow access to limited csf functionality.
List of directories and files that you want to be alerted when they change.
List of log files for the UI System Log Watch and Search features.
List of log files for the LOGSCANNER feature.
List of regular expressions for the LOGSCANNER feature.
File contains definitions to IP BLOCK lists.
List of executables (exe) command lines (cmd) and usernames (user) that lfd process tracking will ignore.
List of domains and partial domain that lfd process tracking will ignore based on reverse and forward DNS lookups.
List of files that lfd directory watching will ignore.
List of files that LF_SCRIPT_ALERT will ignore.
List of usernames that are ignored during the LF_EXPLOIT check.
List of user IDs (UIDs) that are ignored by the User ID Tracking feature.
List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.
This file is to list any server configured IP addresses for which you don’t want to allow any incoming or outgoing traffic.
The following FQDNs will be allowed through the firewall. This is controlled by lfd, which checks the DNS resolution of the FQDN and adds the IP address to the ALLOWDYNIN and ALLOWDYNOUT iptables chains.
This file contains the usernames which should be allowed to log via syslog/rsyslog.
The following IP addresses will allow EXIM to advertise SMTP AUTH.
This file configures optional entries for the IP checking against RBLs within csf.
Show CSF version
Check for updates but do not upgrade
Check for updates and upgrade if available
Start / Stop
Enable CSF and LFD
Disable CSF and LFD
Restart firewall rules
Start firewall rules
Stop (flush) firewall rules
Permanent Allow / Deny
Check if IP is in any configuration file (deny, allow, temp block, etc.)
csf -g IP
csf --grep IP
grep IP /var/log/lfd.log
Allow an IP (add it to /etc/csf/csf.allow)
csf -a IP
csf --add IP [comment]
Remove an IP from allow list (/etc/csf/csf.allow)
csf -ar IP
csf --addrm IP
Deny an IP (add it to /etc/csf/csf.deny)
csf -d IP
csf --deny IP [comment]
Unblock an IP (remove it from /etc/csf/csf.deny)
csf --denyrm IP
Temporary Allow / Deny
Add an IP to the temporary IP allow list
csf -ta IP ttl [-p port] [-d direction] [comment]
csf --tempallow IP ttl [-p port] [-d direction] [comment]
Add an IP to the temporary IP ban list
csf -td IP ttl [-p port] [-d direction] [comment]
csf --tempdeny IP ttl [-p port] [-d direction] [comment]
Remove an IP from the temporary IP ban list
csf -tr IP
csf --temprm IP
List all temporary allow and deny IP entries with their TTL and comment
Flush all IPs from the temporary allow / ban lists
List the IPtables configuration
List the IPv4 iptables configuration
List the IPv6 iptables configuration
To allow or block access from a country, add the country code to the CSF configuration file (/etc/csf/csf.conf). To allow access from a country:
CC_ALLOW = ""
To block access from a country:
CC_DENY = ""
Supported country codes:
Disable LFD excessive resource usage alert
Open the CSF configuration file (/etc/csf/csf.conf) and set PT_USERMEM to 0:
# nano /etc/csf/csf.conf
-----
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"
-----
Set email address for LFD alerts
There is an option in the CSF configuration file to set the email address for alerts:
# nano /etc/csf/csf.conf
-----
LF_ALERT_TO = "EMAIL-HERE"
-----
Enable remote access for MySQL
To enable remote access from and to MySQL servers, we need to open port 3306.
Enable incoming remote MySQL access for an IP:
# nano /etc/csf/csf.allow
---
tcp:in:d=3306:s=IP-HERE
---
Enable outgoing remote MySQL access:
# nano /etc/csf/csf.allow
---
tcp:out:d=3306:s=127.0.0.0
---
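As an added example (not part of the original cheatsheet or of csf itself), the following parses csf.allow/csf.deny entries, including the advanced `proto:direction:s/d=port:s/d=ip` port-filter form used above, and reports which entries cover a given address, the way `csf -g IP` does, but offline against constructed sample file contents. It also handles the `|` separator that csf accepts for IPv6 addresses.

```python
import ipaddress

# Constructed sample contents of csf.allow and csf.deny (not from a real server):
# plain IPs, a CIDR, trailing comments as written by "csf -a IP comment", and
# advanced port filters. The '|' separator form is needed when the address is IPv6.
CSF_ALLOW = """\
192.0.2.10 # do not delete
198.51.100.0/24 # office range
tcp:in:d=3306:s=203.0.113.7 # remote MySQL client
tcp|out|d=3306|d=2001:db8::5 # MySQL replica reached over IPv6
"""
CSF_DENY = """\
203.0.113.0/24 # lfd: (sshd) Failed SSH login (constructed comment)
192.0.2.250
"""

def parse_entry(line):
    """Parse one csf.allow/csf.deny line into a dict, or None for blanks/comments.
    s=/d= means source/destination; the value decides whether it is a port or
    an address (ports do not parse as networks)."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split("|" if "|" in body else ":")
    if fields[0].lower() not in ("tcp", "udp"):
        return {"network": ipaddress.ip_network(body, strict=False), "proto": None,
                "direction": None, "port": None, "entry": body}
    rule = {"network": None, "proto": fields[0].lower(),
            "direction": fields[1].lower(), "port": None, "entry": body}
    for opt in fields[2:]:
        key, _, value = opt.partition("=")
        if key not in ("s", "d"):
            continue                       # e.g. u=UID filters carry no address
        try:
            rule["network"] = ipaddress.ip_network(value, strict=False)
        except ValueError:                 # not an address, so it is the port
            rule["port"] = value
    return rule

def grep_ip(ip, allow_text=CSF_ALLOW, deny_text=CSF_DENY):
    """Offline analogue of 'csf -g IP': every allow/deny entry covering the IP."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, text in (("csf.allow", allow_text), ("csf.deny", deny_text)):
        for line in text.splitlines():
            rule = parse_entry(line)
            if rule and rule["network"] is not None and addr in rule["network"]:
                hits.append((name, rule["entry"]))
    return hits
```

An address can appear in both files at once (here 203.0.113.7 is allowed for MySQL but inside a denied /24), which is exactly the situation `csf -g` is used to untangle.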
Prevent DoS attacks
One of the ways to use CSF to mitigate a DoS attack is CT_LIMIT, which defines the maximum number of connections allowed from a single IP address.
Limit the number of connections from an IP to 50:
# nano /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----
Specify the port numbers on which to limit connections:
# nano /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----
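To see what CT_LIMIT and CT_PORTS actually measure, here is an added example (not from the cheatsheet or from csf) that applies the two settings above to constructed `ss -tn` style output: connections are counted per remote IP, only on the CT_PORTS ports, and peers above CT_LIMIT are reported. Skipping TIME-WAIT is an assumption of this example; csf's own CT_STATES option governs which states lfd counts.

```python
# Constructed "ss -tn" style output (State Recv-Q Send-Q Local:Port Peer:Port),
# not captured from a real host: one peer opens 60 connections to port 80, one
# opens 5 to port 22, one opens 70 to port 443 (not in CT_PORTS), plus TIME-WAIT.
SS_OUTPUT = (
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + [f"ESTAB 0 0 192.0.2.5:80 203.0.113.9:{40000 + i}" for i in range(60)]
    + [f"ESTAB 0 0 192.0.2.5:22 198.51.100.3:{50000 + i}" for i in range(5)]
    + [f"ESTAB 0 0 192.0.2.5:443 203.0.113.20:{42000 + i}" for i in range(70)]
    + [f"TIME-WAIT 0 0 192.0.2.5:80 203.0.113.30:{43000 + i}" for i in range(55)]
)

def count_connections(lines, ct_ports="80,53,22", skip_states=("TIME-WAIT",)):
    """Count connections per remote IP on the CT_PORTS ports.
    An empty ct_ports counts every port, as the csf.conf comment says."""
    ports = set(ct_ports.split(",")) if ct_ports else None
    counts = {}
    for line in lines[1:]:             # skip the header row
        state, _, _, local, peer = line.split()[:5]
        if state in skip_states:
            continue
        local_port = local.rsplit(":", 1)[1]
        if ports is not None and local_port not in ports:
            continue
        ip = peer.rsplit(":", 1)[0]    # rsplit so IPv6 peers (with colons) stay whole
        counts[ip] = counts.get(ip, 0) + 1
    return counts

def over_limit(lines, ct_limit=50, ct_ports="80,53,22"):
    """Return {ip: count} for peers exceeding CT_LIMIT; CT_LIMIT = 0 disables the check."""
    if ct_limit == 0:
        return {}
    return {ip: n for ip, n in count_connections(lines, ct_ports).items() if n > ct_limit}
```

With the page's values, only 203.0.113.9 trips the limit: the 70 connections to port 443 are not counted because 443 is not in CT_PORTS, which is why CT_PORTS should list every service you want protected.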
We need your help!
Do you know a command that we haven’t included in this CSF CheatSheet?
Help us keep the VMware Config Server Firewall CheatSheet up-to-date and enrich it by sharing the CSF commands that you know with other system administrators.