This is a quick and dirty cheatsheet that covers some useful ConfigServer Firewall (CSF) command line commands and configuration files.

  • csf.conf  – main configuration file for CSF
  • csf.allow  – allowed IPs and CIDR addresses list on the firewall
  • csf.deny  – denied IPs and CIDR addresses list on the firewall
  • csf.ignore  – ignored IPs and CIDR addresses list on the firewall
  • csf.*ignore  – ignore files for users, IPs, processes and so on (listed below)
  • List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.
    /etc/csf/csf.redirect
    
  • List of Reseller accounts that you want to allow access to limited csf functionality.
    /etc/csf/csf.resellers
    
  • List of directories and files that you want to be alerted when they change.
    /etc/csf/csf.dirwatch
    
  • List of log files for the UI System Log Watch and Search features.
    /etc/csf/csf.syslogs
    
  • List of log files for the LOGSCANNER feature.
    /etc/csf/csf.logfiles
    
  • List of regular expressions for the LOGSCANNER feature.
    /etc/csf/csf.logignore
    
  • This file contains the definitions of IP BLOCK lists.
    /etc/csf/csf.blocklists
    
  • List of executables (exe) command lines (cmd) and usernames (user) that lfd process tracking will ignore.
    /etc/csf/csf.pignore
    
  • List of domains and partial domains that lfd process tracking will ignore based on reverse and forward DNS lookups.
    /etc/csf/csf.rignore
    
  • List of files that lfd directory watching will ignore.
    /etc/csf/csf.fignore
    
  • List of files that LF_SCRIPT_ALERT will ignore.
    /etc/csf/csf.signore
    
  • List of usernames that are ignored by the LF_EXPLOIT checks.
    /etc/csf/csf.suignore
    
  • List of user IDs (UID) that are ignored by the User ID Tracking feature.
    /etc/csf/csf.uidignore
    
  • List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.
    /etc/csf/csf.mignore
    
  • This file is to list any server configured IP addresses for which you don’t want to allow any incoming or outgoing traffic.
    /etc/csf/csf.sips
    
  • The following FQDNs will be allowed through the firewall. This is controlled by lfd, which checks the DNS resolution of each FQDN and adds the resulting IP address to the ALLOWDYNIN and ALLOWDYNOUT iptables chains.
    /etc/csf/csf.dyndns
    
  • This file contains the usernames which should be allowed to log via syslog/rsyslog.
    /etc/csf/csf.syslogusers
    
  • The following IP addresses will allow EXIM to advertise SMTP AUTH.
    /etc/csf/csf.smtpauth
    
  • This file configures optional entries for the IP checking against RBLs within csf.
    /etc/csf/csf.rblconf
    
Show CSF version
csf -v 
csf --version 
Check for updates but do not upgrade
csf -c 
csf --check 
Check for updates and upgrade if available
csf -u 
csf --update 
Help
csf -h 
csf --help 
Enable CSF and LFD
csf -e 
csf --enable 
Disable CSF and LFD
csf -x 
csf --disable 
Restart firewall rules
csf -r 
csf --restart 
Start firewall rules
csf -s 
csf --start 
Stop (flush) firewall rules
csf -f 
csf --stop 
Check if IP is in any configuration file (deny, allow, temp block, etc.)
csf -g IP 
csf --grep IP 
grep IP /var/log/lfd.log 
Allow an IP (add it to /etc/csf/csf.allow)
csf -a IP 
csf --add IP [comment] 
Remove an IP from allow list (/etc/csf/csf.allow)
csf -ar IP 
csf --addrm IP 
Deny an IP (add it to /etc/csf/csf.deny)
csf -d IP 
csf --deny IP [comment] 
Unblock an IP (remove it from /etc/csf/csf.deny)
csf -dr IP 
csf --denyrm IP 
Add an IP to the temporary IP allow list
csf -ta IP ttl [-p port] [-d direction] [comment] 
csf --tempallow IP ttl [-p port] [-d direction] [comment] 
Add an IP to the temporary IP ban list
csf -td IP ttl [-p port] [-d direction] [comment] 
csf --tempdeny IP ttl [-p port] [-d direction] [comment] 
Remove an IP from the temporary IP ban list
csf -tr IP 
csf --temprm IP 
List all temporary allow and deny IP entries with their TTL and comment
csf -t 
csf --temp 
Flush all IPs from the temporary allow / ban lists
csf -tf 
csf --tempf 
List the IPv4 iptables configuration
csf -l 
csf --status 
List the IPv6 iptables configuration
csf -l6 
csf --status6 
To allow/block access from countries, add the two-letter country codes (comma-separated) to the CSF configuration file (/etc/csf/csf.conf)
to allow access from a country:
CC_ALLOW = "" 
to block access from a country:
CC_DENY = "" 
Supported country codes:
AF,AL,DZ,AS,AD,AO,AI,AQ,AG,AR,AM,AW,AU,AT,AZ,BS,BH,BD,BB,BY,BE,BZ,BJ,BM,BT,BO,BA,BW,BV,BR,IO,BN,BG,BF,BI,KH,CM,CA,CV,KY,CF,TD,CL,CN,CX,CC,CO,KM,CG,CD,CK,CR,CI,HR,CU,CY,CZ,DK,DJ,DM,DO,TP,EC,EG,SV,GQ,ER,EE,ET,FK,FO,FJ,FI,FR,FX,GF,PF,TF,GA,GM,GE,DE,GH,GI,GR,GL,GD,GP,GU,GT,GN,GW,GY,HT,HM,VA,HN,HK,HU,IS,IN,ID,IR,IQ,IE,IL,IT,JM,JP,JO,KZ,KE,KI,KP,KR,KW,KG,LA,LV,LB,LS,LR,LY,LI,LT,LU,MO,MK,MG,MW,MY,MV,ML,MT,MH,MQ,MR,MU,YT,MX,FM,MD,MC,MN,MS,MA,MZ,MM,NA,NR,NP,NL,AN,NC,NZ,NI,NE,NG,NU,NF,MP,NO,OM,PK,PW,PA,PG,PY,PE,PH,PN,PL,PT,PR,QA,RE,RO,RU,RW,KN,LC,VC,WS,SM,ST,SA,SN,SC,SL,SG,SK,SI,SB,SO,ZA,GS,ES,LK,SH,PM,SD,SR,SJ,SZ,SE,CH,SY,TW,TJ,TZ,TH,TG,TK,TO,TT,TN,TR,TM,TC,TV,UG,UA,AE,GB,US,UM,UY,UZ,VU,VE,VN,VG,VI,WF,EH,YE,ZM,ZW 
Open the CSF configuration file (/etc/csf/csf.conf) and set ‘PT_USERMEM’ to 0
# nano /etc/csf/csf.conf
-----
# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"
----- 
There is an option in the CSF configuration file to set the email address that alerts are sent to
# nano /etc/csf/csf.conf
LF_ALERT_TO = "<alert-email-address>"
----- 
To enable remote access from and to MySQL servers, we need to allow port 3306 in /etc/csf/csf.allow using the advanced syntax proto:direction:d=port:s=ip (s= is the remote source for incoming, d= the remote destination for outgoing)
Enable incoming remote MySQL access for an IP
# nano /etc/csf/csf.allow
---
tcp:in:d=3306:s=IP-HERE 
--- 
Enable outgoing remote MySQL access to an IP
# nano /etc/csf/csf.allow
---
tcp:out:d=3306:d=IP-HERE
--- 
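A small validator for the csf.allow / csf.deny entry syntax shown above, added here as an example (not part of CSF itself): it parses proto:direction:d=port:s=ip entries and bare IP/CIDR lines, and rejects the typo-prone '=' in place of ':' before s=. The sample file contents are constructed.

```python
import ipaddress
import re

# Advanced entry: proto:direction:d=port:s=ip (or d=ip for outbound). This
# example covers single ports only; it is an illustration, not CSF's parser.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp):(?P<dir>in|out):d=(?P<port>\d+)"
    r":(?P<ipkey>[sd])=(?P<ip>[^\s#]+)$"
)


def parse_entry(line):
    """Parse one csf.allow/csf.deny line; raise ValueError if malformed."""
    body = line.split("#", 1)[0].strip()  # drop trailing comment
    m = ENTRY_RE.match(body)
    if m is None:
        # Not an advanced entry: a bare IP or CIDR is also valid.
        try:
            net = ipaddress.ip_network(body, strict=False)
        except ValueError:
            raise ValueError(f"malformed entry: {line!r}") from None
        return {"proto": None, "direction": None, "ports": [],
                "ipkey": None, "network": net}
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    return {"proto": m.group("proto"), "direction": m.group("dir"),
            "ports": [port], "ipkey": m.group("ipkey"),
            "network": ipaddress.ip_network(m.group("ip"), strict=False)}


def validate(text):
    """Return (line_no, message) for every bad non-blank, non-comment line."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            parse_entry(raw)
        except ValueError as exc:
            problems.append((no, str(exc)))
    return problems


# Constructed sample csf.allow; the last line carries the '=' typo.
SAMPLE_ALLOW = """\
# constructed sample
203.0.113.10                      # bare IP
tcp:in:d=3306:s=203.0.113.20      # inbound MySQL from one host
tcp:out:d=3306:d=198.51.100.0/24  # outbound MySQL to a subnet
tcp:in:d=3306=203.0.113.30        # typo: '=' instead of ':' before s=
"""
```

Running validate(SAMPLE_ALLOW) reports only line 5, which csf would otherwise silently mis-handle.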
One of the ways to use CSF to mitigate a DoS attack is to use CT_LIMIT to define the maximum number of connections allowed from a single IP address; an IP exceeding it is temporarily blocked
Limit the number of connections from an IP to 50
# nano /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
---- 
Specify the port numbers on which to limit connections
# nano /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
---- 
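To see what the CT_LIMIT / CT_PORTS settings above actually count, here is an added example (not CSF's own code, which runs inside lfd) that applies the same rule to constructed `ss -tn`-style output: connections are counted per peer IP on the listed local ports, and IPs over the limit are returned.

```python
from collections import Counter

CT_LIMIT = 50
CT_PORTS = {80, 53, 22}  # empty set == count every port, as in csf.conf


def over_limit(ss_output, limit=CT_LIMIT, ports=CT_PORTS):
    """Return {peer_ip: count} for peers with more than `limit` connections."""
    per_ip = Counter()
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "State":  # skip header / blank lines
            continue
        local, peer = f[3], f[4]
        lport = int(local.rsplit(":", 1)[1])        # local port
        pip = peer.rsplit(":", 1)[0].strip("[]")    # peer IP (IPv6 in [])
        if ports and lport not in ports:
            continue  # CT_PORTS restricts which local ports are counted
        per_ip[pip] += 1
    return {ip: n for ip, n in per_ip.items() if n > limit}


def make_sample():
    """Constructed ss -tn output: one noisy web client, one busy MySQL client."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(60):  # 60 connections to port 80 from one IP
        rows.append(f"ESTAB 0 0 10.0.0.5:80 203.0.113.7:{40000 + i}")
    for i in range(60):  # 60 connections to port 3306, not in CT_PORTS
        rows.append(f"ESTAB 0 0 10.0.0.5:3306 198.51.100.9:{50000 + i}")
    rows.append("ESTAB 0 0 10.0.0.5:22 192.0.2.4:60001")
    return "\n".join(rows)


if __name__ == "__main__":
    print(over_limit(make_sample()))
```

With CT_PORTS set as on this page only 203.0.113.7 is flagged; with CT_PORTS empty the MySQL client is flagged too.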