Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detection.
Useful CSF SSH Command Line Commands.
Command Description Example
csf -s Start the firewall rules #csf -s
csf -f Flush/Stop firewall rules #csf -f
csf -r Restart the firewall rules #csf -r
csf -a [IP.add.re.ss] Allow an IP and add to #csf -a 187.33.3.3 Home IP Address
/etc/csf/csf.allow
csf -tr [IP.add.re.ss] Remove an IP from the #csf -tr 66.192.23.1
temporary IP ban or allow list.
csf -tf Flush all IPs from the #csf -tf
temporary IP entries
csf -d [IP.add.re.ss] Deny an IP and add to #csf -d 66.192.23.1
/etc/csf/csf.deny
csf -dr [IP.add.re.ss] Unblock an IP and remove #csf -dr 66.192.23.1
from /etc/csf/csf.deny
csf -df Remove and unblock all entries #csf -df
in /etc/csf/csf.deny
csf -g [IP.add.re.ss] Search the iptables and ip6tables #csf -g 66.192.23.1
rules for a match.
csf -t Displays the current list of temporary #csf -t
allow and deny IP entries with their
TTL and comment
Whitelisting an IP Address
In order to prevent specific IP from being blocked, even for a temporary deny, you need to list their IP address in the files csf.ignore and csf.allow. The first step is to enable IGNORE_ALLOW in csf.conf. The value for IGNORE_ALLOW will appear as “0”, you will need to adjust it to “1” and restart csf and lfd.
This will allow lfd to reference csf.ignore. If you add an IP address to csf.ignore, the IP address will no longer be checked by lfd and failed login attempts will not trigger temporary denies.
Some useful tweak settings on CSF Configuration File
IP Limit in Permanent “Deny” File
DENY_IP_LIMIT = “200”
A higher number here will obviously screen out more IP addresses in csf.deny.
IP Limit in Temporary “Deny” File
DENY_TEMP_IP_LIMIT = “100”
Similar to DENY_IP_LIMIT, the DENY_TEMP_IP_LIMIT represents the maximum number of IPs that can be stored in the temporary ban list.
SMTP Blocking
SMTP_BLOCK = “0”
When set to “1″, SMTP_BLOCK does not completely block outbound SMTP, but it does block it for most users. This will prevent malicious scripts and compromised users from making outbound connections from unauthorized mail clients on the server. SMTP_BLOCK doesn’t stop those scripts from running, but it does stop them from functioning. Mail sent through the proper channels will still be delivered normally.
Allowing SMTP on localhost
SMTP_ALLOWLOCAL = “1”
Custom Mail Port Designation
SMTP_PORTS = “25,465,587”
Allowing SMTP Access to Users/Groups
SMTP_ALLOWUSER = “”
SMTP_ALLOWGROUP = “mail,mailman”
SYN Flood Protection
SYNFLOOD = “0”
SYNFLOOD_RATE = “100/s”
SYNFLOOD_BURST = “150”
Per the documentation, you should only enable SYN flood protection (SYNFLOOD= “1″) if you are currently under a SYN flood attack.
Concurrent Connections Limit
CONNLIMIT = “22;5,80;20”
PORTFLOOD = “22;tcp;5;300,80;tcp;20;5
These options allow you to add customized DoS protection. CONNLIMIT handles the number of concurrent connections, and in this example, we’re limiting port 22 to 5 connections and port 80 to 20 connections.
Dropping v. Rejecting Packets
DROP = “DROP”
This configuration allows you to either DROP or REJECT packets. REJECT tells the sender that the packet has been blocked by the firewall. DROP just drops the packet and does not send a response. I like DROP better for regular use, but REJECT might be more helpful if you need to diagnose a connectivity issue.
Logging Dropped Connections
DROP_LOGGING = “1”
This option logs dropped connections to syslog. I don’t see any reason to turn this off unless your hard drive is getting full.
SPAMHAUSE Blocklist
LF_SPAMHAUS = “0”
This option enables the SPAMHAUS blocklist. Specify the number of seconds between refreshes. Recommended setting is 86400 (1 day).
Blocking TOR Exit IP Addresses
LF_TOR = “0”
Enabling this option will block TOR exit IP addresses. If you are not familiar with TOR, it is a completely anonymous proxy network. This could block some legitimate users who are trying to protect their anonymity, so I would recommend only turning this on if you are already under attack from a TOR exit address.
Blocking Bogon Addresses
LF_BOGON = “0”
LF_BOGON_URL = “http://www.cymru.com/Documents/bogon-bn-agg.txt”
LF_BOGON_SKIP = “”
Blocking bogon addresses (addresses that should not be possible) is usually a good decision. To enable, set the number of seconds between refreshes. I recommend enabling this option and setting the refresh at 86400 (1 day). If you do so, be sure to add your private network adapters to the skip list.
Country-Specific Access to Your Server
CC_DENY = “”
CC_ALLOW = “”
With these options, you can block or allow entire countries from accessing your server. To do so, enter the country codes in a comma separated list.
CC_ALLOW_FILTER = “”
Alternatively, you can set your server to exclusively accept traffic from a list of country codes. All other countries not listed will have their traffic dropped.
Blocking Login Failures
LF_TRIGGER = “0”
This enables blocking of login failures (per service). There are a lot of great customization options in this section.
Scanning Directories for Malicious Files
LF_DIRWATCH = “300”
This feature scans /tmp and /dev/shm for potentially malicious files and alerts you to their presence based on the interval you designate. You can also have CSF automatically quarantine malicious files with this option:
LF_DIRWATCH_DISABLE = “0”
Distributed Attack Protection
LF_DISTATTACK = “0”
By enabling this option, you activate additional protection against distributed attacks.
Blocking Based on Abusive Email Usage
LT_POP3D = “0”
LT_IMAPD = “0”
If a user checks email too many times per hour (more than the non-zero value specified), the user’s IP address is blocked.
Blocking IP Addresses Based on Number of Connections
CT_LIMIT = “0”
This feature tracks connections and blocks the IP if the number of connections is too high. Use caution because if you enable this option and set this value too low, it will block legitimate traffic.
Application-Level Protection
PT_LIMIT = “60”
This feature provides application level protection against malicious scripts that take a long time to execute.
Blocking Port Scanners
PS_INTERVAL = “300”
PS_LIMIT = “10”
——————————->