Config Server Firewall is the firewall framework that is most widely used to protect Linux servers.
CSF has a wide variety of options for controlling the Linux firewall from the control panel and from the command line. The CSF installation includes cPanel, DirectAdmin and Webmin preconfigured settings and control panel UIs.
Usage and installation of CSF is quite simple.
Working principle of Config Server Firewall
As with most iptables firewall setups, the concept with CSF is to block all and then let only those connections you want through. This is achieved by DROPPING all ties on all protocols in and out of the server in iptables. Then allow traffic from existing links in and out. Then open the ports separately for both TCP and UDP in and out.
The installation steps for CSF on the Linux server have already been addressed. Click here to install CSF on CentOS and customize it.
After you have successfully enabled CSF, you need to disable TESTING mode to function properly with CSF on your server.
[root@server #] vim /etc/csf/csf.conf Then change the value of 'TESTING' from 1 to 0
csf -e Or csf --enable
csf -x Or csf --disable
csf -r Or csf --restart
csf -s Or csf --start
csf -f Or csf --stop
csf -l Or csf --status
csf -l6 Or csf --status6
You must have some ideas about the following configuration files for using some other csf commands.
csf.conf : Configuration file for controlling CSF. csf.allow : Allowed IP’s and CIDR addresses list on the firewall. csf.deny : Denied IP’s and CIDR addresses list on the firewall. csf.ignore : Ignored IP’s and CIDR addresses list on the firewall. csf.*ignore : The list of various ignore files of users, IP’s.
csf -a ip [comment] Or csf --add ip [comment]
You can add your comments in the square bracket. See the example below:
[root@server ~]# csf -a 6x.8xx.1x2.8x [My server] Adding 6x.8xx.1x2.8x to csf.allow and iptables ACCEPT... ACCEPT all opt -- in !lo out * 6x.8xx.1x2.8x -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 6x.8xx.1x2.8x
6x.8xx.1×2.8x – is the IP address and ‘My server’ inside the square bracket is the comment. You can check the /etc/csf/csf.allow file for more details:
[root@server ~]# grep 6x.8xx.1x2.8x /etc/csf/csf.allow ------ 6x.8xx.1x2.8x # [My server] - Thu Dec 19 23:16:27 2013 ------
csf -ar Or csf --addrm ip
csf -d Or csf --deny ip [comment]
csf -dr Or csf --denyrm ip
csf -df Or csf --denyf
csf -g Or csf --grep ip
Example:
[root@server ~]# csf -g 6x.8xx.1x2.8x Chain num pkts bytes target prot opt in out source destination ALLOWIN 1 0 0 ACCEPT all -- !lo * 6x.8xx.1x2.8x 0.0.0.0/0 ALLOWOUT 1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 6x.8xx.1x2.8x
Temporary allow or deny of IP: The following csf commands are using to allow or deny an IP address temporary from our server.
csf -t Or csf --temp
csf -ta ip ttl [-p port] [-d direction] [comment] Or csf --tempallow ip ttl [-p port] [-d direction] [comment]
Where ttl is the time to live in seconds(Default value: 3600)
Example:
[root@server ~]# csf -ta 66.8x.1xx.xx ACCEPT all opt -- in !lo out * 66.8x.1xx.xx -> 0.0.0.0/0 ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 66.8x.1xx.xx csf: 66.8x.1xx.xx allowed on port * for 3600 seconds in and outbound
csf -td ip ttl [-p port] [-d direction] [comment] Or csf --tempdeny ip ttl [-p port] [-d direction] [comment]
Example:
[root@server ~]# csf -td 66.8x.1xx.xx DROP all opt -- in !lo out * 66.8x.1xx.xx -> 0.0.0.0/0 csf: 66.8x.1xx.xx blocked on port * for 3600 seconds inbound
csf -tr Or csf --temprm ip
csf -tf Or csf --tempf
csf -v Or csf --version : Show csf version csf -c Or csf --check : Check for updates to csf but do not upgrade csf -u Or csf --update : Check for updates to csf and upgrade if available csf -h Or csf --help : For help
links for further Knowledge:: #install nslookup#Migrating CPanel To DirectAdmin…
This guide will walk you through installing and configuring your VestaCP control panel on a dedicated server or virtual private… Read More
Step:1 Connect to the SolusVM Master server via SSH Step:2 Change directory to /vz/template/cache directory cd /vz/template/cache/ Step:3 Download pre-created… Read More
Apache Tomcat 9 is an open-source Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket implementation. It is currently… Read More
Outsourced web hosting support services provide small businesses with a variety of alternatives for managing their websites. Modest business owners… Read More
If you are looking for a quality web hosting provider, keep the following points in mind while Choosing a web… Read More
Guidelines for Increasing the Speed of Your Website After you've tested your website's performance, you can begin improving it. There… Read More