We currently manage servers for some clients which use Config Server Firewall (csf) together with the Login Failure Daemon (lfd) to maintain security. We’re incredibly happy with the level of security they give us, and also with the depth of information provided (we didn’t realise how many hack attempts come in from China and Russia. We knew there would be a lot, but when you get an email every time a nasty computer is caught…)
Anyway, on to some useful commands. These all assume you are logged in to the server (we use SSH over PuTTY). In all cases, xxx.xxx.xxx.xxx should be replaced by the appropriate IP address.
How to install csf on cPanel
View http://www.mysql-apache-php.com/csf-firewall.htm. I’d only be repeating their instructions.
How to install csf from the Command Line (Ubuntu)
$ apt-get install libwww-perl
$ wget http://www.configserver.com/free/csf.tgz
$ tar -zxf csf.tgz
$ cd csf
$ sh install.sh
Finding out if an IP address is blocked
csf -g xxx.xxx.xxx.xxx
If the IP address is not blocked, you’ll see the following result:
Chain num pkts bytes target prot opt in out source destination
No matches found for xxx.xxx.xxx.xxx in ipchains
If the IP address is currently being blocked, you’ll see a result similar to the following:
Chain num pkts bytes target prot opt in out source destination
LOCALINPUT 62 497 27356 DROP all -- !lo * xxx.xxx.xxx.xxx 0.0.0.0/0
LOCALOUTPUT 62 0 0 DROP all -- * !lo 0.0.0.0/0 xxx.xxx.xxx.xxx
How to Block an IP address using csf
You won’t have to do this; the csf and lfd software will handle all blocking for you. All you need to worry about is unblocking valid addresses which happen to have gotten themselves blacklisted.
How to Unblock an IP address using csf
csf -dr xxx.xxx.xxx.xxx
How to Whitelist an IP address using csf
If you continually see a valid IP address being blocked, you can consider whitelisting it. Be certain to do this only for known IP addresses, as it will prevent that IP address from being blocked again in the future (unless you remove it from the whitelist).
csf -a xxx.xxx.xxx.xxx
Running a -g command will confirm the whitelisting by showing you a result similar to the following:
csf -g xxx.xxx.xxx.xxx
Chain num pkts bytes target prot opt in out source destination
LOCALINPUT 1 10 2234 ACCEPT all -- !lo * xxx.xxx.xxx.xxx 0.0.0.0/0
LOCALOUTPUT 1 10 13097 ACCEPT all -- * !lo 0.0.0.0/0 xxx.xxx.xxx.xxx
Note that the target column is set to ACCEPT. If it were set to DROP, this IP address would be blacklisted.
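Added example (not part of the original post): a small shell helper that reads the output of csf -g and reports whether the address is blocked or whitelisted, using the target column described above. The function name csf_status and the address 203.0.113.10 are assumptions for illustration, and the sample output is constructed from the listings on this page.

```shell
#!/bin/sh
# csf_status IP : reads `csf -g IP` output on stdin and prints one of
#   blocked | allowed | mixed | none
# Hypothetical helper, not part of csf. It scans every field rather than
# fixed columns, so an extra leading column in the listing does not break it.
csf_status() {
    awk -v ip="$1" '
        {
            hit = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == ip) hit = 1            # exact match, not a regex
                if ($i == "DROP" || $i == "REJECT" || $i == "ACCEPT") target = $i
            }
            if (hit && target == "ACCEPT") accept++
            else if (hit && target != "")  drop++
        }
        END {
            if (drop && accept) print "mixed"    # conflicting rules: review by hand
            else if (drop)      print "blocked"
            else if (accept)    print "allowed"
            else                print "none"
        }'
}

# Constructed sample listings (documentation address 203.0.113.10).
sample_blocked() {
    printf '%s\n' \
        'Chain num pkts bytes target prot opt in out source destination' \
        'LOCALINPUT 62 497 27356 DROP all -- !lo * 203.0.113.10 0.0.0.0/0' \
        'LOCALOUTPUT 62 0 0 DROP all -- * !lo 0.0.0.0/0 203.0.113.10'
}
sample_allowed() {
    printf '%s\n' \
        'Chain num pkts bytes target prot opt in out source destination' \
        'LOCALINPUT 1 10 2234 ACCEPT all -- !lo * 203.0.113.10 0.0.0.0/0' \
        'LOCALOUTPUT 1 10 13097 ACCEPT all -- * !lo 0.0.0.0/0 203.0.113.10'
}
sample_none() {
    printf '%s\n' \
        'Chain num pkts bytes target prot opt in out source destination' \
        'No matches found for 203.0.113.10 in ipchains'
}

echo "blocked sample: $(sample_blocked | csf_status 203.0.113.10)"
echo "allowed sample: $(sample_allowed | csf_status 203.0.113.10)"
echo "no-match sample: $(sample_none | csf_status 203.0.113.10)"
```

On a live server the same function is fed directly: csf -g 203.0.113.10 | csf_status 203.0.113.10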