Using CSF and LFD

We currently manage servers for some clients which use Config Server Firewall (csf) together with the Login Failure Daemon (lfd) to maintain security.  We’re incredibly happy with the level of security they give us, and also with the depth of information provided (we didn’t realise how many hack attempts come in from China and Russia. We knew there would be a lot, but when you get an email every time a nasty computer is caught…)

Anyway.. onto some useful commands. These all assume you are logged in to the server (we use SHH over PuTTY). In all cases, xxx.xxx.xxx.xxx should be replaced by the appropriate IP address.

How to install csf on cpanel

View http://www.mysql-apache-php.com/csf-firewall.htm. I’d only be repeating their instructions.

How to install csf from the Command Line (Ubuntu)

$ apt-get install libwww-perl
$ wget http://www.configserver.com/free/csf.tgz
$ tar -zxf csf.tgz
$ cd csf
$ ./install.sh

Finding out if an IP address is blocked

csf -g xxx.xxx.xxx.xxx

If the IP address is not blocked, you’ll see the following result;

Chain       num   pkts bytes target     prot opt in     out     source               destination
No matches found for xxx.xxx.xxx.xxx in ipchains

If the IP address is currently being blocked, you’ll see a result similar to the following;

Chain       num   pkts bytes target     prot opt in     out     source               destination
LOCALINPUT  62     497 27356 DROP       all  --  !lo    *       xxx.xxx.xxx.xxx       0.0.0.0/0
LOCALOUTPUT 62       0     0 DROP       all  --  *      !lo     0.0.0.0/0            xxx.xxx.xxx.xxx

How to Block an IP address using csf

You won’t have to do this; the csf and lfd software will handle all blocking for you. All you need to worry about is unblocking valid addresses which happen to have gotten themselves blacklisted.

How to Unblock an IP address using csf

csf -dr xxx.xxx.xxx.xxx

How to Whitelist an IP address using csf

If you continually see a valid IP address being blocked, you can consider whitelisting it. Be certain to only do this on known IP addresses, as it will prevent that IP address from being blocked again in the future (unless you remove the whitelist)

csf -a xxx.xxx.xxx.xxx

Running a -g command will confirm the whitelisting by showing you a result similar to the following;

csf -g xxx.xxx.xxx.xxx
Chain       num   pkts bytes target     prot opt in     out     source               destination
LOCALINPUT  1       10  2234 ACCEPT     all  --  !lo    *       xxx.xxx.xxx.xxx        0.0.0.0/0
LOCALOUTPUT 1       10 13097 ACCEPT     all  --  *      !lo     0.0.0.0/0            xxx.xxx.xxx.xxx

Note that the Target option is set to Allow. If it was set to Drop, this IP address would be blacklisted.

Leave a comment