Manage CSF from Command line

This guide lists the common CSF commands and shows how to use each one from the command line.

 

1) List all available options of csf.

csf -h

root@localhost [~]# csf -h

csf: v8.08 (cPanel)

csf(1)                                                                                                   csf(1)

NAME

csf - ConfigServer & Security Firewall

SYNOPSIS

csf [OPTIONS]

DESCRIPTION

This manual documents the csf command line options for the ConfigServer

& Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt for

more detailed information on how to use and configure this application.

OPTIONS

-h,  --help

Show this message

-l,  --status

List/Show the IPv4 iptables configuration

-l6, --status6

List/Show the IPv6 ip6tables configuration

 

2) Start, Stop, Restart csf.

csf -s : Start csf

csf -f : Stop csf

csf -r : Restart csf

root@localhost [~]# csf -f

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

 

root@localhost [~]# csf -s

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

 

root@localhost [~]# csf -r

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

 

3) Add an IP address to the csf.allow list (whitelist an IP).

csf -a <IP address>

root@localhost [~]# csf -a 123.45.67.98

Adding 123.45.67.98 to csf.allow and iptables ACCEPT...

ACCEPT  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

4) Remove an IP address from the csf.allow list.

csf -ar <IP address>

root@localhost [~]# csf -ar 123.45.67.98

Removing rule...

ACCEPT  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

5) Block an IP address and add the rule to the csf.deny file (blacklist an IP).

csf -d <IP address>

root@localhost [~]# csf -d 123.45.67.98

Adding 123.45.67.98 to csf.deny and iptables DROP...

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#
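
Added example (not part of the original guide or of csf itself): a small guard around csf -d that rejects malformed input and refuses to deny the address your own SSH session comes from. The names is_ipv4, safe_deny and CSF_CMD are hypothetical, and the check is deliberately narrowed to single IPv4 addresses.

```shell
# Added example: validate an address and avoid self-lockout before `csf -d`.
# CSF_CMD is a hypothetical override so the wrapper can be dry-run; it
# assumes csf is on PATH when left unset.
CSF_CMD="${CSF_CMD:-csf}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split on dots into $1..$n
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# safe_deny ADDR
#   returns 2 if ADDR is not a single IPv4 address,
#   returns 3 if ADDR is the client address of the current SSH session,
#   otherwise runs `csf -d ADDR` and returns its status.
safe_deny() {
  is_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 2; }
  me=${SSH_CONNECTION%% *}   # sshd sets this to "client_ip client_port server_ip server_port"
  if [ -n "$me" ] && [ "$1" = "$me" ]; then
    echo "refusing: $1 is your own SSH client address" >&2
    return 3
  fi
  $CSF_CMD -d "$1"
}

# Usage on a live host:  safe_deny 123.45.67.98
```
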

 

6) Unblock an IP address.

csf -dr <IP address>

root@localhost [~]# csf -dr 123.45.67.98

Removing rule...

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

7) Unblock all IP addresses listed in the csf.deny file.

csf -df

root@localhost [~]# csf -df

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

DROP  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: all entries removed from csf.deny

root@localhost [~]#

 

8) Search the iptables rules for a match.

csf -g <IP address>

root@localhost [~]# csf -g 123.45.67.98

Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           1        0     0 DROP       all  --  !lo    *       123.45.67.98         0.0.0.0/0

DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            123.45.67.98

ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination

No matches found for 123.45.67.98 in ip6tables


csf.deny: 123.45.67.98 # Manually denied: 123.45.67.98 (Unknown) - Tue Dec 15 02:35:56 2015

root@localhost [~]#

 

9) Display the temporary allow and deny lists.

csf -t

root@localhost [~]# csf -t

 

A/D   IP address                               Port   Dir   Time To Live     Comment

DENY  123.45.67.98                               *    in    59m 39s          Manually added: 123.45.67.98 (Unknown)

ALLOW 198.72.44.68                               *    inout 59m 1s           Manually added: 198.72.44.68 (Unknown)

root@localhost [~]#
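
Added example (not part of the original guide or of csf itself): a parser for the csf -t listing shown above that turns each entry into "ACTION IP PORT DIR SECONDS", so temporary allows and soon-to-expire entries can be reviewed from a script. The function names are hypothetical, the sample is copied from the listing above, and TTL units other than the m and s seen there (h, d) are an assumption.

```shell
# Added example: summarise `csf -t` output in the format shown on this page.

# Constructed sample, copied from the listing above.
sample_csf_t() {
cat <<'EOF'
A/D   IP address                               Port   Dir   Time To Live     Comment
DENY  123.45.67.98                               *    in    59m 39s          Manually added: 123.45.67.98 (Unknown)
ALLOW 198.72.44.68                               *    inout 59m 1s           Manually added: 198.72.44.68 (Unknown)
EOF
}

# parse_temp_list: read `csf -t` output on stdin and print one line per
# entry as "ACTION IP PORT DIR SECONDS". The header and any other text
# are skipped because only rows starting with ALLOW or DENY are matched.
parse_temp_list() {
  awk '
    $1 == "ALLOW" || $1 == "DENY" {
      secs = 0
      # TTL tokens start at field 5 and look like 59m, 39s (h and d assumed).
      for (i = 5; i <= NF && $i ~ /^[0-9]+[dhms]$/; i++) {
        n = $i + 0                       # numeric prefix of the token
        u = substr($i, length($i))       # unit letter
        if (u == "d")      secs += n * 86400
        else if (u == "h") secs += n * 3600
        else if (u == "m") secs += n * 60
        else               secs += n
      }
      print $1, $2, $3, $4, secs
    }'
}

# temp_allows: print "IP SECONDS" for every temporary ALLOW entry.
temp_allows() { parse_temp_list | awk '$1 == "ALLOW" { print $2, $5 }'; }

# expiring_within SECONDS: entries whose remaining TTL is at most SECONDS.
expiring_within() { parse_temp_list | awk -v t="$1" '$5 <= t'; }

# Demo on the constructed sample; on a live host use: csf -t | temp_allows
sample_csf_t | parse_temp_list
```
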

 

10) Remove an IP address from the temporary list.

csf -tr <IP address>

root@localhost [~]# csf -tr 123.45.67.98

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

csf: 123.45.67.98 temporary block removed

csf: 123.45.67.98 not found in temporary allows

root@localhost [~]#

 

 

11) Add an IP address to the temporary deny list.

csf -td <IP address>

root@localhost [~]# csf -td 123.45.67.98

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

csf: 123.45.67.98 blocked on port * for 3600 seconds inbound

root@localhost [~]#

 

12) Add an IP address to the temporary allow list.

csf -ta <IP address>

root@localhost [~]# csf -ta 198.72.44.68

ACCEPT  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: 198.72.44.68 allowed on port * for 3600 seconds in and outbound

root@localhost [~]#

 

13) Flush all IP addresses from the temporary list.

csf -tf

root@localhost [~]# csf -tf

csf: There are no temporary IP bans

ACCEPT  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: 198.72.44.68 temporary allow removed

root@localhost [~]#

14) Update csf.

csf -u

root@localhost [~]# csf -u

csf is already at the latest version: v8.08

root@localhost [~]#

 

15) Disable csf.

csf -x

root@localhost [~]# csf -x

Waiting for "tailwatchd" to restart .........waiting for "tailwatchd" to initialize ......

...finished........

csf and lfd have been disabled

root@localhost [~]#

 

16) Enable csf.

csf -e

root@localhost [~]# csf -e

csf: FASTSTART loading DROP no logging (IPv4)

csf: FASTSTART loading DROP no logging (IPv6) .......

csf and lfd have been enabled

root@localhost [~]#

 

 

17) Show the csf version.

csf -v

root@localhost [~]# csf -v

csf: v8.08 (cPanel)

root@localhost [~]#

 

That is how we can manage CSF from the command line.

 
