Manage CSF from the Command Line

By on December 15th, 2015

This guide lists the common CSF commands and shows how to use each of them from the command line.

 

1) List all available options of csf.

csf -h

root@localhost [~]# csf -h

csf: v8.08 (cPanel)

csf(1)                                                                                                   csf(1)

NAME

csf - ConfigServer & Security Firewall

SYNOPSIS

csf [OPTIONS]

DESCRIPTION

This manual documents the csf command line options for the ConfigServer

& Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt for

more detailed information on how to use and configure this application.

OPTIONS

-h,  --help

Show this message

-l,  --status

List/Show the IPv4 iptables configuration

-l6, --status6

List/Show the IPv6 ip6tables configuration

 

2) Start, Stop, Restart csf.

csf -s : Start csf

csf -f : Stop csf

csf -r : Restart csf

root@localhost [~]# csf -f

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

root@localhost [~]# csf -s

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

root@localhost [~]# csf -r

Flushing chain `INPUT'

Flushing chain `FORWARD'

Flushing chain `OUTPUT'

 

3) Add an IP address to the csf.allow list (whitelist an IP).

csf -a

root@localhost [~]# csf -a 123.45.67.98

Adding 123.45.67.98 to csf.allow and iptables ACCEPT...

ACCEPT  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

4) Remove an IP address from the csf.allow list.

csf -ar

root@localhost [~]# csf -ar 123.45.67.98

Removing rule...

ACCEPT  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

5) Block an IP address and add the rule to the csf.deny file (blacklist an IP).

csf -d

root@localhost [~]# csf -d 123.45.67.98

Adding 123.45.67.98 to csf.deny and iptables DROP...

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#
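
A permanent block is easy to aim at the wrong address, so it is worth checking the target before running csf -d. The script below is an added example, not part of csf or of the original article: the function names valid_ipv4 and plan_deny, the dry-run design, and the sample allow file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before a permanent block with `csf -d`.
# Function names and the dry-run design are hypothetical, not part of csf.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = IP to block, $2 = your own source IP, $3 = path to csf.allow.
# Prints the command to run and returns 0, or prints a reason and returns >0.
plan_deny() {
    ip=$1; self=$2; allow_file=$3
    valid_ipv4 "$ip" || { echo "refuse: '$ip' is not an IPv4 address"; return 2; }
    if [ "$ip" = "$self" ]; then
        echo "refuse: $ip is your own session; blocking it locks you out"
        return 3
    fi
    # First field of each csf.allow line is the address; the rest is a comment.
    if [ -r "$allow_file" ] &&
       awk -v ip="$ip" '$1 == ip { hit = 1 } END { exit !hit }' "$allow_file"; then
        echo "refuse: $ip is in csf.allow; remove it first with csf -ar $ip"
        return 4
    fi
    echo "csf -d $ip"
}

# Constructed sample standing in for /etc/csf/csf.allow.
ALLOW_SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample' '198.72.44.68 # Manually allowed' > "$ALLOW_SAMPLE"

# SSH_CLIENT is set by OpenSSH; its first field is the client address.
plan_deny 123.45.67.98 "${SSH_CLIENT%% *}" "$ALLOW_SAMPLE"
plan_deny 198.72.44.68 "${SSH_CLIENT%% *}" "$ALLOW_SAMPLE" || true  # expected refusal
```

The script only prints the command it would run; on a real server, pass /etc/csf/csf.allow as the third argument.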

 

6) Unblock an IP address.

csf -dr

root@localhost [~]# csf -dr 123.45.67.98

Removing rule...

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

root@localhost [~]#

 

7) Unblock all IP addresses listed in the csf.deny file.

csf -df

root@localhost [~]# csf -df

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 123.45.67.98

DROP  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: all entries removed from csf.deny

root@localhost [~]#

 

8) Search the iptables rules for a match.

csf -g

root@localhost [~]# csf -g 123.45.67.98

Chain            num   pkts bytes target     prot opt in     out     source               destination

DENYIN           1        0     0 DROP       all  --  !lo    *       123.45.67.98         0.0.0.0/0

DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            123.45.67.98

ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination

No matches found for 123.45.67.98 in ip6tables

csf.deny: 123.45.67.98 # Manually denied: 123.45.67.98 (Unknown) - Tue Dec 15 02:35:56 2015

root@localhost [~]#

 

9) Display the temporary allow and deny list.

csf -t

root@localhost [~]# csf -t

 

A/D   IP address                               Port   Dir   Time To Live     Comment

DENY  123.45.67.98                               *    in    59m 39s          Manually added: 123.45.67.98 (Unknown)

ALLOW 198.72.44.68                               *    inout 59m 1s           Manually added: 198.72.44.68 (Unknown)

root@localhost [~]#
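
The csf -t listing is meant to be read by eye; the following added example (not from the original article or the csf project) parses that layout into one record per entry, with the Time To Live converted to seconds, so temporary allows and entries close to expiry can be reviewed in a script. The function names are hypothetical, the sample is the output shown above, and support for d and h units in the TTL column is an assumption, since the page only shows minutes and seconds.

```shell
#!/bin/sh
# Added example: turn `csf -t` output into "action ip port dir ttl_seconds".
# Function names are hypothetical; d/h TTL units are an assumption.

parse_csf_temp() {
    awk '
    $1 == "DENY" || $1 == "ALLOW" {
        ttl = 0
        # TTL tokens (e.g. 59m 39s) start at field 5 and end where the comment begins
        for (i = 5; i <= NF; i++) {
            if ($i !~ /^[0-9]+[dhms]$/) break
            n = substr($i, 1, length($i) - 1) + 0
            u = substr($i, length($i))
            if (u == "d")      ttl += n * 86400
            else if (u == "h") ttl += n * 3600
            else if (u == "m") ttl += n * 60
            else               ttl += n
        }
        print $1, $2, $3, $4, ttl
    }'
}

# Temporary ALLOW entries: these ACCEPT traffic until they expire, so review them.
temp_allows() {
    parse_csf_temp | awk '$1 == "ALLOW" { print $2, $5 }'
}

# Entries that expire within $1 seconds (a block about to lapse, for example).
expiring_within() {
    parse_csf_temp | awk -v max="$1" '$5 + 0 <= max + 0 { print $1, $2, $5 }'
}

# Sample copied from the `csf -t` output shown above.
SAMPLE='A/D   IP address                               Port   Dir   Time To Live     Comment
DENY  123.45.67.98                               *    in    59m 39s          Manually added: 123.45.67.98 (Unknown)
ALLOW 198.72.44.68                               *    inout 59m 1s           Manually added: 198.72.44.68 (Unknown)'

printf '%s\n' "$SAMPLE" | parse_csf_temp
```

On a live server the same functions can read the real listing, for example csf -t | temp_allows.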

 

10) Remove an IP address from the temporary list.

csf -tr

root@localhost [~]# csf -tr 123.45.67.98

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

csf: 123.45.67.98 temporary block removed

csf: 123.45.67.98 not found in temporary allows

root@localhost [~]#

 

 

11) Add an IP address to the temporary deny list.

csf -td

root@localhost [~]# csf -td 123.45.67.98

DROP  all opt -- in !lo out *  123.45.67.98  -> 0.0.0.0/0

csf: 123.45.67.98 blocked on port * for 3600 seconds inbound

root@localhost [~]#

 

12) Add an IP address to the temporary allow list.

csf -ta

root@localhost [~]# csf -ta 198.72.44.68

ACCEPT  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: 198.72.44.68 allowed on port * for 3600 seconds in and outbound

root@localhost [~]#

 

13) Flush all IP addresses from the temporary list.

csf -tf

root@localhost [~]# csf -tf

csf: There are no temporary IP bans

ACCEPT  all opt -- in !lo out *  198.72.44.68  -> 0.0.0.0/0

ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 198.72.44.68

csf: 198.72.44.68 temporary allow removed

root@localhost [~]#

14) Update csf.

csf -u

root@localhost [~]# csf -u

csf is already at the latest version: v8.08

root@localhost [~]#

 

15) Disable csf.

csf -x

root@localhost [~]# csf -x

Waiting for "tailwatchd" to restart .........waiting for "tailwatchd" to initialize ......

...finished........

csf and lfd have been disabled

root@localhost [~]#

 

16) Enable csf.

csf -e

root@localhost [~]# csf -e

csf: FASTSTART loading DROP no logging (IPv4)

csf: FASTSTART loading DROP no logging (IPv6) .......

csf and lfd have been enabled

root@localhost [~]#

 

 

17) Show the csf version.

csf -v

root@localhost [~]# csf -v

csf: v8.08 (cPanel)

root@localhost [~]#

 

That is how to manage CSF from the command line.

 

If you need any further help please reach our support department.

 

 
