
How to whitelist and blacklist an IP using ConfigServer and Firewall (CSF) via the Command Line


Introduction

This guide shows how to whitelist or blacklist an IP on your server using CSF. First, a brief introduction to CSF.

ConfigServer and Firewall (CSF) is free firewall software that can be installed to improve the security of your server. It offers UI integration for control panels such as cPanel and DirectAdmin, but this guide focuses on the command line.

With CSF, you can perform:

  1. Restricting public access to certain services in the server
  2. Preventing DDoS attacks
  3. Whitelisting and blacklisting IPs

One of the services that comes with CSF is the Login Failure Daemon (LFD). The purpose of LFD is to watch for repeated failed login attempts, which are commonly seen in Brute Force attacks. If CSF notices multiple failed login attempts from a specific IP, it temporarily blocks that IP from accessing the server. The ban expires automatically, but you can also remove the block manually.

 

Prerequisites

  • Ensure you have root or appropriate administrative access to your server.
  • CSF must be installed and functioning correctly.
  • Familiarity with SSH and command-line interface operations is required.

 

Overview of CSF Commands

The table below lists the important CSF commands you should know:

Command                 Description
csf -e                  Enable CSF
csf -x                  Disable CSF
csf -g [IP_ADDRESS]     Search the iptables and ip6tables rules to see whether the IP is allowed or blocked
csf -a [IP_ADDRESS]     Whitelist an IP and add it to /etc/csf/csf.allow
csf -d [IP_ADDRESS]     Blacklist an IP and add it to /etc/csf/csf.deny
csf -tr [IP_ADDRESS]    Remove an IP from /etc/csf/csf.allow or temporary IP ban
csf -dr [IP_ADDRESS]    Unblock an IP and remove it from /etc/csf/csf.deny

 

Now that you have an idea of what CSF is and the commands you can run, let’s begin!

 

Instructions

First, log in to your server via SSH.

Checking if the IP address is being blocked


  • Run the command below:
csf -g [IP_ADDRESS]
  • You would see the result below if an IP is not being blocked:
[root@ips1 ~]# csf -g 192.8.213.5
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 192.8.213.5 in iptables

ip6tables:

Table Chain num pkts bytes target prot opt in out source destination
No matches found for 192.8.213.5 in ip6tables
  • You would see the result below if an IP is being blocked:
[root@ips1 ~]# csf -g [IP_ADDRESS]
Table Chain num pkts bytes target prot opt in out source destination
filter DENYIN 3 0 0 DROP all -- !lo * [IP_ADDRESS] 0.0.0.0/0
filter DENYOUT 3 9 1224 LOGDROPOUT all -- * !lo 0.0.0.0/0 [IP_ADDRESS]

ip6tables:

Table Chain num pkts bytes target prot opt in out source destination
No matches found for [IP_ADDRESS] in ip6tables

csf.deny: [IP_ADDRESS] # lfd: (sshd) Failed SSH login from [IP_ADDRESS] (MY/Malaysia/-): 5 in the last 3600 secs - Thu Dec 22 04:43:38 2022

Whitelisting an IP


  • In order to whitelist an IP, you just need to run the command below:
csf -a [IP_ADDRESS]
  • You will see the result below once you run it:
[root@ips1 ~]# csf -a [IP_ADDRESS] 
Removing [IP_ADDRESS] from csf.deny... 
Removing rule... 
DROP all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0 
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS] 
Adding [IP_ADDRESS] to csf.allow and iptables ACCEPT... 
ACCEPT all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0 
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS]
WARNING: We do not recommend whitelisting an IP, because if actual Brute Force attempts occur from that IP, CSF will ignore them. You can run the command below to remove it from the whitelist:

 csf -ar [IP_ADDRESS]
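
As an added example (not part of the original guide), the script below reads `csf -g` output and flags an IP whose block was recorded by lfd, so the failed logins can be reviewed before `csf -a` is run. The sample output and the address 192.0.2.10 are constructed, and the ACCEPT row layout is assumed to match the DROP rows shown earlier.

```bash
#!/usr/bin/env bash
# Added example: read `csf -g <ip>` output on stdin and decide whether the
# IP should be reviewed before it is whitelisted with `csf -a`.

# Print "blocked", "allowed" or "clear".
# Row layout as shown on the page: Table Chain num pkts bytes target ...
csf_status() {
    awk '
        $1 == "filter" && $6 ~ /^(DROP|LOGDROPOUT)$/ { deny = 1 }
        $1 == "filter" && $6 == "ACCEPT"             { allow = 1 }  # assumed layout
        /^csf\.deny:/                                { deny = 1 }
        END {
            if (deny)       print "blocked"
            else if (allow) print "allowed"
            else            print "clear"
        }'
}

# Print the comment stored with the csf.deny entry (the text after "#").
csf_block_reason() {
    sed -n 's/^csf\.deny:[^#]*# *//p'
}

# Succeed when the csf.deny comment shows the block was placed by lfd.
lfd_blocked() {
    csf_block_reason | grep -q '^lfd:'
}

# Constructed sample output; 192.0.2.10 is a documentation address.
SAMPLE_BLOCKED='Table Chain num pkts bytes target prot opt in out source destination
filter DENYIN 3 0 0 DROP all -- !lo * 192.0.2.10 0.0.0.0/0
filter DENYOUT 3 9 1224 LOGDROPOUT all -- * !lo 0.0.0.0/0 192.0.2.10

csf.deny: 192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 (MY/Malaysia/-): 5 in the last 3600 secs - Thu Dec 22 04:43:38 2022'

SAMPLE_CLEAR='Table Chain num pkts bytes target prot opt in out source destination
No matches found for 192.0.2.10 in iptables'

# On a real server use: out=$(csf -g "$ip")
out=$SAMPLE_BLOCKED
if printf '%s\n' "$out" | lfd_blocked; then
    echo "status: $(printf '%s\n' "$out" | csf_status)"
    echo "reason: $(printf '%s\n' "$out" | csf_block_reason)"
    echo "lfd placed this block; review the failed logins before running csf -a"
fi
```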

Blacklisting an IP


  • In order to blacklist an IP, you just need to run the command below:
csf -d [IP_ADDRESS]
  • You will see the result below once you run it:
[root@ips1 ~]# csf -d [IP_ADDRESS] 
Adding [IP_ADDRESS] to csf.deny and iptables DROP... 
DROP all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0 
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS]

 

Conclusion

In this guide, the steps to whitelist and blacklist an IP using ConfigServer and Firewall (CSF) were outlined, covering the commands necessary to check, allow, or deny specific IP addresses on your server. Properly managing these settings helps to secure your server by controlling access and preventing unauthorized activities like Brute Force attacks. Remember to use the whitelisting and blacklisting features with caution to avoid potential security risks.

For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com.