If you're fairly new at using CSF (Config Server Firewall) or even if you are not, its useful to have all the commands at hand to use should you need to make any changes.
In this guide we'll show you how to install CSF if you haven't done so already, basic configuration and the commands used within SSH. CentOS 7 can also be used.
Download SSH client
If you're a complete beginner you'll be thinking, what is SSH and how do I access it? SSH is easy to access and requires you to have a programme such as Putty that allows you to connect.
To connect via SSH you'll need the following:
If you haven't got CSF but would like to install it to make your server more secure, just type in the following:
If you are starting with a clean operating system install, you will need to install wget, which will fetch the required files.
yum -y install wget
After wget has been installed go to the /usr/src directory, this is where CSF (Config File Server) will be installed.
Next, we will use the wget command to fetch the software so we can install it.
We will then use the
tar command to extract the tar.gz file.
tar -xzf csf.tgzcd csfsh install.sh
You should then have a message once its completed that Config File Server has successfully installed.
Lets test to see if it is working properly, if you've not installed PERL you'll need to do this to check its working properly.
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
Now copy the text to see if it is fully working.
You should have an output which looks something like this:Testing ip_tables/iptable_filter...OK
CSF is now installed.
Now that you've installed Config File Server by default its disabled so we'll need to enable this, lets go to the CSF directory.
You can now view all the files within the directory using the
We are going to edit the csf.conf file using vim or nano, you can also install one of these text editors using any of the commands:
yum install nano or
yum install vim
Once installed type nano or vim followed by csf.conf
This is the main file to make any changes to the firewall, to enable the firewall change TESTING from 1 to 0.
Once you've completed setting the firewall rules, save and exit then restart CSF to implement the new rules.
We would also recommend adding your IP to csf.ignore and csf.allow so it doesn't get blocked.
CSF commands cheat sheet
|csf -e||Enable CSF||root@server[~]#csf -e|
|csf -x||Disable CSF||root@server[~]#csf -x|
|csf -s||Start firewall rules||root@server[~]#csf -s|
|csf -f||Flush & Stop firewall rules||root@server[~]#csf -f|
|csf -r||Restart the firewall rules||root@server[~]#csf -r|
|csf -a [IP] [Optional comment]||Allow an ip, adds to /etc/csf/allow||root@server[~]#csf -a 123.456.78.9 Business IP address|
|csf -td [IP] [Optional comment]||Puts IP on a temporary deny list in /var/lib/csf/csf.tempban||root@server[~]#csf -td 123.456.78.9 Strange traffic patterns|
|csf -tr [IP]||Removes the IP from the temporary IP ban or allow list||root@server[~]#csf -tr 123.456.78.9|
|csf -tf [IP]||Flush all IPs from the temporary IP entries||root@server[~]#csf -tf 123.456.78.9|
|csf -d [IP] [Optional comment]||Deny an IP and add to /etc/csf/csf.deny||root@server[~]#csf -tf 123.456.78.9 Brute force attacker|
|csf -dr [IP]||Unblock an IP and removes from /etc/csf/csf.deny||root@server[~]#csf -tf 123.456.78.9|
|csf -df [IP]||Removes and unblocks all entries in /etc/csf/csf.deny||root@server[~]#csf -df|
|csf -g [IP]||Searches the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)||root@server[~]#csf -g 18.104.22.168|
|csf -t||Displays the current list of temporary allow and deny IP entries with their TTL and comments||root@server[~]#csf -t|