CSF

Basic CSF commands

Enable CSF
```
csf -e
```
Disable CSF
```
csf -x
```
Start CSF
```
csf -s
```
Flush/Stop CSF
```
csf -f
```
Reload CSF
```
csf -r
```
Allow an IP and add it to csf.allow – /etc/csf/csf.allow
```
csf -a 162.162.1.219
```
Remove and delete an IP from csf.allow – /etc/csf/csf.allow
```
csf -ar 162.162.1.209
```
Place an IP on temporary deny list in /var/lib/csf/csf.tempban
```
csf -td
```
Remove an IP from the temporary IP ban or allow list
```
csf -tr 162.162.1.209
```
Flush all IPs from the temporary IP entries
```
csf -tf
```
Deny an IP and add to csf.deny
```
csf -d 162.162.1.209
```
Remove and Unblock an IP from csf.deny
```
csf -dr 162.162.1.209
```
Remove and Unblock all entries from csf.deny
```
csf -df
```
Search for a pattern match on iptables e.g : IP, CIDR, Port Number
```
csf -g 152.167.1.118
```

Advanced Configuration to csf.conf at /etc/csf/csf.conf

Add root and admin notification email addresses at /etc/aliases.
```
root: root@domain.com
admin: admin@domain.com
```
Add email address to get all notifications – /etc/csf
(csf > firewall configuration > Reporting Settings > LF_ALERT_TO = alert@domain.com)
```
LF_ALERT_TO = "alert@domain.com"
```
Stop or disable “excessive resource usage” change PT_USERTIME = 0
```
PT_USERTIME = "0"
```
Under Process Tracking at /etc/csf
Don’t Block IP addresses that are in the csf.allow files
```
IGNORE_ALLOW = "1"
```
Allow Incoming and Outgoing ICMP
```
ICMP_IN = "1"
```
```
ICMP_OUT = "1"
```

Block Certain Countres

CC_DENY = "CA,CN,US"

CC_ALLOW = "IN,ME,DE"

Send the Su and SSH Login log by Email

LF_SSH_EMAIL_ALERT = "1"

LF_SU_EMAIL_ALERT = "1"

Get alert or notification
```
LF_ALERT_TO = "email@domain.tld"
```

Warning in CSF

SYSLOG_CHECK option check
(This option helps prevent brute force attacks on your server services)
- Open /etc/csf/csf.conf
- Search for “SYSLOG_CHECK”
- Put value between 300 and 3600 seconds
```
SYSLOG_CHECK = "600"
```
- Restart CSF firewall
```
#csf -r
```
Check for DNS recursion restrictions
(You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only)
- Add following options to /etc/named.conf
```
options {        
   allow-recursion {
   localhost;
};
```
- Restart named
```
service named restart
```
Check for cxs
(You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server)
```
ConfigServer eXploit Scanner (cxs) - from $60/server
```
https://configserver.com/cp/cxs.html
Check for osm
(You should consider using osm to provide protection from spammers exploiting the server)
```
Outgoing Spam Monitor (osm) - $40/server
```
https://www.configserver.com/cp/osm.html
Check for swap file
(The server appears to have no swap file. This is usually considered a stability and performance risk. You should either add a swap partition, or create one via a normal file on an existing partition)
SSH/Telnet Check
- Check SSH PasswordAuthentication
  (You should disable PasswordAuthentication and only allow access using PubkeyAuthentication to improve brute-force SSH security)
- Check SSH UseDNS
  (You should disable UseDNS by editing /etc/ssh/sshd_config. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses)
```
UseDNS no
```

Change DirectAdmin port from 2222 to your choice where CSF installed.

How to install CSF with Brute Force Monitor (BFM) on DirectAdmin

ConfigServer Security & Firewall, CSF basic commands, advanced configurations and settings