Basic CSF commands
- Enable CSF
csf -e
- Disable CSF
csf -x
- Start CSF
csf -s
- Flush/Stop CSF
csf -f
- Reload CSF
csf -r
- Allow an IP and add it to csf.allow – /etc/csf/csf.allow
csf -a 162.162.1.219
- Remove and delete an IP from csf.allow – /etc/csf/csf.allow
csf -ar 162.162.1.209
- Place an IP on the temporary deny list (/var/lib/csf/csf.tempban) for ttl seconds
csf -td 162.162.1.209 3600
- Place an IP on the temporary allow list for ttl seconds
csf -ta 162.162.1.209 3600
- Remove an IP from the temporary deny or allow list
csf -tr 162.162.1.209
- Flush all IPs from the temporary IP entries
csf -tf
- Deny an IP and add to csf.deny
csf -d 162.162.1.209
- Remove and Unblock an IP from csf.deny
csf -dr 162.162.1.209
- Remove and Unblock all entries from csf.deny
csf -df
- Search iptables for a pattern match, e.g. an IP, CIDR or port number, and list the rules that contain it
csf -g 152.167.1.118
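The commands above are easy to misuse from a script: csf.allow takes precedence over csf.deny, so denying an address that is also allowed silently does nothing, and denying the address of your own SSH session ends it. The following wrapper is an added example, not part of CSF or of this cheat sheet's source. It assumes csf is on PATH, that csf.allow lives at /etc/csf/csf.allow (CSF_ALLOW overrides the path), and that CSF_DRY_RUN=1 prints the csf command instead of running it; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of CSF: a guard around "csf -d" that catches the
# mistakes that make a deny useless or painful. Assumes csf is on PATH,
# csf.allow is at /etc/csf/csf.allow (CSF_ALLOW overrides it), and that
# CSF_DRY_RUN=1 prints the csf command instead of running it.

# Accept a plain IPv4 address or IPv4/prefix, the forms csf -d takes.
# Anything else (hostnames, shell metacharacters) is rejected.
valid_ip4() {
    addr="$1"
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    case "$addr" in */*) [ "${addr#*/}" -le 32 ] || return 1 ;; esac
    oldifs="$IFS"; IFS=.; set -- ${addr%%/*}; IFS="$oldifs"
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# True if ADDR appears as a plain entry in csf.allow. Comments are stripped;
# the advanced "tcp|in|d=22|s=..." entry syntax is not parsed.
in_allow() {
    allow="${CSF_ALLOW:-/etc/csf/csf.allow}"
    [ -r "$allow" ] || return 1
    sed 's/#.*//' "$allow" | awk -v ip="$1" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# Usage: csf_deny_safe ADDR [comment]
csf_deny_safe() {
    ip="$1"; reason="${2:-added by csf_deny_safe}"
    valid_ip4 "$ip" || { echo "refusing: '$ip' is not an IPv4 address or CIDR" >&2; return 2; }
    # csf.allow wins over csf.deny, so a deny for an allowed address does nothing.
    if in_allow "$ip"; then
        echo "refusing: $ip is in csf.allow; the deny would be ignored. Remove it with csf -ar first" >&2
        return 3
    fi
    # $SSH_CLIENT is "srcip srcport dstport" for this session: do not cut off
    # the connection you are typing into (plain addresses only; a CIDR that
    # contains your own address is not detected).
    case "${SSH_CLIENT:-}" in
        "$ip "*) [ "${CSF_FORCE:-0}" = 1 ] || { echo "refusing: $ip is your own SSH session (CSF_FORCE=1 overrides)" >&2; return 4; } ;;
    esac
    if [ "${CSF_DRY_RUN:-0}" = 1 ]; then
        echo "csf -d $ip $reason"
    else
        csf -d "$ip" "$reason"
    fi
}

# Stand-alone: ./csf_deny_safe.sh 198.51.100.9 "ssh brute force"
if [ $# -gt 0 ]; then csf_deny_safe "$@"; fi
```

The same shape works for csf -td; the check that matters most is the csf.allow one, because csf prints nothing unusual when a deny is shadowed by an allow entry.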
Advanced configuration in /etc/csf/csf.conf
- Add root and admin notification addresses in /etc/aliases, then run newaliases so the mail server picks them up
root: root@domain.com
admin: admin@domain.com
- Address that receives all lfd alerts (in the WHM/cPanel UI: csf > Firewall Configuration > Reporting Settings)
LF_ALERT_TO = "alert@domain.com"
- Stop the "Excessive resource usage" alerts (Process Tracking section) by setting PT_USERTIME to 0; PT_USERMEM is the memory equivalent. Prefer raising the thresholds instead, since these alerts are often the first sign of a runaway script or a cryptominer
PT_USERTIME = "0"
- Never let lfd block IP addresses listed in csf.allow, even after login failures
IGNORE_ALLOW = "1"
- Allow Incoming and Outgoing ICMP
ICMP_IN = "1"
ICMP_OUT = "1"
- Block certain countries (needs a working GeoIP source, see the CC_* settings in csf.conf; add your own admin IPs to csf.allow first so a CC_DENY entry cannot lock you out)
CC_DENY = "CA,CN,US"
- Allow traffic from certain countries; CC_ALLOW does not by itself block the countries it does not list
CC_ALLOW = "IN,ME,DE"
- Email an alert on every successful SSH login and on every use of su
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
- Address lfd sends its alert emails to
LF_ALERT_TO = "email@domain.tld"
Warnings from the CSF server security check
- SYSLOG_CHECK
(lfd finds login failures by reading the logs that syslog/rsyslog writes. If the logger stalls, brute-force detection stops silently. With SYSLOG_CHECK set, lfd periodically writes a test line to syslog and raises an alert if the line does not show up in the log)
- Open /etc/csf/csf.conf
- Search for "SYSLOG_CHECK"
- Set a value between 300 and 3600 seconds (0 disables the check)
SYSLOG_CHECK = "600"
- Restart csf and lfd so lfd re-reads csf.conf
csf -ra
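The settings in the Advanced configuration section and the SYSLOG_CHECK step above are all single KEY = "value" lines in csf.conf, and the usual way to script them, sed with an unanchored pattern, can hit a longer key with the same prefix (CC_DENY also matches CC_DENY_PORTS). The helper below is an added example, not part of CSF; it assumes the stock csf.conf format, that CSF_CONF overrides the file path (used here for testing), that CSF_DRY_RUN=1 prints the reload command instead of running it, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of CSF: change csf.conf settings from a script
# without the usual sed pitfalls, then verify the result before reloading.
# Assumptions: stock csf.conf format (one KEY = "value" per line),
# CSF_CONF overrides the path for testing, CSF_DRY_RUN=1 skips csf -ra.

conf_path() { printf '%s\n' "${CSF_CONF:-/etc/csf/csf.conf}"; }

# Print the value of KEY (may be empty); fail if the key is not in the file.
csf_get() {
    awk -F'"' -v k="$1" '
        $1 == (k " = ") { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$(conf_path)"
}

# Rewrite KEY = "VALUE" in place. Matching the whole "KEY = " prefix means
# CC_DENY never touches CC_DENY_PORTS, which an unanchored sed /CC_DENY/ would.
csf_set() {
    key="$1"; val="$2"; conf="$(conf_path)"
    case "$val" in *\"*) echo "$key: value may not contain a double quote" >&2; return 2 ;; esac
    # Refuse to append unknown keys: a typo in the key name would otherwise go unnoticed.
    csf_get "$key" >/dev/null || { echo "$key: not present in $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$conf.tmp.$$"
    # The value travels via ENVIRON so awk does not interpret backslashes in it.
    CSF_NEW_VAL="$val" awk -F'"' -v k="$key" '
        $1 == (k " = ") { print k " = \"" ENVIRON["CSF_NEW_VAL"] "\""; next }
        { print }' "$conf" > "$tmp" || return 1
    cat "$tmp" > "$conf" && rm -f "$tmp"      # keeps csf.conf's inode and mode
    [ "$(csf_get "$key")" = "$val" ] || { echo "$key: write failed" >&2; return 1; }
    printf '%s = "%s"\n' "$key" "$val"
}

# The alerting settings from the sections above, applied together, then a
# restart of csf and lfd (lfd only reads csf.conf at start-up).
apply_alerting() {
    csf_set LF_ALERT_TO "alert@domain.com" &&
    csf_set LF_SSH_EMAIL_ALERT 1 &&
    csf_set LF_SU_EMAIL_ALERT 1 &&
    csf_set IGNORE_ALLOW 1 &&
    csf_set SYSLOG_CHECK 600 || return 1
    if [ "${CSF_DRY_RUN:-0}" = 1 ]; then echo "csf -ra"; else csf -ra; fi
}
```

Each call prints the line it wrote, and the backup copy lets you diff what changed before the restart.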
Check for DNS recursion restrictions
(You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only)
- Add the following to the options block of /etc/named.conf; an open resolver can be used for DNS amplification attacks against third parties
options {
    allow-recursion { localhost; };
};
- Check the syntax, then restart named (systemctl restart named on systemd hosts)
named-checkconf && service named restart
- Check for cxs
(You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server)
ConfigServer eXploit Scanner (cxs) - from $60/server
https://configserver.com/cp/cxs.html
- Check for osm
(You should consider using osm to provide protection from spammers exploiting the server)
Outgoing Spam Monitor (osm) - $40/server
https://www.configserver.com/cp/osm.html
- Check for swap file
(The server appears to have no swap file. This is usually considered a stability and performance risk. You should either add a swap partition, or create one via a normal file on an existing partition)
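The swap check above only says what to do, not how. The script below is an added example, not part of CSF: it detects the condition from /proc/swaps (SWAPS overrides the path so the detection can be tested without swap) and creates a swap file the way a practitioner should, with the file made mode 0600 before it is formatted, because swap holds pages of other users' processes. It assumes Linux and root for create_swapfile; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from CSF: detect the "no swap" condition behind the
# warning and fix it with a swap file. Assumes Linux, root for
# create_swapfile, and /proc/swaps (SWAPS overrides the path for testing).

# Succeed if at least one swap area is active: /proc/swaps lists one per
# line after its header line.
has_swap() {
    [ "$(tail -n +2 "${SWAPS:-/proc/swaps}" | grep -c .)" -gt 0 ]
}

# Create, secure, format, activate and persist a swap file.
# Usage: create_swapfile [path] [size_in_MiB]
create_swapfile() {
    path="${1:-/swapfile}"; size_mb="${2:-2048}"
    [ "$(id -u)" -eq 0 ] || { echo "create_swapfile: must run as root" >&2; return 1; }
    [ ! -e "$path" ] || { echo "create_swapfile: $path already exists" >&2; return 1; }
    # dd rather than fallocate: swapon rejects files with holes on some filesystems.
    dd if=/dev/zero of="$path" bs=1M count="$size_mb" status=none || return 1
    # Swap contains memory of other users' processes (passwords, keys).
    # mkswap warns about anything looser than 0600, and the warning is right.
    chmod 600 "$path"
    mkswap "$path" >/dev/null && swapon "$path" || return 1
    # Persist across reboots, once.
    grep -q "^$path[[:space:]]" /etc/fstab || printf '%s none swap sw 0 0\n' "$path" >> /etc/fstab
}

# Stand-alone: ./swapcheck.sh --create [/swapfile] [2048]
if [ "${1:-}" = --create ]; then
    create_swapfile "${2:-/swapfile}" "${3:-2048}"
elif [ "${1:-}" = --check ]; then
    has_swap && echo "swap is active" || echo "no active swap"
fi
```

Re-run the CSF check (or `swapon --show`) afterwards; the warning clears once /proc/swaps lists the file.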
SSH/Telnet Check
Check SSH PasswordAuthentication
(You should disable PasswordAuthentication and only allow access using PubkeyAuthentication to improve brute-force SSH security)
- Set PasswordAuthentication to no and PubkeyAuthentication to yes in /etc/ssh/sshd_config. With UsePAM yes, passwords still work through keyboard-interactive, so set ChallengeResponseAuthentication (KbdInteractiveAuthentication from OpenSSH 8.7 on) to no as well. Check the file with sshd -t and confirm key-based login from a second session before restarting sshd, otherwise the restart can lock you out
Check SSH UseDNS
(You should disable UseDNS by editing /etc/ssh/sshd_config. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses)
UseDNS no
- Restart sshd afterwards (service sshd restart, or systemctl restart sshd)
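Both SSH checks above come down to a few sshd_config keywords, and the trap is that sshd uses the first uncommented occurrence of a keyword, so a `PasswordAuthentication no` added at the bottom of the file does nothing if an earlier line says yes. The audit below is an added example, not CSF's or OpenSSH's own code. It assumes OpenSSH semantics (keywords are case-insensitive, first match wins, Match blocks are conditional and are skipped, Include directives are not followed), and that SSHD_CONFIG overrides the file path for testing; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not CSF's or OpenSSH's code: audit the sshd_config settings
# the two SSH checks ask for, without touching the service. Assumes OpenSSH
# semantics: keywords are case-insensitive, the FIRST uncommented occurrence
# wins, "Match" blocks are conditional (skipped here), Include is not followed.
# SSHD_CONFIG overrides the path for testing.

# Print the effective global value of KEYWORD, lowercased, or "default".
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { in_match = 1 }    # everything after Match is conditional
        in_match { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "${SSHD_CONFIG:-/etc/ssh/sshd_config}"
}

# Exit 0 only if password logins are really off and UseDNS is off;
# otherwise print what is wrong and exit 1.
audit_sshd() {
    rc=0
    pa=$(sshd_opt PasswordAuthentication)
    pk=$(sshd_opt PubkeyAuthentication)
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; either spelling controls the same setting,
    # and with UsePAM yes it is a second way to log in with a password.
    kbd=$(sshd_opt KbdInteractiveAuthentication)
    [ "$kbd" = default ] && kbd=$(sshd_opt ChallengeResponseAuthentication)
    dns=$(sshd_opt UseDNS)

    [ "$pa" = no ] || { echo "PasswordAuthentication is $pa, want no"; rc=1; }
    # PubkeyAuthentication defaults to yes, so an unset keyword is fine.
    case "$pk" in yes|default) ;; *) echo "PubkeyAuthentication is $pk, want yes"; rc=1 ;; esac
    [ "$kbd" = no ] || { echo "ChallengeResponse/KbdInteractiveAuthentication is $kbd, want no"; rc=1; }
    # UseDNS defaults to no since OpenSSH 6.8, but older builds default to
    # yes and lfd needs it off everywhere, so require an explicit "no".
    [ "$dns" = no ] || { echo "UseDNS is $dns, want no"; rc=1; }
    return $rc
}

# Stand-alone: . ./sshd_audit.sh && audit_sshd
```

This reads the file, not the daemon: on systems with `Include /etc/ssh/sshd_config.d/*.conf` the authoritative answer is `sshd -T | grep -i passwordauthentication`, which prints the value sshd will actually use.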