CSF/LFD

From Leo's Notes
Last edited on 14 June 2020, at 22:20.

Logging[edit | edit source]

CSF/LFD automatically logs to /var/log/lfd.log. 

# tail /var/log/lfd.log

Quick Usage[edit | edit source]

Task Command
Restart CSF 
# csf -r
Deny IP 
# csf -d <IP>
Allow IP 
# csf -a <IP>
Remove Denial 
# csf -dr <IP>
Remove Allow 
# csf -ar <IP>
Temporary Denial 
# csf -td <IP> <seconds>

A more detailed usage: 

Usage: /usr/sbin/csf [option] [value]
Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LFDSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to block for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [key] [value]  Sets cluster configuration option [key] to [value]
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

Automatic Temporary Bans[edit | edit source]

Ghetto script to quickly block clients making excessive connections: 

#!/bin/bash

# Any clients connecting to the server resulting in 20 or more
# connections will be blocked for 5 mins.
/usr/bin/netstat -n \
        | grep tcp | awk '{print $5}' \
        | awk -F: '{print $1}' | sort | uniq -c \
        | awk '$1 > 20 {print $2}' \
        | while read i ; do
                echo Temporarily blocking $i >> /tmp/csf.log
                /usr/sbin/csf -td $i 300
        done
Various Linux Notes
Linux Tools and Utilites
Package Management
Linux Distributions
Networking
Containers

Recent Changes

Recent Changes under Linux

Recent Changes under Guides

Ad-Free + Tracker-Free

I respect your privacy. This site does not serve ads, use trackers/analytics, or load resources from 3rd party websites.

Cookies may be created by MediaWiki but will contain no user identifiable information.


Back to top