m (Text replacement - "Category:Linux{{Navbox Linux}}" to "{{Navbox Linux}}Category:Linux")
 
Line 1: Line 1:
  
 
== Logging ==
 
== Logging ==
CSF/LFD automatically logs to /var/log/lfd.log
+
CSF/LFD automatically logs to {{code|/var/log/lfd.log}}.
tail /var/log/lfd.log
+
{{highlight|lang=terminal|code=
 +
# tail /var/log/lfd.log
 +
}}
  
 +
== Quick Usage ==
 +
{| class="wikitable"
 +
! Task
 +
! Command
 +
|-
 +
| Restart CSF ||  {{highlight|lang=terminal|code=# csf -r}}
 +
|-
 +
| Deny IP ||  {{highlight|lang=terminal|code=# csf -d <IP>}}
 +
|- 
 +
| Allow IP || {{highlight|lang=terminal|code=# csf -a <IP>}}
 +
|-
 +
| Remove Denial || {{highlight|lang=terminal|code=# csf -dr <IP>}}
 +
|-
 +
| Remove Allow || {{highlight|lang=terminal|code=# csf -ar <IP>}}
 +
|-
 +
| Temporary Denial || {{highlight|lang=terminal|code=# csf -td <IP> <seconds>}}
 +
|}
  
== Block / Unblock IP ==
+
A more detailed usage:
 +
{{highlight|lang=text|code=
 +
Usage: /usr/sbin/csf [option] [value]
 +
Option              Meaning
 +
-h, --help          Show this message
 +
-l, --status        List/Show iptables configuration
 +
-l6, --status6      List/Show ip6tables configuration
 +
-s, --start        Start firewall rules
 +
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
 +
-r, --restart      Restart firewall rules
 +
-q, --startq        Quick restart (csf restarted by lfd)
 +
-sf, --startf      Force CLI restart regardless of LFDSTART setting
 +
-a, --add ip        Allow an IP and add to /etc/csf.allow
 +
-ar, --addrm ip    Remove an IP from /etc/csf.allow and delete rule
 +
-d, --deny ip      Deny an IP and add to /etc/csf.deny
 +
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
 +
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
 +
-g, --grep ip      Search the iptables rules for an IP match (incl. CIDR)
 +
-t, --temp          Displays the current list of temp IP entries and their TTL
 +
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
 +
-td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to block for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in)
 +
-ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout)
 +
-tf, --tempf        Flush all IPs from the temp IP entries
 +
-cp, --cping        PING all members in an lfd Cluster
 +
-cd, --cdeny ip    Deny an IP in a Cluster and add to /etc/csf.deny
 +
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
 +
-cr, --crm ip      Unblock an IP in a Cluster and remove from /etc/csf.deny
 +
-cc, --cconfig [key] [value]  Sets cluster configuration option [key] to [value]
 +
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
 +
-crs, --crestart    Cluster restart csf and lfd
 +
-w, --watch ip      Log SYN packets for an IP across iptables chains
 +
-m, --mail [addr]  Display Server Check in HTML or email to [addr] if present
 +
-lr, --logrun      Initiate Log Scanner report via lfd
 +
-c, --check        Check for updates to csf but do not upgrade
 +
-u, --update        Check for updates to csf and upgrade if available
 +
-uf                Force an update of csf
 +
-x, --disable      Disable csf and lfd
 +
-e, --enable        Enable csf and lfd if previously disabled
 +
-v, --version      Show csf version
 +
}}
  
csf -d <IP> : block IP
+
== Automatic Temporary Bans ==
csf -a <IP> : allow IP
+
Ghetto script to quickly block clients making excessive connections:
csf -dr <IP> : Deny removal
+
{{highlight|lang=bash|code=
csf -ar <IP> : Allow removal
+
#!/bin/bash
 +
 
 +
# Any clients connecting to the server resulting in 20 or more
 +
# connections will be blocked for 5 mins.
 +
/usr/bin/netstat -n \
 +
        {{!}} grep tcp {{!}} awk '{print $5}' \
 +
        {{!}} awk -F: '{print $1}' {{!}} sort {{!}} uniq -c \
 +
        {{!}} awk '$1 > 20 {print $2}' \
 +
        {{!}} while read i ; do
 +
                echo Temporarily blocking $i >> /tmp/csf.log
 +
                /usr/sbin/csf -td $i 300
 +
        done
 +
}}
  
  
 
{{Navbox Linux}}[[Category:Linux]]
 
{{Navbox Linux}}[[Category:Linux]]
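Review bot: the bash block added under "Automatic Temporary Bans" bans on `awk '$1 > 20'` while its comment promises that "20 or more" connections are blocked; either use `$1 >= 20` or reword the comment. The same pipeline splits the foreign address on ':' with `awk -F: '{print $1}'`, so a tcp6 line such as `::ffff:203.0.113.9:443` yields an empty or truncated address and `/usr/sbin/csf -td $i 300` runs with a bogus argument; strip only the trailing `:port` or restrict the `grep` to IPv4 lines. There is also no exclusion for loopback or csf.allow entries, so a busy legitimate client (the admin's own session, a monitoring host) would receive the five-minute temp ban; quoting `"$i"` and using `read -r` would round out the fix.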

Latest revision as of 15:21, 1 December 2019

Logging

CSF/LFD automatically logs to /var/log/lfd.log.

# tail /var/log/lfd.log

Quick Usage

Task                 Command
Restart CSF          # csf -r
Deny IP              # csf -d <IP>
Allow IP             # csf -a <IP>
Remove Denial        # csf -dr <IP>
Remove Allow         # csf -ar <IP>
Temporary Denial     # csf -td <IP> <seconds>

A more detailed usage:

Usage: /usr/sbin/csf [option] [value]
Option              Meaning
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LFDSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to block for (default:seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default:inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [key] [value]  Sets cluster configuration option [key] to [value]
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-w, --watch ip      Log SYN packets for an IP across iptables chains
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-lr, --logrun       Initiate Log Scanner report via lfd
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version

Automatic Temporary Bans

Quick-and-dirty script to temporarily block clients making excessive connections:

#!/bin/bash

# Any client with 20 or more TCP connections to the server
# is blocked for 5 mins (300 s) with a temporary csf deny.
# Only IPv4 lines are counted: splitting on ':' below would
# truncate an IPv6 address and pass a bogus value to csf.
/usr/bin/netstat -nt \
        | grep '^tcp ' | awk '{print $5}' \
        | awk -F: '{print $1}' | sort | uniq -c \
        | awk '$1 >= 20 {print $2}' \
        | while read -r i ; do
                echo "Temporarily blocking $i" >> /tmp/csf.log
                /usr/sbin/csf -td "$i" 300
        done
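A hardened variant of the script above, written as an added example rather than taken from the wiki page: it counts only ESTABLISHED connections, keeps IPv6 peers intact by stripping just the trailing port, skips loopback and any IP listed in the csf allow file, and has a dry-run mode. The csf binary path (/usr/sbin/csf) and the allow file location (/etc/csf/csf.allow) are assumptions that can be overridden via environment variables.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumed paths below are overridable.
THRESHOLD=${THRESHOLD:-20}      # connections per peer that trigger a ban
BAN_SECONDS=${BAN_SECONDS:-300} # 5 minutes, as in the original script
ALLOW_FILE=${ALLOW_FILE:-/etc/csf/csf.allow}
CSF_BIN=${CSF_BIN:-/usr/sbin/csf}
# offenders: reads `netstat -nt` lines on stdin and prints each peer IP with
# >= THRESHOLD ESTABLISHED connections, skipping loopback and exact IPs in the
# allow file ($1). Only the trailing :port is removed, so IPv6 stays intact.
offenders() {
    awk -v thr="$THRESHOLD" -v allow="$1" '
        BEGIN {
            while ((getline l < allow) > 0) {
                sub(/#.*/, "", l); gsub(/[ \t]/, "", l)   # drop comments/space
                if (l != "" && index(l, "/") == 0 && index(l, "|") == 0) ok[l] = 1
            }
            close(allow)
        }
        $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
            p = $5; sub(/:[0-9]+$/, "", p); sub(/^::ffff:/, "", p)
            if (p == "127.0.0.1" || p == "::1" || (p in ok)) next
            n[p]++
        }
        END { for (p in n) if (n[p] >= thr) print p }' | sort
}
# ban_offenders: apply to the live host; DRY_RUN=1 only prints the commands.
ban_offenders() {
    /usr/bin/netstat -nt | offenders "$ALLOW_FILE" | while read -r ip; do
        echo "$(date '+%F %T') temp-banning $ip for ${BAN_SECONDS}s" >> /tmp/csf.log
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$CSF_BIN -td $ip $BAN_SECONDS"
        else "$CSF_BIN" -td "$ip" "$BAN_SECONDS"; fi
    done
}
# demo: constructed netstat output (not from a real host): 20 ESTABLISHED from
# 203.0.113.9, 20 from allowlisted 198.51.100.7, 20 TIME_WAIT from 192.0.2.3,
# 20 from IPv6 peer 2001:db8::1 and one SSH session from 203.0.113.50.
demo() {
    d=$(mktemp -d); printf '198.51.100.7 # monitoring host\n' > "$d/allow"
    awk 'BEGIN { for (i = 0; i < 20; i++) {
            printf "tcp 0 0 10.0.0.5:443 203.0.113.9:%d ESTABLISHED\n", 40000 + i
            printf "tcp 0 0 10.0.0.5:443 198.51.100.7:%d ESTABLISHED\n", 40000 + i
            printf "tcp 0 0 10.0.0.5:443 192.0.2.3:%d TIME_WAIT\n", 40000 + i
            printf "tcp6 0 0 :::443 2001:db8::1:%d ESTABLISHED\n", 40000 + i }
        print "tcp 0 0 10.0.0.5:22 203.0.113.50:5000 ESTABLISHED" }' |
        offenders "$d/allow"
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; --run) ban_offenders ;; esac
```

Run with `--demo` to see which constructed peers would be banned, or `DRY_RUN=1 ... --run` on a real host to preview the csf commands without executing them.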