What is CSF Firewall?

CSF Firewall is a suite of scripts which provide firewall security with Stateful Packet Inspection and Login Intrusion detection. All documentation is linked below. CSF also has GUI Web Interface Integration for cPanel, DirectAdmin and Webmin. However, for Centmin Mod install, CSF is a non-gui based.

CSF Firewall is a default installed item as at Centmin Mod v1.2.3+. With Centmin Mod 1.2.3-eva2000.08+ and higher, CSF Firewall also auto detects if your server environment supports IPSET and enables CSF Firewall's IPSET support to allow more efficient handling of larger number of IP addresses. IPSET isn't supported by OpenVZ virtualization so only available for dedicated barebones servers, Xen and KVM based virtualized environments. It's highly recommend that CSF Firewall is installed on your CentOS server.

CSF Firewall interfaces with iptables and makes it much easier to manage compared to iptables (see CSF Documentation Links below). The main CSF Firewall config file is located at /etc/csf/csf.conf where you can also define which TCP and UDP ports to allow IN or OUT of the server.

If CSF Firewall is blocking legit visitors to your site, check out Official FAQ items 40 & 41 for further clues.



Unblocking Your ISP IP

If for whatever reason, your own ISP IP address gets blocked in CSF Firewall, you maybe able to unblock yourself if you use a web host with KVM/Console out of band feature. DigitalOcean Console and SolusVM based VPS hosts have Console access (example), Linode has Lish or dedicated servers may come with KVM/IPMI console access. Use the console access to log back into your server via SSH and check if your ISP IP address has been blocked by grepping CSF Firewall IPs

csf -g ISPIPADDRRESS

Example output from blocked IP = 119.249.54.86 blocked due to failed SSH login attacks

csf -g 119.249.54.86

Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 119.249.54.86 in iptables

IPSET: Set:chain_DENY Match:119.249.54.86 Setting: File:/etc/csf/csf.deny

ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 119.249.54.86 in ip6tables

csf.deny: 119.249.54.86 # lfd: (sshd) Failed SSH login from 119.249.54.86 (CN/China/-): 5 in the last 3600 secs - Sat Sep 10 04:56:25 2016

To remove your ISP IP address from CSF Firewall block, there's 2 methods. First, is manually editing /etc/csf/csf.deny to remove ISP IP and restart CSF Firewall. Second, method is using command:

csf -dr ISPIPADDRRESS

Whitelist Ports

The CSF Firewall configuration file at /etc/csf/csf.conf has a list of predefined white listed ports for TCP, TCP6, UDP and UDP6 in comma separated format. You can edit, add or remove ports you require and then restart CSF Firewall service for it to take effect.

In SSH you can type this command to have a quick overview of existing ports for the respective variables.

egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf

Output will be a comma separated list of port numbers that are white listed by CSF Firewall

TCP_IN =
TCP_OUT =
UDP_IN =
UDP_OUT =
TCP6_IN =
TCP6_OUT =
UDP6_IN =
UDP6_OUT =

You can also whitelist ports for specific source and/or destination IP addresses only. For example, if you need to setup portmapper/RPC (port 111) and NFS share (port 2049) on TCP and UDP, you can add/append to /etc/csf/csf.allow where source and destination IP = 11.22.33.44 which could be a public or private IP.

tcp|in|d=111|s=11.22.33.44
tcp|in|d=2049|s=11.22.33.44
tcp|out|d=111|d=11.22.33.44
tcp|out|d=2049|d=11.22.33.44
udp|in|d=111|s=11.22.33.44
udp|in|d=2049|s=11.22.33.44
udp|out|d=111|d=11.22.33.44
udp|out|d=2049|d=11.22.33.44

Or if you need to setup remote Memcached server (port 11211) or remote PHP-FPM server (port 9000) on TCP, you can add/append to /etc/csf/csf.allow where source and destination IP = 11.22.33.44 which could be a public or private IP.

tcp|in|d=11211|s=11.22.33.44
tcp|in|d=9000|s=11.22.33.44
tcp|out|d=11211|d=11.22.33.44
tcp|out|d=9000|d=11.22.33.44

then restart CSF Firewall

csf -r

Whitelist allowing IPs

CSF Firewall can allow or whitelist ip addresses using SSH telnet and command where xxx.xxx.xxx.xxx is IP address:

csf -a xxx.xxx.xxx.xxx

You can also add comments to whitelist entries

csf -a xxx.xxx.xxx.xxx comment

You can also totally ignore an IP address from CSF's LFD Daemon (login failure daemon) by appending that IP address (xxx.xxx.xxx.xxx) on a single line in /etc/csf/csf.ignore

###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be ignored by all lfd checks
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#

127.0.0.1
xxx.xxx.xxx.xxx

If you need to whitelist a dynamic IP address, you would need to use a dynamic DNS service provider like noip.com or dnsexit.com to create a hostname to point to your dynamic IP address and then use a provided client to auto or manually update that hostname's assigned dynamic IP address when it is changed at your ISP level. You will then need to enable CSF Firewall's Dynamic DNS support options outlined on the forums here or futher down this page here.

If you have problems using SCP, SFTP, rsync, or other commands trying to connect to or from a remote server to your Centmin Mod server, you will need to whitelist the remote server's IP address as per above command. Common, situation would be connecting to a remote MySQL server which you need to whitelist remote MySQL server IP address as well as edit /etc/csf/csf.conf to add to TCP_OUT the default MySQL port 3306. Then restart CSF firewall service.

If you use third party SMTP services, you also need to add the appropriate ports to TCP_OUT listing within /etc/csf/csf.conf. Then restart CSF firewall service. Full example outlined on Centmin Mod Community forums.

If you use monitoring services UptimeRobot, you will need to whitelist the remote server's IP address as per above command.

UptimeRobot maintains a list of current IP addresses, which you can find here.. You can easily generate a CSF Firewall whitelist using these commands on your server:

curl -s https://uptimerobot.com/inc/files/ips/IPv4andIPv6.txt | while read i; do echo "csf -a ${i}"; done

Which will output a list of CSF whitelisting commands you can run.

curl -s https://uptimerobot.com/inc/files/ips/IPv4andIPv6.txt | while read i; do echo "csf -a ${i}"; done
csf -a 216.144.250.150
csf -a 69.162.124.226
csf -a 69.162.124.227
csf -a 69.162.124.228
csf -a 69.162.124.229
csf -a 69.162.124.230
csf -a 69.162.124.231
csf -a 69.162.124.232
csf -a 69.162.124.233
csf -a 69.162.124.234
csf -a 69.162.124.235
csf -a 69.162.124.236
csf -a 69.162.124.237
csf -a 69.162.124.238
csf -a 63.143.42.242
csf -a 63.143.42.243
csf -a 63.143.42.244
csf -a 63.143.42.245
csf -a 63.143.42.246
csf -a 63.143.42.247
csf -a 63.143.42.248
csf -a 63.143.42.249
csf -a 63.143.42.250
csf -a 63.143.42.251
csf -a 63.143.42.252
csf -a 63.143.42.253
csf -a 216.245.221.82
csf -a 216.245.221.83
csf -a 216.245.221.84
csf -a 216.245.221.85
csf -a 216.245.221.86
csf -a 216.245.221.87
csf -a 216.245.221.88
csf -a 216.245.221.89
csf -a 216.245.221.90
csf -a 216.245.221.91
csf -a 216.245.221.92
csf -a 216.245.221.93
csf -a 46.137.190.132
csf -a 122.248.234.23
csf -a 188.226.183.141
csf -a 178.62.52.237
csf -a 54.79.28.129
csf -a 54.94.142.218
csf -a 104.131.107.63
csf -a 54.67.10.127
csf -a 54.64.67.106
csf -a 159.203.30.41
csf -a 46.101.250.135
csf -a 18.221.56.27
csf -a 52.60.129.180
csf -a 159.89.8.111
csf -a 146.185.143.14
csf -a 139.59.173.249
csf -a 165.227.83.148
csf -a 128.199.195.156
csf -a 138.197.150.151
csf -a 34.233.66.117
csf -a 2607:ff68:107::3
csf -a 2607:ff68:107::4
csf -a 2607:ff68:107::5
csf -a 2607:ff68:107::6
csf -a 2607:ff68:107::7
csf -a 2607:ff68:107::8
csf -a 2607:ff68:107::9
csf -a 2607:ff68:107::10
csf -a 2607:ff68:107::11
csf -a 2607:ff68:107::12
csf -a 2607:ff68:107::13
csf -a 2607:ff68:107::14
csf -a 2607:ff68:107::15
csf -a 2607:ff68:107::16
csf -a 2607:ff68:107::17
csf -a 2607:ff68:107::18
csf -a 2607:ff68:107::19
csf -a 2607:ff68:107::20
csf -a 2607:ff68:107::21
csf -a 2607:ff68:107::22
csf -a 2607:ff68:107::23
csf -a 2607:ff68:107::24
csf -a 2607:ff68:107::25
csf -a 2607:ff68:107::26
csf -a 2607:ff68:107::27
csf -a 2607:ff68:107::28
csf -a 2607:ff68:107::29
csf -a 2607:ff68:107::30
csf -a 2607:ff68:107::31
csf -a 2607:ff68:107::32
csf -a 2607:ff68:107::33
csf -a 2607:ff68:107::34
csf -a 2607:ff68:107::35
csf -a 2607:ff68:107::36
csf -a 2607:ff68:107::37
csf -a 2607:ff68:107::38
csf -a 2a03:b0c0:0:1010::832:1
csf -a 2a03:b0c0:1:d0::e54:a001
csf -a 2604:a880:800:10::4e6:f001
csf -a 2604:a880:cad:d0::122:7001
csf -a 2a03:b0c0:3:d0::33e:4001
csf -a 2600:1f16:775:3a01:70d6:601a:1eb5:dbb9
csf -a 2600:1f11:56a:9000:23:651b:dac0:9be4
csf -a 2a03:b0c0:3:d0::44:f001
csf -a 2a03:b0c0:0:1010::2b:b001
csf -a 2a03:b0c0:1:d0::22:5001
csf -a 2604:a880:400:d0::4f:3001
csf -a 2400:6180:0:d0::16:d001
csf -a 2604:a880:cad:d0::18:f001
csf -a 2600:1f18:179:f900:88b2:b3d:e487:e2f4

If you use monitoring services such as Pingdom.com or NodePing.com, you will need to whitelist the remote server's IP address as per above command.

For NodePing.com, these are following IP addresses and commands needed to be run:

IPv4 only IPs

csf -a 96.9.222.119 pinghostil.nodeping.com
csf -a 89.45.10.135 pinghostro.nodeping.com
csf -a 78.157.200.148 pinghostuk.nodeping.com
csf -a 66.23.202.26 pinghostny.nodeping.com
csf -a 54.36.110.96 pinghostde.nodeping.com
csf -a 54.232.120.40 pinghostbr.nodeping.com
csf -a 5.226.139.158 pinghostld.nodeping.com
csf -a 37.252.125.64 pinghostnl.nodeping.com
csf -a 23.226.135.34 pinghostnj.nodeping.com
csf -a 217.182.201.227 pinghostpl.nodeping.com
csf -a 208.82.130.170 pinghostpy.nodeping.com
csf -a 206.222.22.82 pinghostoh.nodeping.com
csf -a 203.29.240.44 pinghostpe.nodeping.com
csf -a 198.96.95.50 pinghosttx.nodeping.com
csf -a 195.154.167.97 pinghostfr.nodeping.com
csf -a 192.161.172.202 pinghostca.nodeping.com
csf -a 192.154.102.130 pinghostut.nodeping.com
csf -a 190.210.176.48 pinghostar.nodeping.com
csf -a 180.149.230.17 pinghostjp.nodeping.com
csf -a 173.248.161.42 pinghostco.nodeping.com
csf -a 173.205.92.154 pinghostwa.nodeping.com
csf -a 172.104.181.238 pinghostsg.nodeping.com
csf -a 162.254.202.35 pinghostfl.nodeping.com
csf -a 162.210.173.188 pinghostor.nodeping.com
csf -a 144.48.37.241 pinghostam.nodeping.com
csf -a 139.99.130.48 pinghostau.nodeping.com
csf -a 107.150.22.26 pinghostga.nodeping.com
csf -a 103.6.85.58 pinghosthk.nodeping.com

IPv6 only IPs

csf -a 2a04:9dc0:1::79a4:725e pinghostro.nodeping.com
csf -a 2a02:2770:5:0:21a:4aff:fe1a:c131 pinghostnl.nodeping.com
csf -a 2a01:a500:375:1::25:4617 pinghostuk.nodeping.com
csf -a 2a01:4020:1:26::10 pinghostld.nodeping.com
csf -a 2607:fcd0:da80:4300::10 pinghosttx.nodeping.com
csf -a 2607:fcd0:cd00:a00::10 pinghostwa.nodeping.com
csf -a 2607:fcd0:ccc0:1301::10 pinghostnj.nodeping.com
csf -a 2607:fcd0:aa80:2200::10 pinghostga.nodeping.com
csf -a 2607:fcd0:106:ab01::10 pinghostca.nodeping.com
csf -a 2607:fc88:100:40::2 pinghostco.nodeping.com
csf -a 2606:c700:4020:17:225:90ff:fe50:390a pinghostut.nodeping.com
csf -a 2605:9f80:c000:127::2 pinghostny.nodeping.com
csf -a 2604:bf00:214::10 pinghostpy.nodeping.com
csf -a 2604:bc80:8001:3c:225:90ff:fee5:5c6 pinghostfl.nodeping.com
csf -a 2604:b480:ffff:ffff:fa06::10 pinghostor.nodeping.com
csf -a 2602:ffc8:3d02::190:4ae6 pinghostil.nodeping.com
csf -a 2406:d500:9::7a91:9b75 pinghostjp.nodeping.com
csf -a 2404:f780:2:950:216:3cff:feb8:ab8e pinghostam.nodeping.com
csf -a 2404:9400:4:0:216:3eff:fee1:3c1b pinghostpe.nodeping.com
csf -a 2403:2500:8000:1::ce6 pinghosthk.nodeping.com
csf -a 2402:1f00:8100:230::10 pinghostau.nodeping.com
csf -a 2400:8901::f03c:91ff:feb9:fbf4 pinghostsg.nodeping.com
csf -a 2001:bc8:2327:110::10 pinghostfr.nodeping.com
csf -a 2001:41d0:700:1360::10 pinghostde.nodeping.com
csf -a 2001:41d0:602:4e3::10 pinghostpl.nodeping.com
csf -a 2001:1828:0:6a::2 pinghostoh.nodeping.com

Nodeping maintains a list of current IP addresses, which you can find here.. You can easily generate a CSF Firewall whitelist using these 2 commands on your server:

IPv4 only IPs

wget -O nodeping.txt https://nodeping.com/content/txt/pinghosts.txt
awk '{print "csf -a",$2, $1}' nodeping.txt | sort -r | grep -v ':'

IPv6 only IPs

wget -O nodeping.txt https://nodeping.com/content/txt/pinghosts.txt
awk '{print "csf -a",$2, $1}' nodeping.txt | sort -r | grep ':'

For Hextrixtools.com Uptime Monitor, these are following IP addresses and commands needed to be run:

csf -a 96.126.106.201 wk1-1.hetrixtools.com
csf -a 95.179.193.59 wk4-2.hetrixtools.com
csf -a 95.179.139.97 wk3.hetrixtools.com
csf -a 94.16.112.18 wk5-2.hetrixtools.com
csf -a 78.46.88.58 wk5-1.hetrixtools.com
csf -a 52.67.204.189 wk9.hetrixtools.com
csf -a 52.65.182.14 wk8.hetrixtools.com
csf -a 52.59.92.96 wk5.hetrixtools.com
csf -a 52.56.73.124 wk4.hetrixtools.com
csf -a 52.52.33.209 wk2-1.hetrixtools.com
csf -a 52.23.120.125 wk1-2.hetrixtools.com
csf -a 52.221.91.160 wk6.hetrixtools.com
csf -a 52.207.41.187 wk1.hetrixtools.com
csf -a 52.199.17.123 wk10.hetrixtools.com
csf -a 51.15.61.222 wk3-1.hetrixtools.com
csf -a 45.76.202.144 wk10-1.hetrixtools.com
csf -a 45.76.120.140 wk8-1.hetrixtools.com
csf -a 45.32.204.172 wk7-1.hetrixtools.com
csf -a 35.154.5.38 wk11.hetrixtools.com
csf -a 31.192.104.220 wk12-1.hetrixtools.com
csf -a 23.239.7.4 wk2.hetrixtools.com
csf -a 188.166.79.172 wk3-2.hetrixtools.com
csf -a 185.143.173.230 wk12.hetrixtools.com
csf -a 178.62.11.90 wk4-3.hetrixtools.com
csf -a 172.104.99.63 wk10-2.hetrixtools.com
csf -a 159.89.159.134 wk2-3.hetrixtools.com
csf -a 149.28.212.239 wk2-2.hetrixtools.com
csf -a 139.99.169.250 wk8-2.hetrixtools.com
csf -a 139.162.228.62 wk4-1.hetrixtools.com
csf -a 139.162.22.205 wk6-1.hetrixtools.com
csf -a 138.197.17.201 wk1-3.hetrixtools.com
csf -a 128.199.187.77 wk6-2.hetrixtools.com
csf -a 104.41.61.219 wk9-1.hetrixtools.com
csf -a 104.237.139.48 wk7.hetrixtools.com
csf -a 104.211.188.46 wk11-1.hetrixtools.com

Hextrixtools maintains a list of current IP addresses, which you can find here.. You can easily generate a CSF Firewall whitelist using these 2 commands on your server:

wget -O hetrixtools.txt https://hetrixtools.com/resources/uptime-monitor-ips.txt
awk '{print "csf -a",$2, $1}' hetrixtools.txt | sort -r

For MailChimp.com to whitelist their listed IPs:

csf -a 72.26.195.64/27 mailchimp
csf -a 74.63.47.96/27 mailchimp
csf -a 173.231.138.192/27 mailchimp
csf -a 173.231.139.0/24 mailchimp
csf -a 173.231.176.0/21 mailchimp
csf -a 173.231.184.0/21 mailchimp
csf -a 205.201.128.0/20 mailchimp
csf -a 198.2.128.0/18 mailchimp?

For Newrelic users, whitelist the following IPs:

csf -a 50.31.164.0/24 newrelic
csf -a 162.247.240.0/22 newrelic
csf -a 54.252.114.170 newrelic
csf -a 54.252.114.169 newrelic
csf -a 54.251.34.67 newrelic
csf -a 54.251.109.246 newrelic
csf -a 54.248.250.232 newrelic
csf -a 54.248.225.67 newrelic
csf -a 54.247.188.179 newrelic
csf -a 54.241.22.142 newrelic
csf -a 54.232.123.139 newrelic
csf -a 54.228.244.177 newrelic
csf -a 54.214.255.205 newrelic
csf -a 50.31.164.139 newrelic
csf -a 50.18.57.7 newrelic
csf -a 50.16.189.130 newrelic
csf -a 50.112.95.211 newrelic
csf -a 184.73.237.85 newrelic
csf -a 177.71.245.207 newrelic

For CloudFlare IP addresses, full list of IPs available at https://www.cloudflare.com/ips/ and https://support.cloudflare.com/hc/en-us/articles/200169296-How-do-I-whitelist-CloudFlare-s-IPs-in-htaccess-. Check the link regularly for updated IPs.

You can also grab Cloudflare IP address list via Cloudflare API at https://api.cloudflare.com/#cloudflare-ips-properties

(IPv4)

curl -sX GET "https://api.cloudflare.com/client/v4/ips" |  jq -r '.result.ipv4_cidrs[]' | sort
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

(IPv6)

curl -sX GET "https://api.cloudflare.com/client/v4/ips" |  jq -r '.result.ipv6_cidrs[]' | sort 
2400:cb00::/32
2405:8100::/32
2405:b500::/32
2606:4700::/32
2803:f800::/32
2a06:98c0::/29
2c0f:f248::/32

Whitelist Cloudflare IPs in CSF Firewall using -a flag:

(IPv4)

csf -a 173.245.48.0/20 cloudflare
csf -a 103.21.244.0/22 cloudflare
csf -a 103.22.200.0/22 cloudflare
csf -a 103.31.4.0/22 cloudflare
csf -a 141.101.64.0/18 cloudflare
csf -a 108.162.192.0/18 cloudflare
csf -a 190.93.240.0/20 cloudflare
csf -a 188.114.96.0/20 cloudflare
csf -a 197.234.240.0/22 cloudflare
csf -a 198.41.128.0/17 cloudflare
csf -a 162.158.0.0/15 cloudflare
csf -a 104.16.0.0/12 cloudflare
csf -a 172.64.0.0/13 cloudflare
csf -a 131.0.72.0/22 cloudflare

(IPv6)

csf -a 2400:cb00::/32 cloudflare
csf -a 2606:4700::/32 cloudflare
csf -a 2803:f800::/32 cloudflare
csf -a 2405:b500::/32 cloudflare
csf -a 2405:8100::/32 cloudflare
csf -a 2a06:98c0::/29 cloudflare
csf -a 2c0f:f248::/32 cloudflare

For Incapsula IP addresses, full list of IPs available at https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-. Check the link regularly for updated IPs.

Incapsula IPs can also be retrieved in preset formats via their API

curl -k -s --data "resp_format=json" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=apache" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=iptables" https://my.incapsula.com/api/integration/v1/ips

Nginx format:

curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 192.230.64.0/18;
allow 45.64.64.0/22;
allow 107.154.0.0/16;
allow 45.60.0.0/16;
allow 45.223.0.0/16;
allow 2a02:e980::/29;

Which you can pipe through sed and awk to get CSF Firewall format whitelist commands

curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips | sed -e 's|;||g' | awk '{print "csf -a",$2,"incapsula"}'

Resulting output:

csf -a 199.83.128.0/21 incapsula
csf -a 198.143.32.0/19 incapsula
csf -a 149.126.72.0/21 incapsula
csf -a 103.28.248.0/22 incapsula
csf -a 185.11.124.0/22 incapsula
csf -a 192.230.64.0/18 incapsula
csf -a 45.64.64.0/22 incapsula
csf -a 107.154.0.0/16 incapsula
csf -a 45.60.0.0/16 incapsula
csf -a 45.223.0.0/16 incapsula
csf -a 2a02:e980::/29 incapsula

Or you can edit allow list at /etc/csf/csf.allow. Contents of example csf.allow file

###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore

173.255.243.111 # pinghostca.nodeping.com - Thu Jul 25 22:56:44 2013
204.11.60.100 # pinghosttx.nodeping.com - Thu Jul 25 22:56:44 2013
192.30.32.170 # pinghostga.nodeping.com - Thu Jul 25 22:56:44 2013
108.61.56.241 # pinghostnj.nodeping.com - Thu Jul 25 22:56:44 2013
89.32.145.126 # pinghostld.nodeping.com - Thu Jul 25 22:56:45 2013
46.249.33.15 # pinghostnl.nodeping.com - Thu Jul 25 22:56:45 2013
78.47.40.108 # pinghostde.nodeping.com - Thu Jul 25 22:56:45 2013
89.45.249.16 # pinghostro.nodeping.com - Thu Jul 25 22:56:45 2013

For Constellix monitoring:

csf -a 158.85.11.83 USWAS-MON2-constellix
csf -a 158.85.11.82 USWAS-MON1-constellix
csf -a 45.77.3.147 USSJC-MON2-constellix
csf -a 45.63.95.103 USSJC-MON1-constellix
csf -a 104.236.176.222 USSFO-MON2-constellix
csf -a 107.170.204.192 USSFO-MON1-constellix
csf -a 174.37.182.245 USSEA-MON2-constellix
csf -a 174.37.182.242 USSEA-MON1-constellix
csf -a 108.61.157.199 USNYC-MON2-constellix
csf -a 45.55.175.142 USNYC-MON2-constellix
csf -a 104.131.186.91 USNYC-MON1-constellix
csf -a 45.63.10.211 USNYC-MON1-constellix
csf -a 45.32.173.194 USMIA-MON2-constellix
csf -a 45.32.167.106 USMIA-MON1-constellix
csf -a 45.32.69.210 USLAX-MON2-constellix
csf -a 45.76.67.106 USLAX-MON1-constellix
csf -a 45.33.52.40 USFMT-MON2-constellix
csf -a 45.33.61.194 USFMT-MON1-constellix
csf -a 45.56.110.50 USEWR-MON2-constellix
csf -a 45.33.74.47 USEWR-MON1-constellix
csf -a 104.237.137.134 USDAL-MON2-constellix
csf -a 169.44.29.101 USDAL-MON2-constellix
csf -a 169.44.29.99 USDAL-MON1-constellix
csf -a 198.58.122.143 USDAL-MON1-constellix
csf -a 45.63.66.43 USCHI-MON2-constellix
csf -a 104.238.164.23 USCHI-MON1-constellix
csf -a 45.33.96.168 USATL-MON2-constellix
csf -a 23.239.17.158 USATL-MON1-constellix
csf -a 172.104.39.47 SGSIN-MON2-constellix
csf -a 139.162.27.246 SGSIN-MON1-constellix
csf -a 163.47.21.14 NZAKL-MON2-constellix
csf -a 163.47.21.36 NZAKL-MON1-constellix
csf -a 45.32.185.22 NLAMS-MON2-constellix
csf -a 188.166.25.57 NLAMS-MON2-constellix
csf -a 178.62.215.141 NLAMS-MON1-constellix
csf -a 45.32.235.23 NLAMS-MON1-constellix
csf -a 139.162.121.51 JPTYO-MON2-constellix
csf -a 139.162.111.217 JPTYO-MON1-constellix
csf -a 37.247.49.124 ITMIL-MON2-constellix
csf -a 37.247.53.67 ITMIL-MON1-constellix
csf -a 169.38.75.34 INMAA-MON2-constellix
csf -a 169.38.75.36 INMAA-MON1-constellix
csf -a 119.81.149.101 HKHKG-MON2-constellix
csf -a 119.81.149.98 HKHKG-MON1-constellix
csf -a 139.59.178.83 GBLON-MON2-constellix
csf -a 178.62.112.179 GBLON-MON1-constellix
csf -a 151.80.183.172 FRPAR-MON2-constellix
csf -a 188.165.95.156 FRPAR-MON1-constellix
csf -a 185.134.30.215 DKCPH-MON2-constellix
csf -a 77.66.12.141 DKCPH-MON1-constellix
csf -a 139.162.187.35 DEFRA-MON2-constellix
csf -a 139.162.172.30 DEFRA-MON1-constellix
csf -a 139.162.172.30 DEFRA-MON1-constellix
csf -a 138.197.136.228 CATOR-MON2-constellix
csf -a 138.197.136.227 CATOR-MON1-constellix
csf -a 163.47.20.159 AUSYD-MON2-constellix
csf -a 103.25.58.42 AUSYD-MON1-constellix
csf -a 149.154.153.136 ATVIE-MON2-constellix
csf -a 149.154.152.196 ATVIE-MON1-constellix

Deny banning IPs

CSF Firewall can ban or deny ip addresses using SSH telnet and command where xxx.xxx.xxx.xxx is IP address:

csf -d xxx.xxx.xxx.xxx

Or you can edit deny list at /etc/csf/csf.deny

How to whitelist ISP Dynamic IP Address in CSF Firewall?

You can use a service like noip.com or DNSExit.com to get a free dynamic subdomain hostname and set that up to be whitelisted by CSF Firewall.

step 1. Sign up for free dynamic dns subdomain hostname with DNSExit Free Dynamic DNS services for Dynamic IP i.e. yourhostname.publicvm.com

step 2. Log into your VPS or dedicated servers and on SSH command line type the following lines. Remember to change the first DYNDNSHOST variable to your own hostname created from step 1 above.

DYNDNSHOST=yourhostname.publicvm.com

Once changed, type the following in SSH window as root user. Note, Centmin Mod 1.2.3-eva2000.08+ and higher has been updated already with DYNDNS=300 and DYNDNS_IGNORE=1 settings for csf.conf

To add your DYNDNSHOST=yourhostname.publicvm.com variable to /etc/csf/csf.dyndns

DYNDNSHOST=yourhostname.publicvm.com
echo "$DYNDNSHOST" >> /etc/csf/csf.dyndns;
csf -r;
tail -2 /etc/csf/csf.dyndns;

Setup settings if on Centmin Mod 1.2.3-eva2000.07 and older only.

sed -i 's/DYNDNS = \"0\"/DYNDNS = \"300\"/' /etc/csf/csf.conf;
sed -i 's/DYNDNS_IGNORE = \"0\"/DYNDNS_IGNORE = \"1\"/' /etc/csf/csf.conf;
csf -r;
egrep '^DYNDNS|^DYNDNS_IGNORE' /etc/csf/csf.conf;

step 3. Download and install DNS Update client from Dynamic DNS IP Update Clients - ipUpdaters on your local PC so it auto updates your dynamically assigned IP address from your ISP. DNSExit also offer url API to update the IP manually too

.

How to update CSF Firewall?

CSF Firewall by default auto updates itself on Centmin Mod installs. You can manually update CSF Firewall via the command below:

csf -u

Restarting CSF Firewall?

CSF Firewall can be restarted via the command below which will output all the iptable rules set etc which is normal:

csf -r

Login Failure Daemon (lfd)

CSF isn't just a firewall but includes a Login Failure Daemon (lfd). Straight from CSF readme file:

To complement the ConfigServer Firewall, we have developed a daemon process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time.

Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly. Other similar products run every x minutes via cron and as such often miss break-in attempts until after they've finished, our daemon eliminates such long waits and makes it much more effective at performing its task.

There are an array of extensive checks that lfd can perform to help alert the server administrator of changes to the server, potential problems and possible compromises.

Login Failure Daemon (lfd) Principles

One of the best ways to protect the server from inbound attack against network daemons is to monitor their authentication logs. Invalid login attempts which happen in a short space of time from the same source can often mean someone is attempting to brute-force their way into the server, usually by guessing usernames and passwords and therefore generating authentication and login failures.

lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.

Once the number of failed login attempts is reached, lfd immediately forks a sub-process and uses csf to block the offending IP address from both in and outgoing connections. Stopping the attack in its tracks in a quick and timely manner. Other applications that use cron job timings to run usually completely miss brute force attacks as they run usually every 5 minutes or by which time the attack could be over, or simply biding its time. In the meantime lfd will have block the offenders IP address.

By running the block and alert email actions in a sub-process, the main daemon can continue monitoring the logs without delay.

If you want to know when lfd blocks an IP address you can enable the email alert (which is on by default) and you should watch the log file in /var/log/lfd.log. If you use logcheck, you can add it to your log monitoring by editing logcheck.sh and adding the line:

$LOGTAIL /var/log/lfd.log >> $TMPDIR/check.$$      

How to backup & restore CSF Firewall configuration profiles

With Centmin Mod 123.09beta01 and newer, the initial Centmin Mod installations also automatically does a CSF Firewall configuration backups of the initial CSF Firewall configuration after initial. This allows you to restore the CSF Firewall configuration back to the version which existed after Centmin Mod initial install. This is useful if you mess up your CSF Firewall configuration when you manually mess with it's configuration file at /etc/csf/csf.conf etc.

To backup CSF firewall's current configuration profile run command where backup-name is name of your back which will have auto appended a date timestamp prefix in front when running csf --profile list command

csf --profile backup-name

To restore original CSF firewall backup profile, run commands to list backup profiles, then restore specific named backup profile, restart CSF Firewall+LFD services, and finally update CSF Firewall

csf --profile list
csf --profile restore 1547784956_cmm_after_whitelist
csf -ra
csf -u

profile list will list csf profile backups look for listing name containing cmm_after_whitelist with date timestamp prefix in front i.e. date timestamp prefix backup profile named 1547784956_cmm_after_whitelist

example csf --profile list output

csf --profile list

Configuration Profiles
======================
block_all_perm
block_all_temp
disable_alerts
protection_high
protection_low
protection_medium
reset_to_defaults

Configuration Backups
=====================
1547784956_cmm_after_whitelist (Fri Jan 18 04:15:56 2019)
1547784954_cmm_b4_whitelist (Fri Jan 18 04:15:54 2019)
1547784920_cmm_b4_shodan_block (Fri Jan 18 04:15:20 2019)
1547784919_cmm_b4_censys_block (Fri Jan 18 04:15:19 2019)
1547784918_cmm_default_tweaked (Fri Jan 18 04:15:18 2019)
1547784917_cmm_before_ptload_action (Fri Jan 18 04:15:17 2019)
1547784915_initial_default (Fri Jan 18 04:15:15 2019)
1547784914_pre_v12_09_upgrade (Fri Jan 18 04:15:14 2019)

CSF Documentation Links