What is CSF Firewall?
CSF Firewall is a suite of scripts which provide firewall security with Stateful Packet Inspection and Login Intrusion detection. All documentation is linked below. CSF also has GUI Web Interface Integration for cPanel, DirectAdmin and Webmin. However, for Centmin Mod installs, CSF is non-GUI based.
CSF Firewall is installed by default as of Centmin Mod v1.2.3+. With Centmin Mod 1.2.3-eva2000.08 and higher, CSF Firewall also auto detects whether your server environment supports IPSET and enables CSF Firewall's IPSET support to allow more efficient handling of large numbers of IP addresses. IPSET isn't supported by OpenVZ virtualization, so it is only available on dedicated barebones servers and on Xen and KVM based virtualized environments. It's highly recommended that CSF Firewall is installed on your CentOS server.
CSF Firewall interfaces with iptables and makes it much easier to manage compared to iptables (see CSF Documentation Links below). The main CSF Firewall config file is located at /etc/csf/csf.conf where you can also define which TCP and UDP ports to allow IN or OUT of the server.
If CSF Firewall is blocking legit visitors to your site, check out Official FAQ items 40 & 41 for further clues.
Unblocking Your ISP IP
If for whatever reason your own ISP IP address gets blocked in CSF Firewall, you may be able to unblock yourself if your web host offers a KVM/console out of band feature. DigitalOcean Console and SolusVM based VPS hosts have console access (example), Linode has Lish, and dedicated servers may come with KVM/IPMI console access. Use the console access to log back into your server via SSH and check whether your ISP IP address has been blocked by grepping CSF Firewall's IPs:
csf -g ISPIPADDRESS
Example output for blocked IP 119.249.54.86, blocked due to failed SSH login attacks:
csf -g 119.249.54.86
Chain num pkts bytes target prot opt in out source destination
No matches found for 119.249.54.86 in iptables
IPSET: Set:chain_DENY Match:119.249.54.86 Setting: File:/etc/csf/csf.deny
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 119.249.54.86 in ip6tables
csf.deny: 119.249.54.86 # lfd: (sshd) Failed SSH login from 119.249.54.86 (CN/China/-): 5 in the last 3600 secs - Sat Sep 10 04:56:25 2016
To remove your ISP IP address from the CSF Firewall block, there are 2 methods. The first is manually editing /etc/csf/csf.deny to remove the ISP IP and restarting CSF Firewall. The second method is using the command:
csf -dr ISPIPADDRESS
Whitelist Ports
The CSF Firewall configuration file at /etc/csf/csf.conf has a list of predefined white listed ports for TCP, TCP6, UDP and UDP6 in comma separated format. You can edit, add or remove ports you require and then restart CSF Firewall service for it to take effect.
In SSH you can type this command to have a quick overview of existing ports for the respective variables.
egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
Output will be a comma separated list of port numbers that are white listed by CSF Firewall
TCP_IN =
TCP_OUT =
UDP_IN =
UDP_OUT =
TCP6_IN =
TCP6_OUT =
UDP6_IN =
UDP6_OUT =
You can also whitelist ports for specific source and/or destination IP addresses only. For example, if you need to set up portmapper/RPC (port 111) and an NFS share (port 2049) on TCP and UDP, you can add/append the following to /etc/csf/csf.allow, where source and destination IP = 11.22.33.44, which could be a public or private IP.
tcp|in|d=111|s=11.22.33.44
tcp|in|d=2049|s=11.22.33.44
tcp|out|d=111|d=11.22.33.44
tcp|out|d=2049|d=11.22.33.44
udp|in|d=111|s=11.22.33.44
udp|in|d=2049|s=11.22.33.44
udp|out|d=111|d=11.22.33.44
udp|out|d=2049|d=11.22.33.44
Or if you need to set up a remote Memcached server (port 11211) or a remote PHP-FPM server (port 9000) on TCP, you can add/append the following to /etc/csf/csf.allow, where source and destination IP = 11.22.33.44, which could be a public or private IP.
tcp|in|d=11211|s=11.22.33.44
tcp|in|d=9000|s=11.22.33.44
tcp|out|d=11211|d=11.22.33.44
tcp|out|d=9000|d=11.22.33.44
then restart CSF Firewall
csf -r
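The two csf.allow listings above follow one pattern: an inbound line per port with the peer as source, and an outbound line per port with the peer as destination. As an added example (not part of the original page or of CSF; the function names csf_peer_rules and csf_allow_append are hypothetical), this script generates those lines for any protocol and port list and appends only the ones a file does not already contain:

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Builds csf.allow advanced-filter lines in the tcp/udp|in/out|d=port|s/d=ip
# form shown above for one peer, validating every argument before any output.

csf_peer_rules() {    # usage: csf_peer_rules PEER_IP "PROTOS" "PORTS"
  case $1 in
    ''|*[!0-9A-Fa-f:./]*) echo "bad peer address: $1" >&2; return 2 ;;
  esac
  for proto in $2; do
    case $proto in
      tcp|udp) ;;
      *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
  done
  for port in $3; do
    case $port in
      ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "bad port: $port" >&2; return 2
    fi
  done
  # Same order as the listings above: protocol, then direction, then port.
  for proto in $2; do
    for dir in in out; do
      for port in $3; do
        if [ "$dir" = in ]; then
          printf '%s|in|d=%s|s=%s\n' "$proto" "$port" "$1"    # peer is the source
        else
          printf '%s|out|d=%s|d=%s\n' "$proto" "$port" "$1"   # peer is the destination
        fi
      done
    done
  done
}

# Append rules read from stdin to FILE, skipping lines already present,
# and print how many lines were added.
csf_allow_append() {  # usage: csf_allow_append FILE
  added=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    if ! grep -qxF -e "$rule" "$1" 2>/dev/null; then
      printf '%s\n' "$rule" >> "$1"
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# Prints the eight portmapper/NFS lines from the listing above.
csf_peer_rules 11.22.33.44 "tcp udp" "111 2049"
```

On a server the output would be piped into csf_allow_append /etc/csf/csf.allow and followed by csf -r.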
Whitelist allowing IPs
CSF Firewall can allow or whitelist IP addresses using the following command in an SSH session, where xxx.xxx.xxx.xxx is the IP address:
csf -a xxx.xxx.xxx.xxx
You can also add comments to whitelist entries
csf -a xxx.xxx.xxx.xxx comment
You can also have CSF's lfd (Login Failure Daemon) ignore an IP address entirely by appending that IP address (xxx.xxx.xxx.xxx) on a single line in /etc/csf/csf.ignore:
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be ignored by all lfd checks
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
127.0.0.1
xxx.xxx.xxx.xxx
If you need to whitelist a dynamic IP address, you would need to use a dynamic DNS service provider like noip.com or dnsexit.com to create a hostname that points to your dynamic IP address, and then use a provided client to automatically or manually update that hostname's assigned dynamic IP address when it is changed at your ISP level. You will then need to enable CSF Firewall's Dynamic DNS support options outlined on the forums here or further down this page here.
If you have problems using SCP, SFTP, rsync, or other commands trying to connect to or from a remote server to your Centmin Mod server, you will need to whitelist the remote server's IP address as per the above command. A common situation would be connecting to a remote MySQL server, for which you need to whitelist the remote MySQL server's IP address as well as edit /etc/csf/csf.conf to add the default MySQL port 3306 to TCP_OUT. Then restart the CSF Firewall service.
If you use third party SMTP services, you also need to add the appropriate ports to TCP_OUT listing within /etc/csf/csf.conf. Then restart CSF firewall service. Full example outlined on Centmin Mod Community forums.
If you use the UptimeRobot monitoring service, you will need to whitelist the remote server's IP addresses as per the above command.
UptimeRobot maintains a list of current IP addresses, which you can find here. You can easily generate a CSF Firewall whitelist using this command on your server:
curl -s https://uptimerobot.com/inc/files/ips/IPv4andIPv6.txt | while read i; do echo "csf -a ${i}"; done
Which will output a list of CSF whitelisting commands you can run.
If you use monitoring services such as Pingdom.com or NodePing.com, you will need to whitelist the remote server's IP address as per above command.
For NodePing.com, these are the IP addresses and commands that need to be run:
NodePing maintains a list of current IP addresses, which you can find here. You can easily generate a CSF Firewall whitelist using these 2 commands on your server:
IPv4 only IPs
wget -O nodeping.txt https://nodeping.com/content/txt/pinghosts.txt
awk '{print "csf -a",$2, $1}' nodeping.txt | sort -r | grep -v ':'
IPv6 only IPs
wget -O nodeping.txt https://nodeping.com/content/txt/pinghosts.txt
awk '{print "csf -a",$2, $1}' nodeping.txt | sort -r | grep ':'
For the HetrixTools.com Uptime Monitor, these are the IP addresses and commands that need to be run:
HetrixTools maintains a list of current IP addresses, which you can find here. You can easily generate a CSF Firewall whitelist using these 2 commands on your server:
wget -O hetrixtools.txt https://hetrixtools.com/resources/uptime-monitor-ips.txt
awk '{print "csf -a",$2, $1}' hetrixtools.txt | sort -r
For MailChimp.com to whitelist their listed IPs:
csf -a 72.26.195.64/27 mailchimp
csf -a 74.63.47.96/27 mailchimp
csf -a 173.231.138.192/27 mailchimp
csf -a 173.231.139.0/24 mailchimp
csf -a 173.231.176.0/21 mailchimp
csf -a 173.231.184.0/21 mailchimp
csf -a 205.201.128.0/20 mailchimp
csf -a 198.2.128.0/18 mailchimp
For Newrelic users, whitelist the following IPs:
csf -a 50.31.164.0/24 newrelic
csf -a 162.247.240.0/22 newrelic
csf -a 54.252.114.170 newrelic
csf -a 54.252.114.169 newrelic
csf -a 54.251.34.67 newrelic
csf -a 54.251.109.246 newrelic
csf -a 54.248.250.232 newrelic
csf -a 54.248.225.67 newrelic
csf -a 54.247.188.179 newrelic
csf -a 54.241.22.142 newrelic
csf -a 54.232.123.139 newrelic
csf -a 54.228.244.177 newrelic
csf -a 54.214.255.205 newrelic
csf -a 50.31.164.139 newrelic
csf -a 50.18.57.7 newrelic
csf -a 50.16.189.130 newrelic
csf -a 50.112.95.211 newrelic
csf -a 184.73.237.85 newrelic
csf -a 177.71.245.207 newrelic
For CloudFlare IP addresses, full list of IPs available at https://www.cloudflare.com/ips/ and https://support.cloudflare.com/hc/en-us/articles/200169296-How-do-I-whitelist-CloudFlare-s-IPs-in-htaccess-. Check the link regularly for updated IPs.
You can also grab Cloudflare IP address list via Cloudflare API at https://api.cloudflare.com/#cloudflare-ips-properties
(IPv4)
curl -sX GET "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv4_cidrs[]' | sort
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
(IPv6)
curl -sX GET "https://api.cloudflare.com/client/v4/ips" | jq -r '.result.ipv6_cidrs[]' | sort
2400:cb00::/32
2405:8100::/32
2405:b500::/32
2606:4700::/32
2803:f800::/32
2a06:98c0::/29
2c0f:f248::/32
Whitelist Cloudflare IPs in CSF Firewall using the -a flag:
(IPv4)
csf -a 173.245.48.0/20 cloudflare
csf -a 103.21.244.0/22 cloudflare
csf -a 103.22.200.0/22 cloudflare
csf -a 103.31.4.0/22 cloudflare
csf -a 141.101.64.0/18 cloudflare
csf -a 108.162.192.0/18 cloudflare
csf -a 190.93.240.0/20 cloudflare
csf -a 188.114.96.0/20 cloudflare
csf -a 197.234.240.0/22 cloudflare
csf -a 198.41.128.0/17 cloudflare
csf -a 162.158.0.0/15 cloudflare
csf -a 104.16.0.0/12 cloudflare
csf -a 172.64.0.0/13 cloudflare
csf -a 131.0.72.0/22 cloudflare
(IPv6)
csf -a 2400:cb00::/32 cloudflare
csf -a 2606:4700::/32 cloudflare
csf -a 2803:f800::/32 cloudflare
csf -a 2405:b500::/32 cloudflare
csf -a 2405:8100::/32 cloudflare
csf -a 2a06:98c0::/29 cloudflare
csf -a 2c0f:f248::/32 cloudflare
For Incapsula IP addresses, full list of IPs available at https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-. Check the link regularly for updated IPs.
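Incapsula IPs can also be retrieved in preset formats via their API. Note that the -k flag used in these commands tells curl to skip TLS certificate verification; leave it out when the certificate validates, since the response is fed into the firewall allow list.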
curl -k -s --data "resp_format=json" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=apache" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips
curl -k -s --data "resp_format=iptables" https://my.incapsula.com/api/integration/v1/ips
Nginx format:
curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 192.230.64.0/18;
allow 45.64.64.0/22;
allow 107.154.0.0/16;
allow 45.60.0.0/16;
allow 45.223.0.0/16;
allow 2a02:e980::/29;
Which you can pipe through sed and awk to get CSF Firewall format whitelist commands
curl -k -s --data "resp_format=nginx" https://my.incapsula.com/api/integration/v1/ips | sed -e 's|;||g' | awk '{print "csf -a",$2,"incapsula"}'
Resulting output:
csf -a 199.83.128.0/21 incapsula
csf -a 198.143.32.0/19 incapsula
csf -a 149.126.72.0/21 incapsula
csf -a 103.28.248.0/22 incapsula
csf -a 185.11.124.0/22 incapsula
csf -a 192.230.64.0/18 incapsula
csf -a 45.64.64.0/22 incapsula
csf -a 107.154.0.0/16 incapsula
csf -a 45.60.0.0/16 incapsula
csf -a 45.223.0.0/16 incapsula
csf -a 2a02:e980::/29 incapsula
Or you can edit the allow list at /etc/csf/csf.allow. Contents of an example csf.allow file:
###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
173.255.243.111 # pinghostca.nodeping.com - Thu Jul 25 22:56:44 2013
204.11.60.100 # pinghosttx.nodeping.com - Thu Jul 25 22:56:44 2013
192.30.32.170 # pinghostga.nodeping.com - Thu Jul 25 22:56:44 2013
108.61.56.241 # pinghostnj.nodeping.com - Thu Jul 25 22:56:44 2013
89.32.145.126 # pinghostld.nodeping.com - Thu Jul 25 22:56:45 2013
46.249.33.15 # pinghostnl.nodeping.com - Thu Jul 25 22:56:45 2013
78.47.40.108 # pinghostde.nodeping.com - Thu Jul 25 22:56:45 2013
89.45.249.16 # pinghostro.nodeping.com - Thu Jul 25 22:56:45 2013
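The UptimeRobot and Cloudflare pipelines above turn whatever the remote list contains into csf -a commands. As an added example (not from the original page; the function name feed_to_csf_allow, its label argument and the minimum prefix lengths /8 and /16 are assumptions), this filter reads a one-entry-per-line feed and emits a command only for lines that parse as an IPv4/IPv6 address or CIDR, so a malformed or overly broad entry never reaches the allow list:

```sh
#!/bin/sh
# Added example, not from the original page. Names and limits are assumptions.
# Reads a provider IP feed on stdin (one address or CIDR per line) and prints
# "csf -a ENTRY LABEL" for each valid, unique entry. Rejected lines are
# reported on stderr by line number only.

feed_to_csf_allow() {   # usage: feed_to_csf_allow LABEL < feed.txt
  case $1 in
    ''|*[!A-Za-z0-9._-]*) echo "label must match [A-Za-z0-9._-]+" >&2; return 2 ;;
  esac
  tr -d '\r' | awk -v label="$1" -v min4=8 -v min6=16 '
    function valid4(a,    o, n, i) {
      n = split(a, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) return 0
      return 1
    }
    function valid6(a,    g, n, i, used, tmp, gaps) {
      if (a !~ /^[0-9A-Fa-f:]+$/ || a ~ /:::/) return 0
      if (a ~ /^:[^:]/ || a ~ /[^:]:$/) return 0    # lone leading or trailing colon
      tmp = a; gaps = gsub(/::/, "", tmp)           # "::" may appear once at most
      if (gaps > 1) return 0
      n = split(a, g, ":"); used = 0
      for (i = 1; i <= n; i++) {
        if (length(g[i]) > 4) return 0
        if (g[i] != "") used++
      }
      if (gaps == 1) return (used >= 1 && used <= 7)
      return (used == 8)
    }
    {
      line = $0
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      if (line == "" || line ~ /^#/) next
      addr = line; plen = ""; slash = index(line, "/")
      if (slash) { addr = substr(line, 1, slash - 1); plen = substr(line, slash + 1) }
      v6 = (index(addr, ":") > 0)
      ok = v6 ? valid6(addr) : valid4(addr)
      # A prefix must be numeric, within range, and no wider than the floor.
      if (ok && slash)
        ok = (plen ~ /^[0-9]+$/ && length(plen) <= 3 &&
              plen + 0 <= (v6 ? 128 : 32) &&
              plen + 0 >= (v6 ? min6 : min4) + 0)
      if (!ok) { printf "rejected feed line %d\n", NR > "/dev/stderr"; next }
      if (!(line in seen)) { seen[line] = 1; print "csf -a", line, label }
    }'
}

# Constructed sample feed (documentation address ranges, CRLF line endings).
sample_feed() {
  printf '%s\r\n' \
    '# constructed sample feed' \
    '192.0.2.10' \
    '198.51.100.0/24' \
    '2001:db8:107::3' \
    '2001:db8::/32' \
    '0.0.0.0/0' \
    '203.0.113.999' \
    '192.0.2.10' \
    '203.0.113.7 extra-token' \
    ''
}

sample_feed | feed_to_csf_allow monitor
```

With a live feed, the same function sits where the while read loop does: curl -s URL | feed_to_csf_allow uptimerobot.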
For Constellix monitoring:
Deny banning IPs
CSF Firewall can ban or deny IP addresses using the following command in an SSH session, where xxx.xxx.xxx.xxx is the IP address:
csf -d xxx.xxx.xxx.xxx
Or you can edit deny list at /etc/csf/csf.deny
How to whitelist ISP Dynamic IP Address in CSF Firewall?
You can use a service like noip.com or DNSExit.com to get a free dynamic subdomain hostname and set that up to be whitelisted by CSF Firewall.
step 1. Sign up for free dynamic dns subdomain hostname with DNSExit Free Dynamic DNS services for Dynamic IP i.e. yourhostname.publicvm.com
step 2. Log into your VPS or dedicated servers and on SSH command line type the following lines. Remember to change the first DYNDNSHOST variable to your own hostname created from step 1 above.
DYNDNSHOST=yourhostname.publicvm.com
Once changed, type the following in SSH window as root user. Note, Centmin Mod 1.2.3-eva2000.08+ and higher has been updated already with DYNDNS=300 and DYNDNS_IGNORE=1 settings for csf.conf
To add your DYNDNSHOST=yourhostname.publicvm.com variable to /etc/csf/csf.dyndns
DYNDNSHOST=yourhostname.publicvm.com
echo "$DYNDNSHOST" >> /etc/csf/csf.dyndns; csf -r; tail -2 /etc/csf/csf.dyndns;
Setup settings if on Centmin Mod 1.2.3-eva2000.07 and older only.
sed -i 's/DYNDNS = \"0\"/DYNDNS = \"300\"/' /etc/csf/csf.conf
sed -i 's/DYNDNS_IGNORE = \"0\"/DYNDNS_IGNORE = \"1\"/' /etc/csf/csf.conf
csf -r
egrep '^DYNDNS|^DYNDNS_IGNORE' /etc/csf/csf.conf
step 3. Download and install a DNS update client from Dynamic DNS IP Update Clients - ipUpdaters on your local PC so it auto updates your dynamically assigned IP address from your ISP. DNSExit also offers a URL API to update the IP manually too.
How to update CSF Firewall?
CSF Firewall by default auto updates itself on Centmin Mod installs. You can manually update CSF Firewall via the command below:
csf -u
Restarting CSF Firewall?
CSF Firewall can be restarted via the command below. It outputs all the iptables rules being set, which is normal:
csf -r
Login Failure Daemon (lfd)
CSF isn't just a firewall but includes a Login Failure Daemon (lfd). Straight from CSF readme file:
To complement the ConfigServer Firewall, we have developed a daemon process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time.
Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly. Other similar products run every x minutes via cron and as such often miss break-in attempts until after they've finished, our daemon eliminates such long waits and makes it much more effective at performing its task.
There are an array of extensive checks that lfd can perform to help alert the server administrator of changes to the server, potential problems and possible compromises.
Login Failure Daemon (lfd) Principles
One of the best ways to protect the server from inbound attack against network daemons is to monitor their authentication logs. Invalid login attempts which happen in a short space of time from the same source can often mean someone is attempting to brute-force their way into the server, usually by guessing usernames and passwords and therefore generating authentication and login failures.
lfd can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, lfd is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.
Once the number of failed login attempts is reached, lfd immediately forks a sub-process and uses csf to block the offending IP address from both in and outgoing connections. Stopping the attack in its tracks in a quick and timely manner. Other applications that use cron job timings to run usually completely miss brute force attacks as they usually run every 5 minutes, by which time the attack could be over, or simply biding its time. In the meantime lfd will have blocked the offender's IP address.
By running the block and alert email actions in a sub-process, the main daemon can continue monitoring the logs without delay.
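The counting that lfd is described as doing above, failures per source address across protocols within a time window, can be shown over a few log lines. This is an added example, not lfd's code: the log lines are constructed, the sshd and pure-ftpd message patterns and the function name lfd_style_blocks are assumptions, and the limit and window (5 failures in 3600 seconds) follow the csf.deny entry shown earlier on this page.

```sh
#!/bin/sh
# Added example, not lfd itself. Counts login failures per source IP across
# services inside a sliding window and reports the moment the limit is hit.

lfd_style_blocks() {   # usage: lfd_style_blocks LIMIT WINDOW_SECS < logfile
  awk -v limit="$1" -v window="$2" '
    BEGIN {
      limit += 0; window += 0
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
      split("31 28 31 30 31 30 31 31 30 31 30 31", mlen, " ")
      days = 0
      for (i = 1; i <= 12; i++) { before[mon[i]] = days; days += mlen[i] }
    }
    # Seconds since 1 Jan; syslog lines carry no year (assumes a non-leap year).
    function secs(m, d, hms,    p) {
      split(hms, p, ":")
      return (before[m] + d - 1) * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    {
      ip = ""; svc = ""
      # Anchored at end of line so the address is read from the fixed tail
      # of the message, not from the username field.
      if ($0 ~ /sshd\[[0-9]+\]: Failed password for / &&
          match($0, / from [0-9A-Fa-f:.]+ port [0-9]+ ssh2$/)) {
        rest = substr($0, RSTART + 6)
        ip = substr(rest, 1, index(rest, " port ") - 1); svc = "sshd"
      } else if (match($0, /pure-ftpd: \(\?@[0-9A-Fa-f:.]+\) \[WARNING\] Authentication failed/)) {
        rest = substr($0, RSTART)
        at_pos = index(rest, "@")
        ip = substr(rest, at_pos + 1, index(rest, ")") - at_pos - 1); svc = "pure-ftpd"
      }
      if (ip == "" || (ip in blocked)) next
      if (!(ip in head)) { head[ip] = 0; tail[ip] = 0 }
      t = secs($1, $2, $3)
      # Drop failures that have aged out of the window, then record this one.
      while (head[ip] < tail[ip] && t - at[ip, head[ip]] >= window) head[ip]++
      at[ip, tail[ip]] = t; via[ip, tail[ip]] = svc; tail[ip]++
      if (tail[ip] - head[ip] < limit) next
      blocked[ip] = 1; list = ""; sep = ""
      for (i = head[ip]; i < tail[ip]; i++)
        if (!((ip, via[ip, i]) in listed)) {
          listed[ip, via[ip, i]] = 1; list = list sep via[ip, i]; sep = ","
        }
      printf "%s failures=%d window=%ds services=%s at=%s %s %s\n",
             ip, tail[ip] - head[ip], window, list, $1, $2, $3
    }'
}

sample_log() {   # constructed log lines, not taken from a real server
  cat <<'EOF'
Sep 10 00:00:00 host sshd[900]: Failed password for root from 198.51.100.9 port 50000 ssh2
Sep 10 00:20:00 host sshd[901]: Failed password for root from 198.51.100.9 port 50001 ssh2
Sep 10 00:40:00 host sshd[902]: Failed password for root from 198.51.100.9 port 50002 ssh2
Sep 10 01:00:00 host sshd[903]: Failed password for root from 198.51.100.9 port 50003 ssh2
Sep 10 01:20:00 host sshd[904]: Failed password for root from 198.51.100.9 port 50004 ssh2
Sep 10 04:51:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Sep 10 04:52:10 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Sep 10 04:53:30 host pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Sep 10 04:54:00 host sshd[1004]: Accepted password for alice from 192.0.2.20 port 40100 ssh2
Sep 10 04:55:40 host pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Sep 10 04:56:25 host sshd[1006]: Failed password for root from 203.0.113.5 port 40003 ssh2
Sep 10 04:57:00 host sshd[1007]: Failed password for root from 203.0.113.5 port 40004 ssh2
EOF
}

sample_log | lfd_style_blocks 5 3600
```

198.51.100.9 fails five times in the sample but never five times within one hour, so only 203.0.113.5 is reported, with its sshd and pure-ftpd failures counted together.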
If you want to know when lfd blocks an IP address you can enable the email alert (which is on by default) and you should watch the log file in /var/log/lfd.log. If you use logcheck, you can add it to your log monitoring by editing logcheck.sh and adding the line:
$LOGTAIL /var/log/lfd.log >> $TMPDIR/check.$$
How to backup & restore CSF Firewall configuration profiles
With Centmin Mod 123.09beta01 and newer, the initial Centmin Mod installation also automatically backs up the CSF Firewall configuration as it stands after the initial install. This allows you to restore the CSF Firewall configuration back to the version which existed after the Centmin Mod initial install. This is useful if you mess up your CSF Firewall configuration when you manually edit its configuration files such as /etc/csf/csf.conf.
To back up CSF Firewall's current configuration profile, run the command below, where backup-name is the name of your backup. A date timestamp prefix is automatically added in front of the name, as shown by the csf --profile list command.
csf --profile backup backup-name
To restore original CSF firewall backup profile, run commands to list backup profiles, then restore specific named backup profile, restart CSF Firewall+LFD services, and finally update CSF Firewall
csf --profile list
csf --profile restore 1547784956_cmm_after_whitelist
csf -ra
csf -u
csf --profile list lists the CSF profile backups. Look for the listing whose name contains cmm_after_whitelist with a date timestamp prefix in front, i.e. the backup profile named 1547784956_cmm_after_whitelist.
example csf --profile list output
csf --profile list
Configuration Profiles
======================
block_all_perm
block_all_temp
disable_alerts
protection_high
protection_low
protection_medium
reset_to_defaults
Configuration Backups
=====================
1547784956_cmm_after_whitelist (Fri Jan 18 04:15:56 2019)
1547784954_cmm_b4_whitelist (Fri Jan 18 04:15:54 2019)
1547784920_cmm_b4_shodan_block (Fri Jan 18 04:15:20 2019)
1547784919_cmm_b4_censys_block (Fri Jan 18 04:15:19 2019)
1547784918_cmm_default_tweaked (Fri Jan 18 04:15:18 2019)
1547784917_cmm_before_ptload_action (Fri Jan 18 04:15:17 2019)
1547784915_initial_default (Fri Jan 18 04:15:15 2019)
1547784914_pre_v12_09_upgrade (Fri Jan 18 04:15:14 2019)
CSF Documentation Links