CSF Shell Command
Config Server Firewall (CSF) is a free and advanced firewall for most Linux distributions and Linux based VPS. In addition to the basic functionality of a firewall – filtering packets – CSF includes other security features, such as login/intrusion/flood detections. CSF includes UI integration for cPanel, DirectAdmin and Webmin, but this tutorial only covers the command line usage. CSF is able to recognize many attacks, such as port scans, SYN floods, and login brute force attacks on many services. It is configured to temporarily block clients who are detected to be attacking the cloud server.
Here are some helpful shell commands.
| Command | Extended Command | Description | Example |
|---|---|---|---|
| csf -h | –help | Show this message | root@server[~]#csf -h |
| csf -r | –restart | Restart firewall rules | root@server[~]#csf -r |
| csf -d [IP.add.re.ss] [comment] | –deny ip | Deny an IP and add to /etc/csf.deny | root@server[~]#csf -d 11.22.33.44 Blocked This Guy |
| csf -dr [IP.add.re.ss] | –denyrm ip | Unblock an IP and remove from /etc/csf.deny | root@server[~]#csf -dr 22.33.44.55 |
| csf -df | –denyf | Remove and unblock all entries in /etc/csf.deny | root@server[~]#csf -df |
| csf -tr [IP.add.re.ss] | –temprm ip | Remove an IP from the temporary IP ban or allow list. | root@server[~]#csf -tr 55.66.77.88 |
| csf -td | –tempdeny ip ttl [-p port] [-d direction] | Add an IP to the temp IP ban list. ttl is how long to blocks for (default:seconds, can use one suffix of h/m/d). | root@server[~]#csf -t |
| csf -a [IP.add.re.ss] [comment] | –add ip | Allow an IP and add to /etc/csf.allow | root@server[~]#csf -a 33.44.55.66 Home IP Address |
| csf -tf | –tempf | Flush all IPs from the temporary IP entries | root@server[~]#csf -tf |
| csf -g [IP.add.re.ss] | –grep ip | Search the iptables rules for an IP match (incl. CIDR) | root@server[~]#csf -g 44.55.66.77 |
| csf -v | –version | Show csf version | root@server[~]#csf -v |
| csf -u | –update | Check for updates to csf and upgrade if available | root@server[~]#csf -u |
| csf -l | –status | List/Show iptables configuration | |
| csf -l6 | –status6 | List/Show ip6tables configuration | |
| csf -s | –start | Start firewall rules | |
| csf -f | –stop | Flush/Stop firewall rules (Note: lfd may restart csf) | |
| csf -q | –startq | Quick restart (csf restarted by lfd) | |
| csf -sf | –startf | Force CLI restart regardless of LFDSTART setting | |
| csf -ar | –addrm ip | Remove an IP from /etc/csf.allow and delete rule | |
| csf -t | –temp | Displays the current list of temp IP entries and their TTLOptional port. Optional direction of block can be one of: in, out or inout (default:in) | |
| csf -ta | –tempallow ip, ttl [-p port] [-d direction] | Add an IP to the temp IP allow list (default:inout) | |
| csf -cp | –cping | PING all members in an lfd Cluster | |
| csf -cd | –cdeny ip | Deny an IP in a Cluster and add to /etc/csf.deny | |
| csf -ca | –callow ip | Allow an IP in a Cluster and add to /etc/csf.allow | |
| csf -cr | –crm ip | Unblock an IP in a Cluster and remove from /etc/csf.deny | |
| csf -cc | –cconfig [name] [value] | Change configuration option [name] to [value] in a Cluster | |
| csf -cf | –cfile [file] | Send [file] in a Cluster to /etc/csf/ | |
| csf -crs | –crestart | Cluster restart csf and lfd | |
| csf -w | –watch ip | Log SYN packets for an IP across iptables chains | |
| csf -m | –mail [addr} | Display Server Check in HTML or email to [addr] if present | |
| csf -lr | –logrun | Initiate Log Scanner report via lfd | |
| csf -c | –check | Check for updates to csf but do not upgrade | |
| csf -uf | Force an update of csf | ||
| csf -x | –disable | Disable csf and lfd | |
| csf -e | –enable | Enable csf and lfd if previously disabled |
