Tag: csf firewall

  • How to whitelist a hostname in CSF firewall

    Firewalls usually allow or block IP addresses. If you need to allow a hostname, you need to find its IP address and whitelist that IP address. If you use a dynamic DNS service like noip or dyndns, the IP address of your hostname changes whenever your internet provider assigns you a new IP address.

    ConfigServer Security and Firewall (CSF) supports dynamic DNS. This feature can be used to whitelist normal hostnames too.

    To allow a hostname, log in to your server using SSH.

    Edit the file

    vi /etc/csf/csf.dyndns

    In this file, you can add your hostname to the whitelist.

    In the CSF config file, you need to make the following changes.

    vi /etc/csf/csf.conf

    Set value for DYNDNS

    DYNDNS = "600"

    This will tell the CSF firewall to check for the IP address of whitelisted hostnames every 10 minutes. You can change this as needed.

    DYNDNS_IGNORE = "1"

    By setting the value of DYNDNS_IGNORE to 1, the CSF firewall will never block these IP addresses even if there are failed login attempts or too many connections.

    Restart lfd

    systemctl restart lfd

  • How to run docker with csf firewall

    When running Docker on a server with CSF firewall, you may face network connection errors because the iptables rules added by Docker get replaced by CSF firewall.

    If your Docker services are exposed only to localhost, which CSF firewall skips by default, you can make CSF skip the docker0 interface as well, so that connections between Docker and localhost are not affected by the firewall. To expose a service to the public, you can use a reverse proxy like Nginx.

    Edit csf.conf

    vi /etc/csf/csf.conf 
    

    Find

    ETH_DEVICE_SKIP = ""
    

    Replace with

    ETH_DEVICE_SKIP = "docker0"
    

    Restart CSF

    csf -r
    

  • csf error path to iptables is either not set or incorrect

    When installing CSF firewall on Ubuntu 20.04, I get the following error

    root@ok:~# csf
    *Error* The path to iptables is either not set or incorrect for IPTABLES [/usr/sbin/ip6tables] in /etc/csf/csf.conf at /usr/local/csf/lib/ConfigServer/URLGet.pm line 26.
    Compilation failed in require at /usr/sbin/csf line 21.
    BEGIN failed--compilation aborted at /usr/sbin/csf line 21.
    root@ok:~#
    

    This is because the path to iptables changed in Ubuntu 20.04. To fix the error, edit csf.conf

    vi /etc/csf/csf.conf
    

    Find

    IPTABLES = "/sbin/iptables"
    IPTABLES_SAVE = "/sbin/iptables-save"
    IPTABLES_RESTORE = "/sbin/iptables-restore"
    IP6TABLES = "/sbin/ip6tables"
    IP6TABLES_SAVE = "/sbin/ip6tables-save"
    IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
    

    Replace with

    IPTABLES = "/usr/sbin/iptables"
    IPTABLES_SAVE = "/usr/sbin/iptables-save"
    IPTABLES_RESTORE = "/usr/sbin/iptables-restore"
    IP6TABLES = "/usr/sbin/ip6tables"
    IP6TABLES_SAVE = "/usr/sbin/ip6tables-save"
    IP6TABLES_RESTORE = "/usr/sbin/ip6tables-restore"
    

    Now restart CSF with csf -r and it will work.

    csf -r
    systemctl restart lfd
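
The path check behind this fix can be scripted. The following is an added example, not part of the original post or of CSF: it reads the six iptables settings from a csf.conf-style file, reports which ones do not point at an executable, and proposes the directory where the binary actually lives. `SEARCH_DIRS`, the function names and the demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of CSF: verify the iptables paths in a csf.conf-style file.
# SEARCH_DIRS and the function names are assumptions of this example, not CSF settings.
SEARCH_DIRS="${SEARCH_DIRS:-/usr/sbin /sbin /usr/bin /bin}"
KEYS="IPTABLES IPTABLES_SAVE IPTABLES_RESTORE IP6TABLES IP6TABLES_SAVE IP6TABLES_RESTORE"

# Print the quoted value of key $2 from file $1 (lines of the form KEY = "value").
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# One line per key: "KEY ok PATH", "KEY fix OLD NEW" or "KEY missing OLD".
# Returns non-zero when at least one configured path is not an executable file.
check_csf_paths() {
    conf=$1; rc=0
    for key in $KEYS; do
        cur=$(conf_value "$conf" "$key")
        if [ -n "$cur" ] && [ -f "$cur" ] && [ -x "$cur" ]; then
            echo "$key ok $cur"; continue
        fi
        rc=1; found=""
        for dir in $SEARCH_DIRS; do
            # Look for a binary with the same file name in each candidate directory.
            if [ -n "$cur" ] && [ -x "$dir/${cur##*/}" ]; then
                found="$dir/${cur##*/}"; break
            fi
        done
        if [ -n "$found" ]; then echo "$key fix $cur $found"
        else echo "$key missing ${cur:-unset}"; fi
    done
    return "$rc"
}

# Demo on constructed input: a config that still uses an old sbin directory,
# and a throwaway directory standing in for /usr/sbin with one binary absent.
demo() (
    tmp=$(mktemp -d); mkdir "$tmp/usr_sbin"
    for key in $KEYS; do
        bin=$(echo "$key" | tr 'A-Z_' 'a-z-')      # IPTABLES_SAVE -> iptables-save
        echo "$key = \"$tmp/sbin/$bin\"" >> "$tmp/csf.conf"
        [ "$key" = IP6TABLES_RESTORE ] && continue  # leave this binary missing
        : > "$tmp/usr_sbin/$bin"; chmod +x "$tmp/usr_sbin/$bin"
    done
    SEARCH_DIRS="$tmp/usr_sbin"
    check_csf_paths "$tmp/csf.conf" || echo "csf.conf needs editing"
    rm -rf "$tmp"
)

demo
```

To check a real install, source the file and run `check_csf_paths /etc/csf/csf.conf`; a "missing" line means the binary was not found in any search directory, so the package itself may not be installed.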
    

  • How to Block a Country in CSF firewall

    To block all traffic from a country in CSF Firewall, edit the file /etc/csf/csf.conf

    vi /etc/csf/csf.conf
    

    Find the line

    CC_DENY = ""
    

    In this line, you can add two-letter country codes. For example, to block China and Russia, add

    CC_DENY = "CN,RU"
    

    Now you need to restart the firewall with the commands

    systemctl restart lfd
    csf -r