
How to whitelist and blacklist an IP using ConfigServer and Firewall (CSF) via Command Line


Introduction

This guide will help you whitelist or blacklist an IP on your server using CSF. Before that, here is a brief introduction to CSF.

ConfigServer and Firewall (CSF) is free firewall software that can be installed to improve the security of your server. There are UI integrations for control panels such as cPanel and DirectAdmin, but this guide focuses on the command line.

With CSF, you can:

  1. restrict public access to certain services on the server
  2. prevent DDoS attacks
  3. whitelist and blacklist IPs

One of the services that comes with CSF is the Login Failure Daemon (LFD). LFD watches for repeated failed login attempts, which are commonly seen in brute-force attacks. If it notices multiple failed login attempts from a specific IP, CSF temporarily blocks that IP from further accessing the server. The ban expires automatically, but you can also remove the block manually.

 

Prerequisites

  • Ensure you have root or appropriate administrative access to your server.
  • CSF must be installed and functioning correctly.
  • Familiarity with SSH and command-line interface operations is required.

 

Overview of CSF Commands

The table below shows the important CSF commands that you should know:

Command                 Description
csf -e                  Enable CSF
csf -x                  Disable CSF
csf -g [IP_ADDRESS]     Search the iptables and ip6tables rules to see whether the IP is allowed or blocked
csf -a [IP_ADDRESS]     Whitelist an IP and add it to /etc/csf/csf.allow
csf -d [IP_ADDRESS]     Blacklist an IP and add it to /etc/csf/csf.deny
csf -tr [IP_ADDRESS]    Remove an IP from /etc/csf/csf.allow or temporary IP ban
csf -dr [IP_ADDRESS]    Unblock an IP and remove it from /etc/csf/csf.deny

 

Now that you have an idea of what CSF is and commands that you can run, let’s begin!

 

Instructions

First, log in to your server via SSH.

1) Checking if the IP is being blocked

Run the command below:

csf -g [IP_ADDRESS]

 

You will see the result below if an IP is not blocked:

[root@icky ~]# csf -g 192.8.213.5
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 192.8.213.5 in iptables

ip6tables:

Table Chain num pkts bytes target prot opt in out source destination
No matches found for 192.8.213.5 in ip6tables

 

You will see the result below if an IP is blocked:

 

[root@icky ~]# csf -g [IP_ADDRESS]
Table Chain num pkts bytes target prot opt in out source destination
filter DENYIN 3 0 0 DROP all -- !lo * [IP_ADDRESS] 0.0.0.0/0
filter DENYOUT 3 9 1224 LOGDROPOUT all -- * !lo 0.0.0.0/0 [IP_ADDRESS]

ip6tables:

Table Chain num pkts bytes target prot opt in out source destination
No matches found for [IP_ADDRESS] in ip6tables

csf.deny: [IP_ADDRESS] # lfd: (sshd) Failed SSH login from [IP_ADDRESS] (MY/Malaysia/-): 5 in the last 3600 secs - Thu Dec 22 04:43:38 2022

 

2)  Whitelisting an IP

In order to whitelist an IP, you just need to run the command below:

csf -a [IP_ADDRESS]

You will see the result below once you run it:

 

[root@icky ~]# csf -a [IP_ADDRESS]
Removing [IP_ADDRESS] from csf.deny...
Removing rule...
DROP all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS]
Adding [IP_ADDRESS] to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS]

 

Please note that we do not recommend whitelisting an IP, because if actual brute-force attempts come from that IP, CSF will ignore them. You can run the command below to remove it from the whitelist:

csf -tr [IP_ADDRESS]
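
Added example (not part of the original guide or of CSF itself): a small POSIX shell wrapper that reads the csf -g output shown in step 1 and refuses to whitelist an address that lfd blocked for failed logins, which is the risk noted above. The function names, the CSF override variable, the csf.allow: line prefix and the 203.0.113.7 sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: review an IP with `csf -g` before whitelisting it.
CSF=${CSF:-csf}   # assumption: csf is on PATH; override to test without it

# Read `csf -g <ip>` output on stdin; print blocked, allowed or clear.
csf_status() {
    awk '
        # Field 6 is the "target" column of the rule listing.
        $6 == "DROP" || $6 == "LOGDROPOUT" || /^csf\.deny:/ { blocked = 1 }
        # Assumption: allow entries mirror deny ones (ACCEPT target, csf.allow: line).
        $6 == "ACCEPT" || /^csf\.allow:/ { allowed = 1 }
        END { print (blocked ? "blocked" : (allowed ? "allowed" : "clear")) }'
}

# Print the comment stored with the csf.deny entry (the reason, for lfd blocks).
csf_block_reason() {
    sed -n 's/^csf\.deny: [^ ]* # //p'
}

# Whitelist only when lfd has no block on record; otherwise show why and fail.
safe_allow() {
    ip=$1
    out=$("$CSF" -g "$ip")
    reason=$(printf '%s\n' "$out" | csf_block_reason)
    case $reason in
        lfd:*) echo "refusing to whitelist $ip: $reason" >&2; return 1 ;;
    esac
    "$CSF" -a "$ip"
}

# Constructed sample in the format shown in step 1 (203.0.113.7 is a documentation address).
SAMPLE_BLOCKED='Table Chain num pkts bytes target prot opt in out source destination
filter DENYIN 3 0 0 DROP all -- !lo * 203.0.113.7 0.0.0.0/0
filter DENYOUT 3 9 1224 LOGDROPOUT all -- * !lo 0.0.0.0/0 203.0.113.7

csf.deny: 203.0.113.7 # lfd: (sshd) Failed SSH login from 203.0.113.7 (MY/Malaysia/-): 5 in the last 3600 secs - Thu Dec 22 04:43:38 2022'

printf '%s\n' "$SAMPLE_BLOCKED" | csf_status
printf '%s\n' "$SAMPLE_BLOCKED" | csf_block_reason
```

On a server, safe_allow [IP_ADDRESS] can stand in for csf -a [IP_ADDRESS]; it returns non-zero and prints the lfd reason when the address was blocked for failed logins.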

 

3) Blacklisting an IP

In order to blacklist an IP, you just need to run the command below:

csf -d [IP_ADDRESS]

You will see the result below once you run it:

 

[root@icky ~]# csf -d [IP_ADDRESS]
Adding [IP_ADDRESS] to csf.deny and iptables DROP...
DROP all opt -- in !lo out * [IP_ADDRESS] -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> [IP_ADDRESS]

 

 

Should you have any inquiries about this guide, please feel free to open a ticket through your portal account or contact us at +603 – 2026 1688. We’ll be happy to assist you further :)