run the script /etc/csf/csftest.pl using:
perl /etc/csf/csftest.pl
This script will test whether the required iptables modules are functioning on
the server. Don't worry if it cannot run all the features, so long as the
script doesn't report any FATAL errors.
You can view the csf command line options by using:
# csf -h
Usage: /usr/sbin/csf [option] [value]
Option Meaning
-h, --help Show this message
-l, --status List/Show iptables configuration
-l6, --status6 List/Show ip6tables configuration
-s, --start Start firewall rules
-f, --stop Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart Restart firewall rules
-q, --startq Quick restart (csf restarted by lfd)
-sf, --startf Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip Allow an IP and add to /etc/csf.allow
-ar, --addrm ip Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip Unblock an IP and remove from /etc/csf.deny
-df, --denyf Remove and unblock all entries in /etc/csf.deny
-g, --grep ip Search the iptables rules for an IP match (incl. CIDR)
-t, --temp Displays the current list of temp IP entries and their TTL
-tr, --temprm ip Remove an IPs from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
Add an IP to the temp IP ban list. ttl is how long to
blocks for (default:seconds, can use one suffix of h/m/d).
Optional port. Optional direction of block can be one of:
in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction]
Add an IP to the temp IP allow list (default:inout)
-tf, --tempf Flush all IPs from the temp IP entries
-cp, --cping PING all members in an lfd Cluster
-cd, --cdeny ip Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart Cluster restart csf and lfd
-m, --mail [addr] Display Server Check in HTML or email to [addr] if present
-c, --check Check for updates to csf but do not upgrade
-u, --update Check for updates to csf and upgrade if available
-uf Force an update of csf
-x, --disable Disable csf and lfd
-e, --enable Enable csf and lfd if previously disabled
-v, --version Show csf version
These options allow you to easily and quickly control and view csf. All the
configuration files for csf are in /etc/csf and include:
csf.conf - the main configuration file, it has helpful comments explaining
what each option does
csf.allow - a list of IPs and CIDR addresses that should always be allowed
through the firewall
csf.deny - a list of IPs and CIDR addresses that should never be allowed
through the firewall
csf.ignore - a list of IPs and CIDR addresses that lfd should ignore and not
block if detected
csf.*ignore - various ignore files that list files, users and IPs that lfd
should ignore. See each file for its specific purpose and
syntax
If you modify any of the files listed above, you will need to restart csf to
have them take effect. If you use the command line options to add or deny IP
addresses, then csf automatically does this for you.
Both csf.allow and csf.deny can have comments after the IP address listed. The
comments must be on the same line as the IP address otherwise the IP rotation
of csf.deny will remove them.
If editing the csf.allow or csf.deny files directly, either from shell or the
WHM UI, you should put a # before the comment, like this:
11.22.33.44 # Added because I don't like them
You can also include comments when using the csf -a or csf -d commands, but in
those cases you must not use a # like this:
csf -d 11.22.33.44 Added because I don't like them
If you use the shell commands then each comment line will be timestamped. You
will also find that if lfd blocks an IP address it will add a descriptive
comment plus timestamp.
If you don't want csf to rotate a particular IP out of csf.deny when the line
limit is reached, add "do not delete" within the comment field, e.g.:
11.22.33.44 # Added because I don't like them. do not delete
You can also use an Include statement in either csf.allow or csf.deny to
include other files that conform to the above. You must specify the full path
to the included file, e.g. in /etc/csf/csf.allow:
Include /etc/csf/csf.alsoallow
Note: None of the csf commands for adding or removing IP addresses from
csf.allow or csf.deny work on included files, they are treated as read-only.
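As an added example (not part of csf itself), here is a small Python audit helper that reads a csf.allow/csf.deny style list as described above: one IP or CIDR per line, a # comment on the same line, "do not delete" marking entries exempt from rotation, and Include lines that must carry a full path. The file contents and the Include map are constructed sample data; the helper reports standalone comment lines, since csf.deny rotation would remove them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    comment: str
    keep: bool    # comment carries "do not delete": exempt from csf.deny rotation
    source: str   # file the line came from (Include files are read-only to csf)

def parse_csf_list(text, source, reader):
    """Parse csf.allow/csf.deny text; return (entries, problems). reader(path) loads Includes."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A comment on its own line is not tied to an IP; csf.deny rotation removes it.
            problems.append(f"{source}:{lineno}: standalone comment will be lost on rotation")
        elif line.startswith("Include "):
            path = line.split(None, 1)[1].strip()
            if not path.startswith("/"):  # csf requires the full path to the included file
                problems.append(f"{source}:{lineno}: Include needs a full path: {path!r}")
                continue
            sub_entries, sub_problems = parse_csf_list(reader(path), path, reader)
            entries.extend(sub_entries)
            problems.extend(sub_problems)
        else:
            addr, _, comment = line.partition("#")
            try:
                net = ipaddress.ip_network(addr.strip(), strict=False)
            except ValueError:
                # Only bare IP/CIDR entries are handled here; anything else is reported.
                problems.append(f"{source}:{lineno}: not an IP or CIDR: {addr.strip()!r}")
                continue
            comment = comment.strip()
            entries.append(Entry(net, comment, "do not delete" in comment.lower(), source))
    return entries, problems

# Constructed sample files (not real data): a csf.deny and the file it Includes.
SAMPLE_DENY = """\
11.22.33.44 # Added because I don't like them
# stray comment on its own line
11.22.33.44 # Added because I don't like them. do not delete
198.51.100.0/24 # lfd: (sshd) Failed SSH login from 198.51.100.9 (constructed)
Include /etc/csf/csf.alsodeny
not-an-ip # typo
"""
SAMPLE_INCLUDES = {"/etc/csf/csf.alsodeny": "203.0.113.7 # from included file\n"}
def audit_sample():
    return parse_csf_list(SAMPLE_DENY, "csf.deny", lambda p: SAMPLE_INCLUDES.get(p, ""))
```

Point `parse_csf_list` at the real files with a reader that opens the given path to audit a live /etc/csf/csf.deny before a restart.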