What is CSF (ConfigServer Security and Firewall)?
ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an advanced, easy to use interface for managing firewall settings. ConfigServer Security & Firewall configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging into FTP, checking email, or loading websites.
ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD. LFD watches your user activity for excessive login failures which are commonly seen during brute force attacks. If a large number of login failures are seen coming from the same IP address, that IP will immediately be temporarily blocked from all services on your server. These IP blocks will automatically expire, however they can be removed manually through the ConfigServer interface in WebHost Manager. In addition to removing IPs, ConfigServer Security & Firewall also allows you to manually whitelist or blacklist IPs in your firewall, as well as real-time monitoring for automatic IP blocks in LFD. Configuration details are covered in Managing Your CSF Firewall.
Features of ConfigServer Security & Firewall
Config Server Firewall offers a wide range of protections ConfigServer Firewall Provides,
- Straight-forward SPI iptables firewall script ;
- Daemon process checking ;
- login authentication failures check (ssh, mail server, FTP & cPanel) ;
- SSH & SU login notification ;
- Alert for spam mail scripts ;
- Suspicious process reporting ;
- Excessive user processes reporting ;
- Suspicious file reporting ;
- BOGON packet protection ;
- Port Scan tracking and blocking ;
- Permanent and Temporary IP blocking ;
- IPv6 Support with ip6tables ;
- Permanent and Temporary IP allow ;
- SYN Flood protection ;
- IDS (Intrusion Detection System) ;
What Are The Advantages of CSF?
Managing firewall settings ‘by hand’ with the iptables command in Linux is complicated. Also, the active rules for iptables are not persistent. This makes it is easy to understand why there are several firewall ‘managers’ available. So if CSF is not unique in providing basic iptables rule management, why use it? What helps set it apart from similar applications are its additional built-in features. Just a few of these are:
- The ability to perform basic security, stability and settings check on your server
- The Login Failure Daemon( LFD ) helps protect your server against brute-force login attempts
- Watching, and searching various important system log files right from WHM
- Viewing currently ‘listening’ ports, and the processes that listen to them
- And lots more
What is LFD (Login Failure Daemon)?
LFD stands for Login Failure Daemon. To complement the ConfigServer Firewall (CSF), LFD process runs all the time and periodically (every X seconds) scans log file entries for recent continually failed login attempts against your server. Such attempts are referred to as ‘Brute-force attacks’. The daemon process responds very quickly to such patterns and blocks offending IP’s using CSF. Usually, blocks are graduated; the first may last for 15 minutes, the second for an hour, and the third is permanent (the intervals can be set in the config file). CSF allows users to whitelist known IPs to prevent accidental blocking of a valid user.
The relation between CSF and LFD:
ConfigServer Security & Firewall has been exclusively designed to provide security to your Linux server or Virtual Private Server (VPS). ConfigServer Security & Firewall comes with an additional Login Failure Daemon (LFD) process that scans the log file entries periodically after every (X) second, looking for suspicious multiple failed login attempts within a certain time slot. The daemon process reacts and blocks such as unauthorized IP’s. Another key feature is the “Login Tracking”, an extension of LFD, restricts the number of SSH, SMTP, POP3, and IMAP connections per IP per hour per Account.
A front end UI based platform is available for both CSF and LFD, and are both accessible by the root account through cPanel, WebAdmin, and DirectAdmin. The ConfigServer offers a free Web Host Manager (WHM) plugin CSF, allowing the modifications and updates of iptable rules within WHM.
How to Manage the CSF Firewall in WHM/Cpanel
If your server is using CSF, you will find its interface listed in WHM as ConfigServer Security & Firewall under the Plugins section in the left menu. You also can begin typing “firewall” into the search box at the top left to narrow down the choices.
Unblocking an IP Address in CSF
To determine whether an IP address is blocked, you can use the Search for IP button on the ConfigServer Security & Firewall page. Simply enter the IP address into the search field and click the button.
If the IP address is blocked, the reason for the block will be listed and an unlocked padlock icon will appear to the right of the blocked IP address. Clicking the padlock icon will unblock the IP in the firewall.
Allowing (Whitelisting) an IP Address
It is important to note that there are two components to the CSF firewall, the firewall itself, and the Login Failure Daemon (LFD).
To whitelist an IP address in the firewall (csf.allow), you can enter the IP address into the Quick Allow section, along with an optional comment for the allow (such as “Office network”), and click the Quick Allow button.
When an IP address is whitelisted in ConfigServer Security & Firewall, it still can become blocked by LFD for abusive behavior such as multiple failed logins or repeated violations of certain ModSecurity rules. This helps to mitigate the sort of brute-force attacks that could occur should a computer or device on the same network as a whitelisted IP address become compromised or infected with malware.
It is recommended to whitelist IPs only as necessary and, for a long-term solution, focus on resolving the issue which led to the block (such as incorrect login credentials). However, as a temporary measure, while troubleshooting or otherwise working to correct the underlying issue, you can prevent an IP address from being blocked by lfd by adding it to the ignore list (csf.ignore).
That can be done using the Quick Ignore button on the ConfigServer Security & Firewall page.
Blocked IP? Don’t Forget to Check cPHulk
WebHost Manager also includes the cPHulk Brute Force Protection module which, like the Login Failure Daemon component of the ConfigServer firewall, can block IP addresses (independently of the firewall) when they have repeated failed login attempts.
If you’re trying to unblock an IP address but no block is to be found in the firewall, you will want to check cPHulk as well. In WHM, you’ll find cPHulk Brute Force Protection listed under the Security Center section of the left menu.
On cPHulk’s History Reports tab, you can search for failed logins, blocked users, blocked IP addresses, or one-day blocks.
Removing a block is as easy as clicking the Remove Blocks and Clear Reports button.
You also can whitelist IP addresses, with an optional comment, under the Whitelist Management tab.
Please be aware that whitelisting an IP address here means that the IP address always will be able to attempt to log into the server. That could potentially present a security risk in the event that a computer or device on the same local network as the whitelisted IP becomes compromised or infected and uses brute force to try to gain protected access. For this reason, IP address whitelisting in cPHulk should be used sparingly and with caution.
Opening and Closing Ports in the Firewall
On the ConfigServer Security & Firewall page in WebHost Manager, click on the Firewall Configuration button to enter advanced settings.
On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section, and locate the Allow incoming TCP ports and Allow outgoing TCP ports sections.
You will need to add the necessary port to the appropriate list (or remove a listed port to block it), then scroll all the way to the bottom of the page and click the Change button to save your settings and restart the firewall.
ConfigServer Security & Firewall Usage through Command Line
Sample list of CSF Commands:
How to allow/whitelist an IP address?
sudo csf -a 192.168.1.2
This will add IP address 168.1.2in /etc/csf/csf.allow.
Restart the firewall after whitelisting the IP address.
How to remove a blocked IP address without adding to whitelist?
sudo csf -dr 192.168.1.5
This will remove the IP address 168.1.5from deny list
How to block an IP address?
sudo csf -d 192.168.1.2
This will add IP address 168.1.2in /etc/csf/csf.deny.
How to check whether an IP is blocked by CSF?
sudo csf -g 192.168.1.2
The above command will show whether IP is blocked by CSF.
How to disable CSF and LFD completely?
sudo csf –x
How to enable CSF firewall?
sudo csf –e
How to restart CSF firewall?
sudo csf –r
How to Flush CSF firewall?
sudo csf –f
How to remove an IP from CSF allow list?
sudo csf -ar 192.168.1.2
This will remove IP address from /etc/csf/csf.allow.
Configserver Security Firewall also compatible with Imunify360 of CloudLinux Inc to provide
Imunify360 automatically detects that Configserver Security Firewall is running. Imunify360 Blocked Ports, DoS Protection and SMTP Traffic Manager features are automatically disabled in that case. In general:
- Black List, Gray List, and White List can be managed in Imunify360 regardless of Configserver Security Firewall.
- Configserver Security Firewall Allow, Deny and Ignore Lists are not automatically imported from Configserver Security Firewall. They can still be managed using Configserver Security Firewall interface.
- Imunify360 will not block addresses from Configserver Security Firewall Allow and Ignore Lists.