Some useful CSF / LFD commands to run over SSH.
| Command | Purpose | Example |
| --- | --- | --- |
| csf -e | Enable CSF | |
| csf -x | Disable CSF | |
| csf -f | Flush/stop firewall rules | |
| csf -d IP Comment | Block an IP (with an optional comment) | csf -d 1.2.3.4 badguy |
| csf -d IP/netmask | Block an IP range | csf -d 145.123.44.0/24 |
| csf -dr IP | Unblock an IP | csf -dr 1.2.3.4 |
| csf -df | Remove and unblock all entries in /etc/csf/csf.deny | |
| csf -g IP | Search for an IP's status in csf | csf -g 1.2.3.4 |
| csf -a IP | Allow an IP permanently | csf -a 1.2.3.4 |
To do more with CSF / LFD.
# To limit the number of connections per IP address
$ vim /etc/csf/csf.conf
Find the CT_LIMIT value and update it to the value you need.
For example, if CT_LIMIT is set to 100 and a single IP address has more than 100 connections to the server, that IP address will be blocked.
# To limit the number of connections from an IP address to a port at a particular time
Note: the xt_connlimit kernel module must be enabled on the server for this to work.
$ vim /etc/csf/csf.conf
Find and edit the CONNLIMIT value. The format is space-separated port;limit pairs:
CONNLIMIT = "80;100 25;40"
The setting above allows only 100 connections from a single IP address to port 80 and 40 connections to port 25.
# SYNflood Protection
CSF recommends enabling this setting only while you are actually under a SYN attack.
Check for SYN packets:
# netstat -nap | grep -c SYN
Only a large number here indicates a possible SYN flood.
Normally it is disabled, with these values in /etc/csf/csf.conf:
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
Enable it by setting SYNFLOOD to 1.
SYNFLOOD_RATE is the number of SYN packets to accept per IP, per second.
SYNFLOOD_BURST is the number of times the IP can hit the rate limit before being blocked in the firewall.
# Block offending countries
Look for the CC_DENY option and enter the two-letter ISO code of each country you want to block:
CC_DENY = ""
You can find the country codes online.
# Blocking particular IPs which has 'x' connections in a minute
A combination of the following values is needed for this.
- CT_LIMIT = "10" - Sets the maximum number of connections (x) from a single IP address to the server. When an IP's connection count goes over 10, it will be blocked.
- CT_PERMANENT = "1" - IPs with excessive connections will be blocked permanently.
- CT_BLOCK_TIME = "3600" - Blocks the IP for 1 hour (3600 seconds). This only applies to temporary blocks, i.e. when CT_PERMANENT is "0".
- CT_INTERVAL = "60" - Sets the interval in seconds between connection-tracking scans.
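The CT_LIMIT, CONNLIMIT, SYNFLOOD and CC_DENY edits above are all of the same shape: change a `KEY = "VALUE"` line in /etc/csf/csf.conf. The following is an added example (not part of CSF or this page) of a small POSIX sh helper that makes those edits scriptable and idempotent, keeps a backup, and refuses to touch a key that is not already present so a typo cannot silently add an unknown setting. It also parses the CONNLIMIT string back into a per-port limit. It runs against a constructed sample file, not a real csf.conf; after a real edit you would still run `csf -r` to reload the rules.

```shell
#!/bin/sh
# Added example, not CSF's own tooling. Edits KEY = "VALUE" lines in a
# csf.conf-style file and reads them back. Works on a constructed sample.

# csf_get FILE KEY -> prints the value of KEY without the surrounding quotes
csf_get() {
    sed -n "s/^$2 *= *\"\(.*\)\"/\1/p" "$1"
}

# csf_set FILE KEY VALUE -> rewrites the KEY line in place (backup in FILE.bak).
# Fails if KEY is not already in the file, so unknown keys are never appended.
csf_set() {
    file=$1 key=$2 value=$3
    grep -q "^$key *= *\"" "$file" || {
        echo "csf_set: $key not found in $file" >&2
        return 1
    }
    cp "$file" "$file.bak"
    # Rewrite via a temp file rather than sed -i, so it works on non-GNU sed too.
    sed "s|^$key *= *\".*\"|$key = \"$value\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# connlimit_for FILE PORT -> prints the per-IP limit configured for PORT in
# CONNLIMIT ("port;limit port;limit ..."), or nothing if PORT is not limited.
connlimit_for() {
    csf_get "$1" CONNLIMIT | tr ' ' '\n' | awk -F';' -v p="$2" '$1 == p { print $2 }'
}

# ct_mode FILE -> "permanent" or "temporary for N s", reflecting the caveat
# that CT_BLOCK_TIME only matters when CT_PERMANENT is 0.
ct_mode() {
    if [ "$(csf_get "$1" CT_PERMANENT)" = "1" ]; then
        echo "permanent"
    else
        echo "temporary for $(csf_get "$1" CT_BLOCK_TIME) s"
    fi
}

# Constructed sample excerpt of a csf.conf (not a real one).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed excerpt, not a real /etc/csf/csf.conf
CT_LIMIT = "0"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_INTERVAL = "30"
CONNLIMIT = ""
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
CC_DENY = ""
EOF

# Apply the settings discussed in the text.
csf_set "$SAMPLE" CT_LIMIT 10
csf_set "$SAMPLE" CT_PERMANENT 1
csf_set "$SAMPLE" CT_BLOCK_TIME 3600
csf_set "$SAMPLE" CT_INTERVAL 60
csf_set "$SAMPLE" CONNLIMIT "80;100 25;40"

echo "CT_LIMIT now $(csf_get "$SAMPLE" CT_LIMIT), blocks are $(ct_mode "$SAMPLE")"
echo "port 80 limit: $(connlimit_for "$SAMPLE" 80), port 25 limit: $(connlimit_for "$SAMPLE" 25)"
```

Because `csf_set` only rewrites an existing line, running it twice yields the same file, which makes it safe to drop into a provisioning script; the `.bak` copy lets you diff what actually changed before reloading with `csf -r`.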