Some useful CSF / LFD commands to do via SSH.

csf -eEnable CSF
csf -xDisable CSF
csf -fFlush/Stop firewall rules
csf -d IP CommentBlock the IP csf -d badguy
csf -d IP/netmaskBlock the IP rangecsf -d
csf -dr IPUnblock an IPcsf -dr
csf -dfRemove and unblock all entries in /etc/csf/csf.deny
csf -g IPSearch an IPs status in csfcsf -g
csf -a IPAllow an IP permanentlycsf -a

To do more with CSF / LFD.

# To limit the number of connections per IP address

$ vim /etc/csf/csf.conf

Find CT_LIMIT value and update it to value which you need.

For example if CT_LIMIT is set to 100, it means if the total number of connections to the server is more than 100 from an IP, that IP address will be blocked

# To limit the number of connections from an IP address to a port at a particular time

Note : xt_connlimit you need to have this module enabled in the server.

$ vim /etc/csf/csf.conf

Find and edit the value - CONNLIMIT

CONNLIMIT = "80;100 25;40"

The above settings shows the server only allows 100 connections from an IP address to the port 80 and 40 connections to the port 25.
# SYNflood Protection

Its recommended by CSF to have this setting only when you are under a SYN attack.

Check for SYN packets :

# netstat -nap | grep SYN -c

Only if you see a large number, it can be a possible SYNflood attack.

Normally, it would be disabled with this in the /etc/csf/csf.conf :


Enabled it by setting the SYNFLOOD to 1.

SYNFLOOD_RATE is the number of SYN packets to accept per IP, per second.

SYNFLOOD_BURST is the number of times the IP can hit the rate limit before being blocked in the firewall.

# Block offending countries
Look for CC_DENY option and enter the Code of the country you want to block

CC_DENY = ""
You can find the codes online for countries.
# Blocking particular IPs which has 'x' connections in a minute 

A combination of the following values is needed for this.

  • CT_LIMIT = “10” – This allows you to set maximum number of all connections ( x ) from a single IP addresses to the server. When the number of connections goes over 10 , it will be blocked.
  • CT_PERMANENT = “1” – IPs with excessive connections will be blocked permanently
  • CT_BLOCK_TIME = “3600” – Blocks IP for 1 hour (3600 Seconds)
  • CT_INTERVAL – “60” – This value sets the interval in seconds between the Connection Tracking scans.