Cheatsheet: Commands
When installing, configuring, and running CSF, it is helpful to know the csf command-line options and what each one does. A list of the commonly used commands is provided below:
Enable
Enable csf and lfd if previously disabled
Disable
Disable csf and lfd completely
Start
Start the firewall and apply any rules that have been configured at startup.
Stop
Flush/Stop firewall rules (Note: lfd may restart csf)
Restart
Restart firewall rules (csf)
Quick Restart
Quick restart (csf restarted by lfd)
Force Restart
Force CLI restart regardless of LFDSTART setting
Restart All
Restart firewall rules (csf) and then restart the lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files.
Cluster Restart
Cluster restart csf and lfd
Manage Lfd Daemon
--lfd [stop|start|restart|status]
Actions to take with the lfd daemon
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since 15ms ago
Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 3782 (lfd - starting)
Tasks: 1 (limit: 4613)
Memory: 38.7M
CPU: 366ms
CGroup: /system.slice/lfd.service
├─3782 "lfd - starting"
└─3784 "lfd - starting"
systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since 1min 3s ago
Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 3782 (lfd - sleeping)
Tasks: 2 (limit: 4613)
Memory: 45.2M
CPU: 9.476s
CGroup: /system.slice/lfd.service
├─3782 "lfd - sleeping"
└─3791 "lfd UI"
systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
Check for Updates
Check for updates to csf but do not upgrade
Update
Check for updates to csf and upgrade if available
Update (Force)
Force an update of csf whether an upgrade is required or not
Version
Show csf version
List Firewall Rules (IPv4)
List/Show the IPv4 iptables configuration
iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 33 2492 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000,5353
2 758 55610 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000
3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5353
4 5209K 28G LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
13 3 180 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
14 998 56956 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
15 123 5612 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53
16 16 680 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:853
17 2 100 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
18 74 3148 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110
19 125 5624 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143
List Firewall Rules (IPv6)
List/Show the IPv6 ip6tables configuration
ip6tables filter table
======================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
8 0 0 ACCEPT all !lo * ::/0 ::/0 ctstate RELATED,ESTABLISHED
9 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:20
10 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:21
11 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:22
12 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:25
13 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:53
14 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:853
15 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:80
16 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:110
17 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:143
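The two listings above show which destination ports the INPUT chain accepts. As an added example (not part of CSF or of this page), the POSIX shell functions below extract the accepted TCP ports from `csf -l` / `csf -l6` style output and compare them with a TCP_IN value taken from csf.conf, so that a port open in the live ruleset but absent from the configuration stands out. The sample listing is constructed from the format shown above, the function names are my own, and port ranges (`dpts:A:B` in iptables, `A:B` in TCP_IN) are deliberately not expanded.

```shell
#!/bin/sh
# Added example, not CSF code: audit the TCP ports that ACCEPT rules admit
# in a `csf -l` / `csf -l6` listing and compare them with TCP_IN.

# Constructed sample, trimmed from the listing format shown on this page.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
2 758 55610 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000
13 3 180 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
14 998 56956 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25
17 2 100 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
20 0 0 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:23'

# Print the sorted, unique TCP ports admitted by ACCEPT rules, one per line.
# Handles both the "tcp dpt:N" and the "multiport dports A,B" rule forms.
# Columns 4 and 5 (target, prot) are the same in the IPv4 and IPv6 output,
# even though the IPv6 listing lacks the "opt" column after them.
# Port ranges ("dpts:A:B") are not expanded (assumption/limitation).
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $4 == "ACCEPT" && $5 == "tcp" {
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
                if ($i == "dports" && (i + 1) <= NF) {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) print p[j]
                }
            }
        }' | sort -n | uniq
}

# Print the accepted ports that are missing from a comma-separated TCP_IN
# value (as written in csf.conf). Empty output means ruleset and config agree.
ports_not_in_tcp_in() {
    listing=$1
    tcp_in=$2
    for port in $(accepted_tcp_ports "$listing"); do
        case ",$tcp_in," in
            *",$port,"*) ;;
            *) echo "$port" ;;
        esac
    done
}
```

On a live server the same check reads the ruleset and the configuration directly, e.g. `ports_not_in_tcp_in "$(csf -l)" "$(sed -n 's/^TCP_IN = "\(.*\)"/\1/p' /etc/csf/csf.conf)"`; any port it prints is accepted by the firewall without appearing in TCP_IN (typically a csf.allow entry or a rule added outside csf) and is worth reviewing.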
Add IP to Allow List
Allow an IP and add to /etc/csf/csf.allow
Remove IP from Allow List
Remove an IP from /etc/csf/csf.allow and delete the rule
Add IP to Deny List
Deny an IP and add to /etc/csf/csf.deny
Remove IP from Deny List
Unblock an IP and remove from /etc/csf/csf.deny
Remove All IPs from Deny List
Remove and unblock all entries in /etc/csf/csf.deny
Grep Search for IP
Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
Lookup IP
Look up IP address geographical information using the CC_LOOKUPS setting in /etc/csf/csf.conf
View Temp Allow/Ban List
Displays the current list of temporary allow and deny IP entries with their TTL and comment
Remove Temp Allow/Ban IP
Remove an IP from the temporary IP ban or allow list
Remove Temp Ban IP
Remove an IP from the temporary IP ban list only
Remove Temp Allow IP
Remove an IP from the temporary IP allow list only
Add Temp Block IP
-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds; one suffix of h/m/d may be used). Optional port. Optional direction of block can be one of: in, out or inout (default: in)
Add Temp Allow IP
-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP allow list (default: inout)
Flush All Temp IP Entries
Flush all IPs from the temporary IP entries
Initiate Lfd Log Scanner
Initiate Log Scanner report via lfd
If you receive the following error in console:
Open your csf.conf configuration file, locate the setting LOGSCANNER, and change the value to 1:
###############################################################################
# SECTION:Log Scanner
###############################################################################
# Log Scanner. This feature will send out an email summary of the log lines of
# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
# they match a regular expression in /etc/csf/csf.logignore
#
# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
# be aware that the more files lfd has to track, the greater the performance
# hit. Note: File globs are only evaluated when lfd is started
#
# Note: lfd builds the report continuously from lines logged after lfd has
# started, so any lines logged when lfd is not running will not be reported
# (e.g. during reboot). If lfd is restarted, then the report will include any
# lines logged during the previous lfd logging period that weren't reported
#
# 1 to enable, 0 to disable
LOGSCANNER = "0"
Then go back to console and re-run the command.
View Ports
View ports on the server that have a running process behind them listening for external connections
Ports listening for external connections and the executables running behind them:
Port/Proto Open Conn PID/User Command Line Executable
631/tcp -/- - (1090/root) /usr/sbin/cupsd -l /usr/sbin/cupsd
8546/tcp 4/6 - (4627/root) lfd UI /usr/bin/perl
5353/udp -/- - (337/systemd-resolve /lib/systemd/systemd-resolved /usr/lib/systemd/systemd-resolved
5353/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon
40857/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon
49833/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon
View Graphs
--graphs [graph type] [directory]
Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
[graph type]
- disk
- apachework
- mysqlslowqueries
- cpu
- load
- mysqlconns
- net
- diskw
- apachecpu
- temp
- apacheconn
- mysqlqueries
- mem
- mysqldata
If you run the above command and see the error:
Open your csf.conf configuration file, locate the setting ST_SYSTEM, and change the value to 1:
# This option will gather basic system statistics. Through the UI it displays
# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
# . Hourly (per minute)
# . 24 hours (per minute)
# . 7 days (per minute averaged over an hour)
# . 30 days (per minute averaged over an hour) - user definable
# The data is stored in /var/lib/csf/stats/system and the option requires the
# perl GD::Graph module
#
# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
# those systems do not store the required information in /proc/diskstats
# On new installations or when enabling this option it will take time for these
# graphs to be populated
ST_SYSTEM = "0"
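Both the LOGSCANNER step earlier on this page and the ST_SYSTEM step just above amount to the same edit: change one `KEY = "value"` line in csf.conf, then restart csf and lfd. As an added example (not CSF's own tooling), the POSIX shell functions below make that edit without hand-editing the file, keep the quoted `KEY = "value"` form, and refuse to change anything unless the key appears exactly once as an uncommented setting. The configuration excerpt is constructed from the lines shown on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not CSF code: read and set a csf.conf option such as
# LOGSCANNER or ST_SYSTEM, preserving the KEY = "value" layout.

# Print the current value of KEY in FILE without the surrounding quotes.
get_csf_option() {
    file=$1; key=$2
    sed -n "s/^$key[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$file"
}

# Set KEY in FILE to VALUE. Returns 1 and changes nothing unless the key
# occurs exactly once as an uncommented setting. The edited text is copied
# back over the original with cat so the file keeps its owner and mode.
# Assumption: VALUE contains no "/" or "&", which sed would treat specially.
set_csf_option() {
    file=$1; key=$2; value=$3
    count=$(grep -c "^$key[[:space:]]*=" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "set_csf_option: expected one '$key' line in $file, found $count" >&2
        return 1
    fi
    tmp="$file.tmp"
    sed "s/^\($key[[:space:]]*=[[:space:]]*\)\".*\"/\1\"$value\"/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed excerpt of csf.conf for demonstration (not a real config file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# 1 to enable, 0 to disable
LOGSCANNER = "0"
# The data is stored in /var/lib/csf/stats/system and the option requires the
# perl GD::Graph module
ST_SYSTEM = "0"
TCP_IN = "20,21,22,25,53,853,80,110,143"
EOF
```

On a real server the sequence is `set_csf_option /etc/csf/csf.conf LOGSCANNER 1` (or `ST_SYSTEM 1`), followed by the Restart All command (`csf -ra`) so that both csf and lfd pick up the change, after which the log scanner or graphs command can be re-run; `get_csf_option /etc/csf/csf.conf ST_SYSTEM` confirms the value that lfd will read.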
If you receive the error:
Install the package libgd-graph-perl: