How to configure IP-based access on CSF on Debian 12 (Allow, Deny, Ignore)

Introduction

Configuring IP-based access on CSF (ConfigServer Security & Firewall) involves managing which IP addresses are allowed (allow), blocked (deny), or exempted from security rules (ignore) on your server. It is a way to control who can access your server or its services based on their IP addresses. "Allow" permits access, "Deny" blocks access, and "Ignore" excludes IP addresses from security rules.

Procedure:

Step 1: Check the OS version by using the below command.

root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

Step 2: Go to the following location by using the below command.

root@linuxhelp:~# cd /etc/csf/

Step 3: Edit the csf.conf file to make changes by using the below command.

root@linuxhelp:/etc/csf# vim csf.conf
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

Step 4: Reload and apply the changes by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 07:28:41 IST; 36ms ago
    Process: 5056 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 5069 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.4M
        CPU: 876ms
     CGroup: /system.slice/lfd.service
             └─5069 "lfd - starting"

Nov 10 07:28:40 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:28:41 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 5: Deny the IP address by using the below command.

root@linuxhelp:/etc/csf# csf -d 192.168.6.132
Adding 192.168.6.132 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  192.168.6.132  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.132

Step 6: Check that the denied IP address has been added to the csf.deny file by using the below command.

root@linuxhelp:/etc/csf# vim csf.deny

Step 7: Check the denied IP address by using the ping command.

root@linuxhelp:/etc/csf# ping 192.168.6.132
PING 192.168.6.132 (192.168.6.132) 56(84) bytes of data.
From 192.168.6.131 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.6.131 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.6.132 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1031ms

Step 8: Remove the denied IP address by using the below command.

root@linuxhelp:/etc/csf# csf -dr 192.168.6.132
Removing rule...
DROP  all opt -- in !lo out *  192.168.6.132  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.132

Step 9: Check that the denied IP address has been removed from the csf.deny file by using the below command.

root@linuxhelp:/etc/csf# vim csf.deny

Step 10: Allow the IP address by using the below command.

root@linuxhelp:/etc/csf# csf -a 192.168.6.132
Adding 192.168.6.132 to csf.allow and iptables ACCEPT...
ACCEPT  all opt -- in !lo out *  192.168.6.132  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.132

Step 11: Check that the allowed IP address has been added to the csf.allow file by using the below command.

root@linuxhelp:/etc/csf# vim csf.allow

Step 12: Check the allowed IP address by using the ping command.

root@linuxhelp:/etc/csf# ping 192.168.6.132
PING 192.168.6.132 (192.168.6.132) 56(84) bytes of data.
64 bytes from 192.168.6.132: icmp_seq=1 ttl=64 time=1.58 ms
64 bytes from 192.168.6.132: icmp_seq=2 ttl=64 time=0.543 ms
^C
--- 192.168.6.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.543/1.061/1.580/0.518 ms

Step 13: Remove the allowed IP address by using the below command.

root@linuxhelp:/etc/csf# csf -ar 192.168.6.132
Removing rule...
ACCEPT  all opt -- in !lo out *  192.168.6.132  -> 0.0.0.0/0  
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 192.168.6.132

Step 14: Check that the allowed IP address has been removed from the csf.allow file by using the below command.

root@linuxhelp:/etc/csf# vim csf.allow

Step 15: Edit the csf.conf file to set up email alerts by using the below command.

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = "linuxhelp3@mailinator.com"

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails

Step 16: Reload and apply the changes by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 07:37:35 IST; 25ms ago
    Process: 5600 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 5613 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.4M
        CPU: 691ms
     CGroup: /system.slice/lfd.service
             └─5613 "lfd - starting"

Nov 10 07:37:34 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:37:35 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 17: Open a web browser and search for mailinator.com as shown in the image below.

Step 18: Click Public Inbox and search for the mail account name as shown in the image below.

Step 19: Install sendmail from the terminal by using the below command.

root@linuxhelp:/etc/csf# apt install sendmail -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libc-ares2 libjs-jquery liblockfile1 lockfile-progs postfix-mta-sts-resolver
  procmail python3-aiodns python3-aiohttp python3-aioredis python3-aiosignal
  python3-aiosqlite python3-async-timeout python3-attr python3-deprecated
  python3-frozenlist python3-hiredis python3-multidict python3-packaging
  python3-pycares python3-redis python3-typing-extensions python3-uvloop
  python3-wrapt python3-yaml python3-yarl sendmail-base sendmail-bin
  sendmail-cf sensible-mda
Updating /etc/mail/aliases...
/etc/mail/aliases: 0 aliases, longest 0 bytes, 0 bytes total
 
Warning: 3 database(s) sources
	were not found, (but were created)
	please investigate.
Setting up sensible-mda (8.17.1.9-2) ...
Setting up sendmail (8.17.1.9-2) ...
Processing triggers for libc-bin (2.36-9+deb12u1) ...
Processing triggers for man-db (2.11.2-2) ...

Step 20: Reload and apply the changes again by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 07:42:24 IST; 37ms ago
    Process: 7873 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 7886 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.5M
        CPU: 735ms
     CGroup: /system.slice/lfd.service
             └─7886 "lfd - starting"

Nov 10 07:42:24 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:42:24 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 21: Go to the browser and check the email alert as shown in the image below.

Step 22: Click the excessive resource alert and observe the account, executable path, and cmd as shown in the image below.

Step 23: Edit the csf.pignore file to ignore processes by using the below command.

root@linuxhelp:/etc/csf# vim csf.pignore

Step 24: Reload and apply the changes by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 07:46:38 IST; 36ms ago
    Process: 8459 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 8472 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.4M
        CPU: 720ms
     CGroup: /system.slice/lfd.service
             └─8472 "lfd - starting"

Nov 10 07:46:38 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:46:38 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 25: Go to the browser and check whether the alert for the process is now ignored as shown in the image below.

Step 26: Open another terminal and take control of another machine by using the below command.

linuxhelp@linuxhelp:~$ ssh linuxhelp@192.168.6.132
The authenticity of host '192.168.6.132 (192.168.6.132)' can't be established.
ED25519 key fingerprint is SHA256:gQq2yIGImDIMNAxtrHhNb1xu9oysI8BrceBGiKKS36g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.6.132' (ED25519) to the list of known hosts.
linuxhelp@192.168.6.132's password:
Linux linuxhelp 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.

Step 27: Check the IP address by using the below command.

root@linuxhelp:/home/linuxhelp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:e4:c8:72 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.6.132/23 brd 192.168.7.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fee4:c872/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Step 28: Take control of the CSF server by using the below command.

root@linuxhelp:/home/linuxhelp# ssh linuxhelp@192.168.6.131
linuxhelp@192.168.6.131's password:
Linux linuxhelp 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov  9 08:53:55 2023 from 192.168.6.132

Step 29: Go to the web browser and check whether the SSH alert is present as shown in the image below.

Step 30: Go to the log file location by using the below command.

root@linuxhelp:/etc/csf# cd /var/log/

Step 31: Long list the files to check whether auth.log is present by using the below command.

root@linuxhelp:/var/log# ll
total 1728
-rw-r--r--  1 root              root              4175 Nov 10 07:41 alternatives.log
-rw-r--r--  1 root              root             55292 Sep 11 04:40 alternatives.log.1
drwxr-xr-x  2 root              root              4096 Nov 10 07:40 apt
-rw-r--r--  1 root              root             10477 Sep 11 04:40 aptitude
drwxr-xr-x  5 root              root              4096 Sep 11 05:56 asterisk
-rw-------  1 root              root                 0 Nov  9 08:39 boot.log
-rw-------  1 root              root              2848 Nov  9 08:39 boot.log.1
-rw-------  1 root              root             16013 Nov  7 12:21 boot.log.2
-rw-------  1 root              root             30364 Nov  4 13:45 boot.log.3
-rw-------  1 root              root             15834 Sep 11 00:00 boot.log.4
-rw-rw----  1 root              utmp               384 Nov  9 17:44 btmp

Step 32: If the auth.log file is not present, install the rsyslog-openssl package by using the below command.

root@linuxhelp:/var/log# apt install rsyslog-openssl -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libestr0 libfastjson4 liblognorm5 rsyslog
Suggested packages:
  rsyslog-mysql | rsyslog-pgsql rsyslog-mongodb rsyslog-doc rsyslog-gssapi rsyslog-relp
The following NEW packages will be installed:
  libestr0 libfastjson4 liblognorm5 rsyslog rsyslog-openssl
0 upgraded, 5 newly installed, 0 to remove and 128 not upgraded.
Need to get 1,121 kB of archives.
After this operation, 2,625 kB of additional disk space will be used.
Get:1 https://deb.debian.org/debian bookworm/main amd64 libestr0 amd64 0.1.11-1 [9,204 B]
Get:2 https://deb.debian.org/debian bookworm/main amd64 libfastjson4 amd64 1.2304.0-1 [28.9 kB]
Get:3 https://deb.debian.org/debian bookworm/main amd64 liblognorm5 amd64 2.0.6-4 [67.2 kB]
Get:4 https://deb.debian.org/debian bookworm/main amd64 rsyslog amd64 8.2302.0-1 [723 kB]
Get:5 https://deb.debian.org/debian bookworm/main amd64 rsyslog-openssl amd64 8.2302.0-1 [293 kB]
Fetched 1,121 kB in 6s (190 kB/s)         
Selecting previously unselected package libestr0:amd64.
Created symlink /etc/systemd/system/syslog.service → /lib/systemd/system/rsyslog.service.
Created symlink /etc/systemd/system/multi-user.target.wants/rsyslog.service → /lib/systemd/system/rsyslog.service.
Setting up rsyslog-openssl (8.2302.0-1) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u1) ...

Step 33: Check the rsyslog by using the below command.

root@linuxhelp:/var/log# systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 08:04:46 IST; 23s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 9081 (rsyslogd)
      Tasks: 4 (limit: 3408)
     Memory: 2.2M
        CPU: 98ms
     CGroup: /system.slice/rsyslog.service
             └─9081 /usr/sbin/rsyslogd -n -iNONE

Nov 10 08:04:46 linuxhelp systemd[1]: Starting rsyslog.service - System Logging Service...
Nov 10 08:04:46 linuxhelp rsyslogd[9081]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
Nov 10 08:04:46 linuxhelp rsyslogd[9081]: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="9081" x-info="https://www.rsyslog.com"] s>
Nov 10 08:04:46 linuxhelp systemd[1]: Started rsyslog.service - System Logging Service.

Step 34: Restart the rsyslog by using the below command.

root@linuxhelp:/var/log# systemctl restart rsyslog

Step 35: Check the status of ssh service by using the below command.

root@linuxhelp:/var/log# systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Thu 2023-11-09 17:42:22 IST; 14h ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 3832 (sshd)
      Tasks: 1 (limit: 3408)
     Memory: 3.2M
        CPU: 797ms
     CGroup: /system.slice/ssh.service
             └─3832 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Nov 09 17:48:15 linuxhelp sshd[3900]: Accepted password for linuxhelp from 192.168.6.132 port 44288 ssh2
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_env(sshd:session): deprecated reading of user environment enabled
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_unix(sshd:session): session closed for user linuxhelp
Nov 09 17:49:47 linuxhelp sshd[4030]: Accepted password for linuxhelp from 192.168.6.132 port 43586 ssh2
Nov 09 17:49:47 linuxhelp sshd[4030]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 09 17:49:47 linuxhelp sshd[4030]: pam_env(sshd:session): deprecated reading of user environment enabled
Nov 10 08:00:05 linuxhelp sshd[8866]: Accepted password for linuxhelp from 192.168.6.132 port 41182 ssh2
Nov 10 08:00:05 linuxhelp sshd[8866]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 10 08:00:05 linuxhelp sshd[8866]: pam_env(sshd:session): deprecated reading of user environment enabled

Step 36: Restart the sshd service by using the below command.

root@linuxhelp:/var/log# systemctl restart sshd

Step 37: Long list the files to check whether the auth.log file is present by using the below command.

root@linuxhelp:/var/log# ll
total 2584
-rw-r--r--  1 root              root              4175 Nov 10 07:41 alternatives.log
-rw-r--r--  1 root              root             55292 Sep 11 04:40 alternatives.log.1
drwxr-xr-x  2 root              root              4096 Nov 10 08:04 apt
-rw-r--r--  1 root              root             10477 Sep 11 04:40 aptitude
drwxr-xr-x  5 root              root              4096 Sep 11 05:56 asterisk
-rw-r-----  1 root              adm                419 Nov 10 08:05 auth.log
-rw-------  1 root              root                 0 Nov  9 08:39 boot.log
-rw-------  1 root              root              2848 Nov  9 08:39 boot.log.1
-rw-------  1 root              root             16013 Nov  7 12:21 boot.log.2
-rw-------  1 root              root             30364 Nov  4 13:45 boot.log.3
-rw-------  1 root              root             15834 Sep 11 00:00 boot.log.4

Step 38: Reload and apply the changes by using the below command.

root@linuxhelp:/var/log# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 08:09:32 IST; 36ms ago
    Process: 9452 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 9466 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.5M
        CPU: 694ms
     CGroup: /system.slice/lfd.service
             └─9466 "lfd - starting"

Nov 10 08:09:31 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 08:09:32 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 39: Go to the other tab, exit the session, and then take control of the CSF server again by using the below command.

root@linuxhelp:~# exit
exit
linuxhelp@linuxhelp:~$ exit
logout
Connection to 192.168.6.131 closed.
root@linuxhelp:/home/linuxhelp# ssh linuxhelp@192.168.6.131
linuxhelp@192.168.6.131's password:
Linux linuxhelp 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 10 08:08:12 2023 from 192.168.6.132

Step 40: Go to the browser and check whether the SSH alert is present as shown in the image below.

Step 41: Go to the following location by using the below command.

root@linuxhelp:/var/log# cd /etc/csf

Step 42: Edit the csf.ignore file to ignore SSH alerts for a particular IP address by using the below command.

root@linuxhelp:/etc/csf# vim csf.ignore

Step 43: Reload and apply the changes by using the below command.

root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
LOCALINPUT  all opt -- in !lo out *  ::/0  -> ::/0  
● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-11-10 08:13:24 IST; 28ms ago
    Process: 9680 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 9693 (lfd - starting)
      Tasks: 1 (limit: 3408)
     Memory: 25.3M
        CPU: 708ms
     CGroup: /system.slice/lfd.service
             └─9693 "lfd - starting"

Nov 10 08:13:24 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 08:13:24 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.

Step 44: Go to the browser and check whether the SSH alert is present as shown in the image below.
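
Added example (not part of the original article): Steps 6 to 14 and Step 42 inspect csf.deny, csf.allow and csf.ignore by opening them in vim, which can miss an address that is covered by a CIDR entry or listed in more than one file. The POSIX shell sketch below reports every list file that covers an IPv4 address, and lists the sources of accepted SSH logins in auth.log that csf.ignore does not cover. The function names and all sample file contents are constructed for illustration; advanced rules (entries containing |) and Include lines are skipped.

```sh
#!/bin/sh
# Added example; every file written below is constructed sample data.

# ip_to_int A.B.C.D -> prints the address as an integer, fails on malformed input
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_entry IP ENTRY -> true when ENTRY (plain IPv4 or CIDR) covers IP
ip_in_entry() {
    e_net=${2%/*}; e_bits=32
    case "$2" in */*) e_bits=${2#*/} ;; esac
    case "$e_bits" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$e_bits" -le 32 ] || return 1
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$e_net") || return 1
    [ "$e_bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - e_bits)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# csf_lists_for IP [DIR] -> prints the list files (space separated) that cover IP
csf_lists_for() {
    q_ip=$1; q_dir=${2:-/etc/csf}; q_hits=
    for q_file in csf.allow csf.deny csf.ignore; do
        [ -r "$q_dir/$q_file" ] || continue
        while read -r q_entry q_rest || [ -n "$q_entry" ]; do
            q_entry=${q_entry%%#*}                     # drop "# comment" text
            case "$q_entry" in ''|*'|'*|Include) continue ;; esac
            if ip_in_entry "$q_ip" "$q_entry"; then
                q_hits="$q_hits $q_file"; break
            fi
        done < "$q_dir/$q_file"
    done
    echo "${q_hits# }"
}

# unignored_ssh_logins AUTHLOG [DIR] -> source IPs of accepted SSH logins not in csf.ignore
unignored_ssh_logins() {
    sed -n 's/.*sshd\[[0-9]*]: Accepted [a-z]* for .* from \([0-9.]*\) port .*/\1/p' "$1" |
    sort -u |
    while read -r s_ip; do
        case " $(csf_lists_for "$s_ip" "${2:-/etc/csf}") " in
            *' csf.ignore '*) ;;
            *) echo "$s_ip" ;;
        esac
    done
}

# make_demo_dir -> writes constructed list files and an auth.log, prints the directory
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '10.20.0.0/16 # constructed: management range' > "$d/csf.allow"
    printf '%s\n' '192.168.6.132 # constructed: manually denied' \
                  '10.20.30.40 # constructed' > "$d/csf.deny"
    printf '%s\n' '127.0.0.1' '192.168.6.128/25 # constructed' > "$d/csf.ignore"
    cat > "$d/auth.log" <<'EOF'
Nov 10 08:08:12 linuxhelp sshd[9301]: Accepted password for linuxhelp from 192.168.6.132 port 41182 ssh2
Nov 10 08:09:40 linuxhelp sshd[9377]: Accepted password for linuxhelp from 203.0.113.9 port 50022 ssh2
Nov 10 08:10:02 linuxhelp sshd[9390]: Failed password for root from 198.51.100.7 port 40100 ssh2
EOF
    echo "$d"
}

demo=$(make_demo_dir)
for ip in 192.168.6.132 10.20.30.40 203.0.113.9; do
    echo "$ip: $(csf_lists_for "$ip" "$demo")"
done
echo "accepted logins from unignored sources: $(unignored_ssh_logins "$demo/auth.log" "$demo")"
rm -rf "$demo"
```

On a real server, call csf_lists_for with only the IP address so it reads /etc/csf; an address reported in both csf.allow and csf.deny is worth reviewing before the next csf -ra.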

Conclusion:

We have reached the end of this article. In this guide, we have walked you through the steps required to configure IP-based access on CSF on Debian 12 (Allow, Deny, Ignore). Your feedback is welcome.

FAQ

Q: Can I allow, deny, or ignore IP ranges in CSF?
A: Yes, you can allow, deny, or ignore IP ranges in CSF. In the configuration file, use CIDR notation for ranges. For example: 192.168.1.0/24.

Q: How can I ignore (whitelist) certain IP addresses with CSF?
A: To whitelist IPs, add them to the IGNORE setting in /etc/csf/csf.conf. Following this, restart CSF with sudo csf -r to implement the changes and ignore the specified IPs.

Q: What is the process to deny certain IP addresses using CSF?
A: To deny specific IPs, add them to the DENY_IP setting in /etc/csf/csf.conf. After making changes, restart CSF with sudo csf -r to apply the new rules.

Q: How can I allow specific IP addresses in CSF?
A: To allow specific IP addresses, edit the TCP_IN and UDP_IN settings in /etc/csf/csf.conf. Add the desired IPs to the lists, and then restart CSF with sudo csf -r.

Q: What is CSF and why should I use it?
A: CSF, or ConfigServer Security & Firewall, is a firewall configuration script for Linux servers. It helps enhance server security by managing iptables rules and providing features like IP whitelisting, blacklisting, and more.