How to configure IP based access on CSF on Debian 12 (Allow, Deny, Ignore)
Introduction
Configuring IP-based access on CSF (ConfigServer Security & Firewall) involves managing which IP addresses are allowed (allow), blocked (deny), or exempted from security rules (ignore) on your server. It is a way to control who can access your server or its services based on their IP addresses. "Allow" permits access, "Deny" blocks access, and "Ignore" excludes IP addresses from security rules.
Procedure:
Step 1: Check the OS version by using the below command.
root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
Step 2: Go to the following location by using the below command.
root@linuxhelp:~# cd /etc/csf/
Step 3: Edit the csf.conf file and set TESTING to "0" by using the below command.
root@linuxhelp:/etc/csf# vim csf.conf
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"
# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
Step 4: Reload and apply the changes by using the below command.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 07:28:41 IST; 36ms ago
Process: 5056 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 5069 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.4M
CPU: 876ms
CGroup: /system.slice/lfd.service
└─5069 "lfd - starting"
Nov 10 07:28:40 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:28:41 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 5: Deny the IP address by using the below command.
root@linuxhelp:/etc/csf# csf -d 192.168.6.132
Adding 192.168.6.132 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 192.168.6.132 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.132
Step 6: Check that the denied IP address has been added to the csf.deny file by using the below command.
root@linuxhelp:/etc/csf# vim csf.deny
Step 7: Check the denied IP address by using the ping command.
root@linuxhelp:/etc/csf# ping 192.168.6.132
PING 192.168.6.132 (192.168.6.132) 56(84) bytes of data.
From 192.168.6.131 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.6.131 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.6.132 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1031ms
Step 8: Remove the denied IP address by using the below command.
root@linuxhelp:/etc/csf# csf -dr 192.168.6.132
Removing rule...
DROP all opt -- in !lo out * 192.168.6.132 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.132
Step 9: Check that the denied IP address has been removed from the csf.deny file by using the below command.
root@linuxhelp:/etc/csf# vim csf.deny
Step 10: Allow the IP address by using the below command. As the output shows, this adds ACCEPT rules for all traffic from and to the address.
root@linuxhelp:/etc/csf# csf -a 192.168.6.132
Adding 192.168.6.132 to csf.allow and iptables ACCEPT...
ACCEPT all opt -- in !lo out * 192.168.6.132 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.132
Step 11: Check that the allowed IP address has been added to the csf.allow file by using the below command.
root@linuxhelp:/etc/csf# vim csf.allow
Step 12: Check the allowed IP address by using the ping command.
root@linuxhelp:/etc/csf# ping 192.168.6.132
PING 192.168.6.132 (192.168.6.132) 56(84) bytes of data.
64 bytes from 192.168.6.132: icmp_seq=1 ttl=64 time=1.58 ms
64 bytes from 192.168.6.132: icmp_seq=2 ttl=64 time=0.543 ms
^C
--- 192.168.6.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.543/1.061/1.580/0.518 ms
Step 13: Remove the allowed IP address by using the below command.
root@linuxhelp:/etc/csf# csf -ar 192.168.6.132
Removing rule...
ACCEPT all opt -- in !lo out * 192.168.6.132 -> 0.0.0.0/0
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 192.168.6.132
Step 14: Check that the allowed IP address has been removed from the csf.allow file by using the below command.
root@linuxhelp:/etc/csf# vim csf.allow
Step 15: Edit the csf.conf file to set the email alert address (LF_ALERT_TO), as shown below.
###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = "linuxhelp3@mailinator.com"
# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
Step 16: Reload and apply the changes by using the below command.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 07:37:35 IST; 25ms ago
Process: 5600 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 5613 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.4M
CPU: 691ms
CGroup: /system.slice/lfd.service
└─5613 "lfd - starting"
Nov 10 07:37:34 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:37:35 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* Binary location for [SENDMAIL] [/usr/sbin/sendmail] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 17: Open a web browser and search for mailinator.com as shown in the below image.
Step 18: Click Public inbox and search for the mail account name as shown in the below image.
Step 19: Install sendmail from the terminal by using the below command.
root@linuxhelp:/etc/csf# apt install sendmail -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libc-ares2 libjs-jquery liblockfile1 lockfile-progs postfix-mta-sts-resolver
procmail python3-aiodns python3-aiohttp python3-aioredis python3-aiosignal
python3-aiosqlite python3-async-timeout python3-attr python3-deprecated
python3-frozenlist python3-hiredis python3-multidict python3-packaging
python3-pycares python3-redis python3-typing-extensions python3-uvloop
python3-wrapt python3-yaml python3-yarl sendmail-base sendmail-bin
sendmail-cf sensible-mda
Updating /etc/mail/aliases...
/etc/mail/aliases: 0 aliases, longest 0 bytes, 0 bytes total
Warning: 3 database(s) sources
were not found, (but were created)
please investigate.
Setting up sensible-mda (8.17.1.9-2) ...
Setting up sendmail (8.17.1.9-2) ...
Processing triggers for libc-bin (2.36-9+deb12u1) ...
Processing triggers for man-db (2.11.2-2) ...
Step 20: Reload and apply the changes again by using the below command.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 07:42:24 IST; 37ms ago
Process: 7873 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 7886 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.5M
CPU: 735ms
CGroup: /system.slice/lfd.service
└─7886 "lfd - starting"
Nov 10 07:42:24 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:42:24 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 21: Go to the browser and check the email alert as shown in the below image.
Step 22: Click the excessive resource alert and observe the account, executable path and cmd as shown in the below image.
Step 23: Edit the csf.pignore file to ignore processes by using the below command.
root@linuxhelp:/etc/csf# vim csf.pignore
Step 24: Reload and apply the changes by using the below command.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 07:46:38 IST; 36ms ago
Process: 8459 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 8472 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.4M
CPU: 720ms
CGroup: /system.slice/lfd.service
└─8472 "lfd - starting"
Nov 10 07:46:38 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 07:46:38 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 25: Go to the browser and check whether the process is now ignored in the alerts as shown in the below image.
Step 26: Open another terminal and log in to another machine over SSH by using the below command.
linuxhelp@linuxhelp:~$ ssh linuxhelp@192.168.6.132
The authenticity of host '192.168.6.132 (192.168.6.132)' can't be established.
ED25519 key fingerprint is SHA256:gQq2yIGImDIMNAxtrHhNb1xu9oysI8BrceBGiKKS36g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.6.132' (ED25519) to the list of known hosts.
linuxhelp@192.168.6.132's password:
Linux linuxhelp 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Step 27: Check the IP address by using the below command.
root@linuxhelp:/home/linuxhelp# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:e4:c8:72 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.6.132/23 brd 192.168.7.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee4:c872/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Step 28: Log in to the CSF server over SSH by using the below command.
root@linuxhelp:/home/linuxhelp# ssh linuxhelp@192.168.6.131
linuxhelp@192.168.6.131's password:
Linux linuxhelp 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 9 08:53:55 2023 from 192.168.6.132
Step 29: Go to the web browser and check whether the SSH alert is present as shown in the below image.
Step 30: Go to the log file location by using the below command.
root@linuxhelp:/etc/csf# cd /var/log/
Step 31: Long list the files to check whether auth.log is present by using the below command.
root@linuxhelp:/var/log# ll
total 1728
-rw-r--r-- 1 root root 4175 Nov 10 07:41 alternatives.log
-rw-r--r-- 1 root root 55292 Sep 11 04:40 alternatives.log.1
drwxr-xr-x 2 root root 4096 Nov 10 07:40 apt
-rw-r--r-- 1 root root 10477 Sep 11 04:40 aptitude
drwxr-xr-x 5 root root 4096 Sep 11 05:56 asterisk
-rw------- 1 root root 0 Nov 9 08:39 boot.log
-rw------- 1 root root 2848 Nov 9 08:39 boot.log.1
-rw------- 1 root root 16013 Nov 7 12:21 boot.log.2
-rw------- 1 root root 30364 Nov 4 13:45 boot.log.3
-rw------- 1 root root 15834 Sep 11 00:00 boot.log.4
-rw-rw---- 1 root utmp 384 Nov 9 17:44 btmp
Step 32: If the auth.log file is not present, install the rsyslog-openssl package by using the below command.
root@linuxhelp:/var/log# apt install rsyslog-openssl -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libestr0 libfastjson4 liblognorm5 rsyslog
Suggested packages:
rsyslog-mysql | rsyslog-pgsql rsyslog-mongodb rsyslog-doc rsyslog-gssapi rsyslog-relp
The following NEW packages will be installed:
libestr0 libfastjson4 liblognorm5 rsyslog rsyslog-openssl
0 upgraded, 5 newly installed, 0 to remove and 128 not upgraded.
Need to get 1,121 kB of archives.
After this operation, 2,625 kB of additional disk space will be used.
Get:1 https://deb.debian.org/debian bookworm/main amd64 libestr0 amd64 0.1.11-1 [9,204 B]
Get:2 https://deb.debian.org/debian bookworm/main amd64 libfastjson4 amd64 1.2304.0-1 [28.9 kB]
Get:3 https://deb.debian.org/debian bookworm/main amd64 liblognorm5 amd64 2.0.6-4 [67.2 kB]
Get:4 https://deb.debian.org/debian bookworm/main amd64 rsyslog amd64 8.2302.0-1 [723 kB]
Get:5 https://deb.debian.org/debian bookworm/main amd64 rsyslog-openssl amd64 8.2302.0-1 [293 kB]
Fetched 1,121 kB in 6s (190 kB/s)
Selecting previously unselected package libestr0:amd64.
Created symlink /etc/systemd/system/syslog.service → /lib/systemd/system/rsyslog.service.
Created symlink /etc/systemd/system/multi-user.target.wants/rsyslog.service → /lib/systemd/system/rsyslog.service.
Setting up rsyslog-openssl (8.2302.0-1) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u1) ...
Step 33: Check the rsyslog by using the below command.
root@linuxhelp:/var/log# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 08:04:46 IST; 23s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 9081 (rsyslogd)
Tasks: 4 (limit: 3408)
Memory: 2.2M
CPU: 98ms
CGroup: /system.slice/rsyslog.service
└─9081 /usr/sbin/rsyslogd -n -iNONE
Nov 10 08:04:46 linuxhelp systemd[1]: Starting rsyslog.service - System Logging Service...
Nov 10 08:04:46 linuxhelp rsyslogd[9081]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2302.0]
Nov 10 08:04:46 linuxhelp rsyslogd[9081]: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="9081" x-info="https://www.rsyslog.com"] s>
Nov 10 08:04:46 linuxhelp systemd[1]: Started rsyslog.service - System Logging Service.
Step 34: Restart the rsyslog by using the below command.
root@linuxhelp:/var/log# systemctl restart rsyslog
Step 35: Check the status of ssh service by using the below command.
root@linuxhelp:/var/log# systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: active (running) since Thu 2023-11-09 17:42:22 IST; 14h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 3832 (sshd)
Tasks: 1 (limit: 3408)
Memory: 3.2M
CPU: 797ms
CGroup: /system.slice/ssh.service
└─3832 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Nov 09 17:48:15 linuxhelp sshd[3900]: Accepted password for linuxhelp from 192.168.6.132 port 44288 ssh2
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_env(sshd:session): deprecated reading of user environment enabled
Nov 09 17:48:15 linuxhelp sshd[3900]: pam_unix(sshd:session): session closed for user linuxhelp
Nov 09 17:49:47 linuxhelp sshd[4030]: Accepted password for linuxhelp from 192.168.6.132 port 43586 ssh2
Nov 09 17:49:47 linuxhelp sshd[4030]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 09 17:49:47 linuxhelp sshd[4030]: pam_env(sshd:session): deprecated reading of user environment enabled
Nov 10 08:00:05 linuxhelp sshd[8866]: Accepted password for linuxhelp from 192.168.6.132 port 41182 ssh2
Nov 10 08:00:05 linuxhelp sshd[8866]: pam_unix(sshd:session): session opened for user linuxhelp(uid=1000) by (uid=0)
Nov 10 08:00:05 linuxhelp sshd[8866]: pam_env(sshd:session): deprecated reading of user environment enabled
Step 36: Restart the sshd service by using the below command.
root@linuxhelp:/var/log# systemctl restart sshd
Step 37: Long list the files to check whether the auth.log file is present by using the below command.
root@linuxhelp:/var/log# ll
total 2584
-rw-r--r-- 1 root root 4175 Nov 10 07:41 alternatives.log
-rw-r--r-- 1 root root 55292 Sep 11 04:40 alternatives.log.1
drwxr-xr-x 2 root root 4096 Nov 10 08:04 apt
-rw-r--r-- 1 root root 10477 Sep 11 04:40 aptitude
drwxr-xr-x 5 root root 4096 Sep 11 05:56 asterisk
-rw-r----- 1 root adm 419 Nov 10 08:05 auth.log
-rw------- 1 root root 0 Nov 9 08:39 boot.log
-rw------- 1 root root 2848 Nov 9 08:39 boot.log.1
-rw------- 1 root root 16013 Nov 7 12:21 boot.log.2
-rw------- 1 root root 30364 Nov 4 13:45 boot.log.3
-rw------- 1 root root 15834 Sep 11 00:00 boot.log.4
Step 38: Reload and apply the changes by using the below command.
root@linuxhelp:/var/log# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `DENYIN'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 08:09:32 IST; 36ms ago
Process: 9452 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 9466 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.5M
CPU: 694ms
CGroup: /system.slice/lfd.service
└─9466 "lfd - starting"
Nov 10 08:09:31 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 08:09:32 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 39: Go to the other tab, exit the session and then log in to the CSF server again by using the below command.
root@linuxhelp:~# exit
exit
linuxhelp@linuxhelp:~$ exit
logout
Connection to 192.168.6.131 closed.
root@linuxhelp:/home/linuxhelp# ssh linuxhelp@192.168.6.131
linuxhelp@192.168.6.131's password:
Linux linuxhelp 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 10 08:08:12 2023 from 192.168.6.132
Step 40: Go to the browser and check whether the SSH alert is present as shown in the below image.
Step 41: Go to the following location by using the below command.
root@linuxhelp:/var/log# cd /etc/csf
Step 42: Edit the csf.ignore file to ignore SSH alerts for a particular IP address by using the below command.
root@linuxhelp:/etc/csf# vim csf.ignore
Step 43: Reload and apply the changes by using the below command.
root@linuxhelp:/etc/csf# csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
LOCALINPUT all opt -- in !lo out * ::/0 -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-11-10 08:13:24 IST; 28ms ago
Process: 9680 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 9693 (lfd - starting)
Tasks: 1 (limit: 3408)
Memory: 25.3M
CPU: 708ms
CGroup: /system.slice/lfd.service
└─9693 "lfd - starting"
Nov 10 08:13:24 linuxhelp systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Nov 10 08:13:24 linuxhelp systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Step 44: Go to the browser and check whether the SSH alert is present as shown in the below image.
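Steps 6, 9, 11 and 14 check csf.deny and csf.allow by opening them in vim, and Step 42 edits csf.ignore. The script below is an added example, not part of the original article: it reports which of those three files hold a plain IP or CIDR entry covering an address, using constructed sample files in a temporary directory in place of /etc/csf. The function names are hypothetical, and lines in the advanced port-filter syntax (containing |) or starting with Include are skipped.

```sh
#!/bin/sh
# Added example (not from the article): which CSF list files cover an IPv4 address?

# ip_to_int A.B.C.D -> prints the address as an integer; fails if malformed.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# entry_matches ENTRY IP -> success if ENTRY (single IP or CIDR) covers IP.
entry_matches() {
    em_bits=32
    case "$1" in */*) em_bits=${1#*/} ;; esac
    case "$em_bits" in ""|*[!0-9]*|???*|0?*) return 1 ;; esac
    [ "$em_bits" -le 32 ] || return 1
    em_net=$(ip_to_int "${1%/*}") || return 1
    em_ip=$(ip_to_int "$2") || return 1
    em_mask=$(( (0xFFFFFFFF << (32 - em_bits)) & 0xFFFFFFFF ))
    [ $(( em_net & em_mask )) -eq $(( em_ip & em_mask )) ]
}

# lists_containing IP DIR -> prints each of csf.allow, csf.deny, csf.ignore
# in DIR that has a plain IP or CIDR entry covering IP.
lists_containing() {
    for lc_name in csf.allow csf.deny csf.ignore; do
        [ -r "$2/$lc_name" ] || continue
        while IFS= read -r lc_line || [ -n "$lc_line" ]; do
            # Drop the trailing comment and all whitespace.
            lc_entry=$(printf '%s' "${lc_line%%#*}" | tr -d ' \t\r')
            # Skip blank lines, Include lines and port-filter lines.
            case "$lc_entry" in ""|Include*|*"|"*) continue ;; esac
            if entry_matches "$lc_entry" "$1"; then
                echo "$lc_name"; break
            fi
        done < "$2/$lc_name"
    done
}

# csf_status IP DIR -> one-line summary; flags an IP in both allow and deny.
csf_status() {
    cs_hits=$(echo $(lists_containing "$1" "$2"))
    case "$cs_hits" in
        "") echo "$1: not listed" ;;
        *csf.allow*csf.deny*) echo "$1: CONFLICT ($cs_hits)" ;;
        *) echo "$1: $cs_hits" ;;
    esac
}

# Constructed sample files standing in for /etc/csf (not real data).
make_sample_dir() {
    ms_dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '192.168.6.132 # added with csf -d' \
        '10.20.0.0/16 # lab range' > "$ms_dir/csf.deny"
    printf '%s\n' 'tcp|in|d=22|s=192.168.6.140' \
        '192.168.6.132 # added with csf -a' > "$ms_dir/csf.allow"
    printf '%s\n' '192.168.6.0/24' > "$ms_dir/csf.ignore"
    echo "$ms_dir"
}

SAMPLE_DIR=$(make_sample_dir)
for ip in 192.168.6.132 10.20.5.9 192.168.6.140 172.16.0.1; do
    csf_status "$ip" "$SAMPLE_DIR"
done
rm -rf "$SAMPLE_DIR"
```

On the CSF server, csf_status 192.168.6.132 /etc/csf reads the real list files; csf -g 192.168.6.132 additionally searches the loaded iptables rules for the address.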
Conclusion:
We have reached the end of this article. In this guide, we have walked you through the steps required to configure IP-based access on CSF on Debian 12 (Allow, Deny, Ignore). Your feedback is most welcome.