csf(1) General Commands Manual csf(1)
NAME
csf - ConfigServer & Security Firewall
SYNOPSIS
csf [OPTIONS]
DESCRIPTION
This manual documents the csf command line options for the ConfigServer & Security Firewall. See /etc/csf/csf.conf and
/etc/csf/readme.txt for more detailed information on how to use and configure this application.
OPTIONS
-h, --help
Show this message
-l, --status
List/Show the IPv4 iptables configuration
-l6, --status6
List/Show the IPv6 ip6tables configuration
-s, --start
Start the firewall rules
-f, --stop
Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart
Restart firewall rules (csf)
-q, --startq
Quick restart (csf restarted by lfd)
-sf, --startf
Force CLI restart regardless of LFDSTART setting
-ra, --restartall
Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to
the configuration files
--lfd [stop|start|restart|status]
Actions to take with the lfd daemon
-a, --add ip [comment]
Allow an IP and add to /etc/csf/csf.allow
-ar, --addrm ip
Remove an IP from /etc/csf/csf.allow and delete rule
-d, --deny ip [comment]
Deny an IP and add to /etc/csf/csf.deny
-dr, --denyrm ip
Unblock an IP and remove from /etc/csf/csf.deny
-df, --denyf
Remove and unblock all entries in /etc/csf/csf.deny
-g, --grep ip
Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
-i, --iplookup ip
Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
-t, --temp
Displays the current list of temporary allow and deny IP entries with their TTL and comment
-tr, --temprm ip
Remove an IP from the temporary IP ban or allow list
-trd, --temprmd ip
Remove an IP from the temporary IP ban list only
-tra, --temprma ip
Remove an IP from the temporary IP allow list only
-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP ban list. ttl is how long to block for (default:seconds, can use one suffix of h/m/d). Optional port.
Optional direction of block can be one of: in, out or inout (default:in)
-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP allow list (default:inout)
-tf, --tempf
Flush all IPs from the temporary IP entries
-cp, --cping
PING all members in an lfd Cluster
-cg, --cgrep ip
Requests the --grep output for IP from each member in an lfd Cluster
-cd, --cdeny ip [comment]
Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny
-ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
Add an IP in a Cluster to the temp IP ban list (default:in)
-cr, --crm ip
Unblock an IP in a Cluster and remove from each remote /etc/csf/csf.deny and temporary list
-ca, --callow ip [comment]
Allow an IP in a Cluster and add to each remote /etc/csf/csf.allow
-cta, --ctempallow ip ttl [-p port] [-d direction] [comment]
Add an IP in a Cluster to the temp IP allow list (default:in)
-car, --carm ip
Remove allowed IP in a Cluster and remove from each remote /etc/csf/csf.allow and temporary list
-ci, --cignore ip [comment]
Ignore an IP in a Cluster and add to each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted
-cir, --cirm ip
Remove ignored IP in a Cluster and remove from each remote /etc/csf/csf.ignore. Note: This will result in lfd being restarted
-cc, --cconfig [name] [value]
Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file]
Send [file] in a Cluster to /etc/csf/
-crs, --crestart
Cluster restart csf and lfd
--trace [add|remove] ip
Log SYN packets for an IP across iptables chains. Note, this can create a LOT of logging information in /var/log/messages so
should only be used for a short period of time. This option requires the iptables TRACE module and access to the raw PREROUTING
chain to function
-m, --mail [email]
Display Server Check in HTML or email to [email] if present
--rbl [email]
Process and display RBL Check in HTML or email to [email] if present
-lr, --logrun
Initiate Log Scanner report via lfd
-p, --ports
View ports on the server that have a running process behind them listening for external connections
--graphs [graph type] [directory]
Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
--profile [command] [profile|backup] [profile|backup]
Configuration profile functions for /etc/csf/csf.conf
You can create your own profiles using the examples provided in /usr/local/csf/profiles/
The profile reset_to_defaults.conf is a special case and will always be the latest default csf.conf
list
Lists available profiles and backups
apply [profile]
Modify csf.conf with Configuration Profile
backup "name"
Create Configuration Backup with optional "name" stored in /var/lib/csf/backup/
restore [backup]
Restore a Configuration Backup
keep [num]
Remove old Configuration Backups and keep the latest [num]
diff [profile|backup] [profile|backup]
Report differences between Configuration Profiles or Configuration Backups, only specify one [profile|backup] to compare to the
current Configuration
--mregen
MESSENGERV2 /etc/apache2/conf.d/csf_messenger.conf regeneration. This will also gracefully restart httpd
--cloudflare [command]
Commands for interacting with the CloudFlare firewall. See /etc/csf/readme.txt and CF_ENABLE for more detailed information
Note: target can be one of: An IP address; 2 letter Country Code; IP range CIDR. Only Enterprise customers can block a Country
Code, but all can allow and challenge. IP range CIDR is limited to /16 and /24
list [all|block|challenge|whitelist] [user1,user2,domain1...]
List specified type of CloudFlare Firewall rules for comma separated list of users/domains
add [block|challenge|whitelist] target [user1,user2,domain1...]
Add CloudFlare Firewall rule action for target for comma separated list of users/domains only
del target [user1,user2,domain1...]
Delete CloudFlare Firewall rule for target for comma separated list of users/domains only
tempadd [allow|deny] ip [user1,user2,domain1...]
Add a temporary block for CF_TEMP seconds to both csf and the CloudFlare Firewall rule for ip for comma separated list of
users/domains as well as any user set to "any"
-c, --check
Check for updates to csf but do not upgrade
-u, --update
Check for updates to csf and upgrade if available
-uf
Force an update of csf whether an upgrade is required or not
-x, --disable
Disable csf and lfd completely
-e, --enable
Enable csf and lfd if previously disabled
-v, --version
Show csf version
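EXAMPLES
An added example, not part of the csf distribution: a shell helper for automation that checks the arguments of a temporary deny against the -td syntax above and prints the resulting command line instead of running it. The function names, the MAX_TTL cap, the single-port restriction and the reading of the suffixes as minutes, hours and days are assumptions.

```shell
#!/bin/sh
# Added example (not part of csf): validate arguments for a temporary deny
# and print the resulting `csf -td` command line without executing it.

MAX_TTL=604800   # assumed local policy: automated blocks last at most 7 days

# Convert a ttl (plain seconds, or one suffix m/h/d) to seconds.
# Assumes m=minutes, h=hours, d=days.
ttl_to_seconds() {
    num=${1%[mhd]}            # strip a single trailing suffix, if present
    suffix=${1#"$num"}
    case "$num" in ''|0*|*[!0-9]*) return 1 ;; esac
    case "$suffix" in
        '') mult=1 ;; m) mult=60 ;; h) mult=3600 ;; d) mult=86400 ;;
        *) return 1 ;;
    esac
    echo $((num * mult))
}

# build_tempdeny IP TTL [PORT] [DIRECTION] [COMMENT]
build_tempdeny() {
    ip=$1 ttl=$2 port=$3 dir=${4:-in} comment=$5
    # Character allow-list only: rejects empty values, option-like values and
    # shell metacharacters; csf itself still decides if the address is valid.
    case "$ip" in ''|-*|*[!0-9A-Fa-f.:/]*) return 1 ;; esac
    secs=$(ttl_to_seconds "$ttl") || return 1
    [ "$secs" -le "$MAX_TTL" ] || return 1
    case "$dir" in in|out|inout) ;; *) return 1 ;; esac
    cmd="csf -td $ip $ttl"
    if [ -n "$port" ]; then
        case "$port" in *[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
        cmd="$cmd -p $port"
    fi
    cmd="$cmd -d $dir"
    # Keep only harmless characters in the free-text comment.
    comment=$(printf '%s' "$comment" | tr -cd 'A-Za-z0-9 _.-')
    [ -z "$comment" ] || cmd="$cmd $comment"
    echo "$cmd"
}

# Constructed sample input (203.0.113.0/24 is a documentation range).
build_tempdeny 203.0.113.7 2h 22 in "ssh brute force"
```

Entries added this way can be reviewed with csf -t and removed with csf -trd ip.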
FILES
/etc/csf/csf.conf
The system wide configuration file
/etc/csf/readme.txt
Detailed information about csf and lfd
BUGS
Report bugs on the forums at http://forum.configserver.com
AUTHOR
(c)2006-2021, Way to the Web Limited (http://www.configserver.com)
csf(1)