Best Way to Temporarily Allow or Deny IP Addresses in CSF

CSF is the most commonly used firewall with many control panels on Linux-based servers. It acts as a wrapper over iptables or ipset and provides a more convenient way to manage them, either graphically or from the command line. In this article, we will see the best ways to temporarily allow or deny IP addresses in CSF from the command line.

Why do we temporarily allow or deny IP addresses in CSF?

In many situations, we might need to allow or deny an IP for a particular time period while doing maintenance, or allow access to a specific port while it is globally blocked.

How to temporarily allow IP addresses in CSF for a time period?

CSF provides switches to allow IPs temporarily for a set time frame. We can also grant temporary access to a specific port only.

Syntax :

csf -ta ip ttl [-p port] [-d direction] [comment]

csf --tempallow ip ttl [-p port] [-d direction] [comment]

TTL is Time to Live and is specified in seconds. If we do not specify it, it defaults to 3600 (1 hour). The port (e.g., 80, 443) and direction (IN, OUT) are optional and are useful when we need more fine-grained rules.

Samples :

# csf -ta 11x.1xx.1xx.xx
ACCEPT  all opt -- in !lo out * 11x.1xx.1xx.xx  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 11x.1xx.1xx.xx
csf: 11x.1xx.1xx.xx allowed on port * for 3600 seconds in and outbound

# csf -ta 11x.1xx.1xx.xx 86400 -p 80
ACCEPT  all opt -- in !lo out * 11x.1xx.1xx.xx  -> 0.0.0.0/0
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 11x.1xx.1xx.xx
csf: 11x.1xx.1xx.xx allowed on port 80 for 86400 seconds in and outbound

How to temporarily block/deny an IP address in CSF for a particular time period?

Syntax:

csf -td ip ttl [-p port] [-d direction] [comment]

csf --tempdeny ip ttl [-p port] [-d direction] [comment]

The TTL here also defaults to 3600 seconds. That means the IP will be blocked or denied for 1 hour if you do not specify a time.

Example (Default)

# csf -td 11x.xx1.1xx.xx1
DROP all opt -- in !lo out * 11x.xx1.1xx.xx1 -> 0.0.0.0/0 
csf: 11x.xx1.1xx.xx1 blocked on port * for 3600 seconds inbound

Example (with time in seconds)

# csf -td 11x.xx1.1xx.xx1 60
DROP all opt -- in !lo out * 11x.xx1.1xx.xx1 -> 0.0.0.0/0
csf: 11x.xx1.1xx.xx1 blocked on port * for 60 seconds inbound
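
A mistyped address, TTL or port is the usual way a temporary rule goes wrong, so the wrapper below checks the arguments of csf -ta and csf -td and prints the resulting command instead of running it. It is an added example, not part of CSF or of the original article: the function names valid_ipv4 and build_csf_temp are hypothetical, the sample address is constructed, and the self-lockout check assumes an SSH login (sshd sets SSH_CLIENT).

```shell
#!/bin/sh
# Added example (not from the CSF project): build_csf_temp is a hypothetical helper.
# It validates arguments and prints the csf command instead of running it.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# usage: build_csf_temp allow|deny IP [TTL_SECONDS] [PORT] [in|out]
build_csf_temp() {
    action=$1; ip=$2; ttl=${3:-3600}; port=${4:-}; dir=${5:-}
    case "$action" in
        allow) flag=-ta ;;
        deny)  flag=-td ;;
        *) echo "action must be allow or deny" >&2; return 2 ;;
    esac
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    case "$ttl" in
        ""|0*|*[!0-9]*) echo "TTL must be a positive number of seconds" >&2; return 2 ;;
    esac
    # SSH_CLIENT is set by sshd as "client_ip client_port server_port".
    ssh_ip=${SSH_CLIENT:-}; ssh_ip=${ssh_ip%% *}
    if [ "$action" = deny ] && [ "$ssh_ip" = "$ip" ]; then
        echo "refusing to block your own SSH client address" >&2; return 3
    fi
    cmd="csf $flag $ip $ttl"
    if [ -n "$port" ]; then
        case "$port" in 0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;; esac
        [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }
        cmd="$cmd -p $port"
    fi
    case "$dir" in
        "") ;;
        in|out) cmd="$cmd -d $dir" ;;
        *) echo "direction must be in or out" >&2; return 2 ;;
    esac
    echo "$cmd"
}

# Constructed sample address from the 203.0.113.0/24 documentation range.
build_csf_temp deny 203.0.113.10 60 22 in
```

Review the printed command, then run it as root once it matches what you intended.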

How to display the current list of temporary allow and deny IP entries with their TTL and comment

CSF provides a way to view all the temporary allows and denies using a simple command. 

csf -t 

csf --temp

Samples: 

# csf -t

A/D         IP address   Port    Dir      Time To Live       Comment
DENY 11x.xx1.1xx.xx1   *    in         59m 44s          Manually added

How to remove an IP from the temporary IP ban or allow list

We can use the -tr (--temprm) switch to remove an IP address from the temporary list.

Syntax:

csf -tr ip

csf --temprm ip

Example:

# csf -tr 11x.xx1.1xx.xx1
DROP all opt -- in !lo out * 11x.xx1.1xx.xx1 -> 0.0.0.0/0
csf: 11x.xx1.1xx.xx1 temporary block removed
csf: There are no temporary IP allows

How to flush out all IPs from the temporary IP entries

CSF provides a simple way to flush out all temporary IPs at once. 

Syntax

csf -tf 

csf --tempf

Samples : 

# csf -tf
DROP all opt -- in !lo out * 11x.xx1.1xx.xx1 -> 0.0.0.0/0
csf: 11x.xx1.1xx.xx1 temporary block removed
csf: There are no temporary IP allows

Temporary bans and allows are useful in many scenarios in shared hosting environments. CSF is an easy-to-use firewall interface with which even newbies can manage the firewall. CSF also supports ipset alongside iptables for faster rule processing. The complete details can be viewed in the readme file.

We hope you enjoyed this guide to temporarily allowing and denying IP addresses in CSF. We also recommend reading our other articles on CSF.

How to install CSF on a cPanel server
