How to Use These Blocklists with CSF Firewall

I'm a long-time user and fan of ConfigServer Security & Firewall (CSF), and these lists (and actually, this whole site) were designed with CSF in mind. CSF has a function that allows it to import blocklists and save them to iptables, which is the Linux firewall utility upon which CSF is based.

The lists themselves were also partially generated using CSF, which has the optional ability to execute a script of the root user's choice whenever an IP address is blocked. I wrote simple scripts to record those results in databases, and the lists I make available on this site were created using those databases.

Importing Blocklists into CSF Firewall

If you're using CSF, then the blocklists on this site will be very easy for you to use. If you wanted to use the free badips.txt list, for example, you would simply log into the server as root and edit the file /etc/csf/csf.blocklists to include the following three lines:

        # RJM Blocklist Consolidated Bad IP List (Free)
        # Details: https://www.rjmblocklist.com
        RJMBBADIPS|86400|0|https://www.rjmblocklist.com/free/badips.txt
    

The first commented line is for humans to quickly identify the list. The second is a URL to the site sponsoring the list, also for human users who want to learn more about the list.

The syntax of the third, un-commented line may need a bit of explanation if you're new to this. The basic syntax is:

NAME|INTERVAL|MAX|URL

NAME must be a maximum of 25 upper-case characters. It will become the iptables chain name.

INTERVAL is how often, in seconds, CSF will download the list. It must be a minimum of 3600 (once per hour), but once a day (86400) is the default. In the case of my free badips.txt list or webattack.txt list, because they're only updated once a day, downloading them any more often would be a waste of your server's (and my server's) resources (so please don't).

MAX is the maximum number of IP addresses CSF will import. Because badips.txt has only 250 addresses, you'll probably want to import them all. But some lists have many thousands of addresses that could bog down your server if you imported them all. MAX lets you set a limit.

URL tells CSF where to find the file. It's a good idea to visit the URL using a Web browser first to make sure it's still active and accessible, and to take a look at the list if you like.

The MAX setting is especially important if you're using a list containing many IP addresses. Every additional IP that the firewall has to check against slows down your server, albeit not to an extent that humans would notice. Adding too many IPs, however, will noticeably slow down your server's response times. If your server is lightly loaded, then you can probably afford to load more IP addresses. If it's a very busy server, then not so much. This is one area where you really have to experiment. My personal advice is to start low (say maybe 250). The value "0" means download the whole list.

Finally, you can stop using a list by commenting out the line with a leading #, or by deleting the entry altogether. After any change to /etc/csf/csf.blocklists, you should also restart both CSF and LFD.
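The syntax rules above can be checked mechanically before CSF and LFD are restarted. The following Python linter is an added example, not code from this site or from CSF; the A-Z-only reading of "upper-case characters", the http(s) URL check, the function names, and the blocklist.example entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

NAME_RE = re.compile(r"[A-Z]{1,25}")   # assumption: "upper-case" means A-Z only

def lint_entry(line):
    """Return (entry, problems); entry is None for unused or invalid lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None, []                # blank or commented out: list not in use
    fields = text.split("|", 3)
    if len(fields) != 4:
        return None, ["expected NAME|INTERVAL|MAX|URL"]
    name, interval, maximum, url = fields
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("NAME must be 1-25 upper-case letters")
    if not re.fullmatch(r"[0-9]+", interval) or int(interval) < 3600:
        problems.append("INTERVAL must be an integer >= 3600 seconds")
    if not re.fullmatch(r"[0-9]+", maximum):
        problems.append("MAX must be a non-negative integer (0 = whole list)")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("URL must be an absolute http(s) address")  # assumption
    if problems:
        return None, problems
    return {"name": name, "interval": int(interval), "max": int(maximum), "url": url}, []

def lint_file(text):
    """Return (active entries, {line number: problems}) for a csf.blocklists body."""
    entries, errors = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        entry, problems = lint_entry(line)
        if entry:
            entries.append(entry)
        if problems:
            errors[number] = problems
    return entries, errors

# Constructed sample: the page's entry plus deliberately broken or disabled lines.
SAMPLE = """# RJM Blocklist Consolidated Bad IP List (Free)
RJMBBADIPS|86400|0|https://www.rjmblocklist.com/free/badips.txt
rjm_webattack|600|250|https://blocklist.example/webattack.txt
#OLDLIST|86400|0|https://blocklist.example/old.txt
TOOFEW|86400|250
"""

if __name__ == "__main__":
    print(lint_file(SAMPLE))
```

To lint the live file, pass the contents of /etc/csf/csf.blocklists to `lint_file` instead of `SAMPLE`.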

Please note that if your server runs cPanel, you can edit /etc/csf/csf.blocklists from the CSF WHM Plugin in the "lfd - Login Failure Daemon" section. Otherwise, you'll need to edit the file directly using the text editor of your choice.

Using These Lists with Other Firewalls

Because my blocklists are plain text files, they should work with any firewall that can import text files into its tables. Beyond that, all I can say is that you'll need to check the documentation for the firewall that you use to determine whether it can use my blocklists.
