CSF Blacklist Configuration | Cyberpanel

The web is a crazy place to let your server be accessed by anyone. At least known abusive IP addresses shouldn't access your server. For that purpose, you can install CSF from your Cyberpanel dashboard (if you haven't installed it yet) and automate blocking never-ending abusive IPs from a daily updated list.

Find the Security in your side menu and click on CSF. From the newly open page it'll be installed with a single click on to Install now button. You can open the config page either from the newly added ConfigServer Services > ConfigServer Security & Firewall or Security > Firewallwill redirected to it.

From here you have two options;

  1. You can use predefined IP list providers and use the ones you want
  2. You can use a combination of them with this Github repository.

Once you decide go to the config page find LFD Login Failure Daemon section, and press the Lfd Blocklists button.

Option 1

You'll find a lot of commented-out IP list providers. If you pick the first option, you can pick and uncomment the ones that you want to get your IP list from.

Option 2

If you want to use IPSum as your IP list provider pick a level and add these lines to the end of the file and save changes.

Level corresponds to how many diffirent block list providers reported the same IP address. Increasing the level would make sure you'll get less false positives. But also it would mean less ip addresses to block. So I think if 3 different block list provider thinks an IP is malicious, I'd believe them.

# stamparm/ipsum
# Details: https://github.com/stamparm/ipsum#readme
STAMPARM|86400|0|https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt

Don't forget to restart CSF and then LFD after making your changes.

Make sure everything is working

You can check the logs by typing cat /var/log/lfd.log into your console and look for;

testbed lfd[9475]: Retrieved and blocking blocklist STAMPARM IP address ranges
testbed lfd[9475]: IPSET: loading set new_ STAMPARM with 9999 entries
testbed lfd[9475]: IPSET: switching set new_ STAMPARM to bl_ STAMPARM

If you see these lines, the IP list is fetched and being used.

If you see testbed lfd[30409]: Unable to retrieve blocklist STAMPARM - Unable to download: Not Found, you should check the URL and make sure it points to raw text.