CSF Firewall Situation

[DrWizzle]

I believe CSF firewall was donated to the open source community, there are a few projects but I believe the official project can be found here:

GitHub - Aetherinox/csf-firewall: ConfigServer Security & Firewall (CSF) - Robust linux iptables/nftables firewall & free ipset blocklist service.

ConfigServer Security & Firewall (CSF) - Robust linux iptables/nftables firewall & free ipset blocklist service. - Aetherinox/csf-firewall

github.com

Documentation here:

ConfigServer Firewall - ConfigServer Security & Firewall

docs.configserver.dev

If you want any further info on this popular fork, join his Discord channel. He's very responsive and helpful. There's a few guys there that know the ins and outs of it all so maybe pop across there for a quick chat? And always test it out on a non production server first with data that's not important, or a copy of something you'll be running.

 

[Richard G]

After a while, his ip gets blocked. But the hackscripts don't care about that, and switch to your next server and simply continue.

Yes that's the fun of still using CSF. We have the CSF clustering option in place, if one gets blocked on 1 server, they get blocked on almost all servers (the ones we want added in the cluster).

However I do understand wht you're saying. But using an attack with another ip can always be done, as we've seen in the past from flood attacks coming from 1000's of ip's but one at a time so it would not be seen as flood attack.
CSF can also use community blocklists, so that might not be that different than Crowdsec. Exactly these kind of things were what I liked and still like about CSF. It's still working great and has all kinds of options.
The only problem is the future, something which will be fully nftables compatible and if possible something to replace ipset. Or indeed a complete other system which can use all of this.

It would be nice if a block/unblock by csf/BFM would also trigger a hookscript.

This is already possible if I'm not mistaken.
I'm using a hookscript myself where a BMF block triggers a script which creates a CSF block.

 

[sysdev]

Yes that's the fun of still using CSF. We have the CSF clustering option in place, if one gets blocked on 1 server, they get blocked on almost all servers (the ones we want added in the cluster).

However I do understand wht you're saying. But using an attack with another ip can always be done, as we've seen in the past from flood attacks coming from 1000's of ip's but one at a time so it would not be seen as flood attack.
CSF can also use community blocklists, so that might not be that different than Crowdsec. Exactly these kind of things were what I liked and still like about CSF. It's still working great and has all kinds of options.
The only problem is the future, something which will be fully nftables compatible and if possible something to replace ipset. Or indeed a complete other system which can use all of this.


This is already possible if I'm not mistaken.
I'm using a hookscript myself where a BMF block triggers a script which creates a CSF block.

I'm going to look into the hook scripts again! Didn't see fw related hooks earlier tho.

 

[Richard G]

Didn't see fw related hooks earlier tho.

They might have removed it from the docs. Look for brute_force_notice_ip.sh for example. Might be older but still working.

Ah wait... I found the github link again which has a lot more options and more up to date.

GitHub - poralix/directadmin-bfm-csf: A set of scripts to let Brute Force Monitor in DirectAdmin to block IPs using CSF/LFD. If you need custom installation or support please feel free to request it here or on our site

A set of scripts to let Brute Force Monitor in DirectAdmin to block IPs using CSF/LFD. If you need custom installation or support please feel free to request it here or on our site - poralix/direct...

github.com