How can I block IP ranges using CSF Firewall?

CSF Firewall is one of the most complete server security suites around. It can help you to harden the security of your cPanel server up to the max. CSF is an iptables based firewall, and as such, it allows the server administrator to block offending incoming connections.

One of the advanced things it allows is blocking entire IP ranges. A few days ago we published a post on how to calculate the IP addresses in specific CIDR subnet ranges, and today we will show you how to block IP ranges using CSF Firewall.

How to Block IP Ranges in CSF Firewall?

If you want to block a complete IP range in CSF firewall, please follow these steps:

Let’s say you want to block the following IP range:

188.143.xxx.xxx

1.- Login as root into the WHM panel

2.- Search for WHM >> Plugins >> ConfigServer Security & Firewall

3.- Find the “Quick Deny” box and add the following:

188.143.0.0/16

That’s all.

In order for CSF to pick up the changes, you need to restart the firewall.

This kind of IP block can also be done from the Linux terminal using the ‘csf -d’ command, as you see below:

csf -d 188.143.0.0/16

Then run csf -r to apply the changes:

csf -r

How can I block a /8 range?

To block the 188.xxx.xxx.xxx range use this:

188.0.0.0/8

To block the 188.143.232.xxx range use this:

188.143.232.0/24
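Ranges this wide are easy to get wrong, so it is worth confirming how many addresses a prefix covers and that none of your own addresses fall inside it before running ‘csf -d’. The script below is an added example, not part of CSF or of the original article; the function names are hypothetical, the protected addresses are constructed samples, and it handles IPv4 only.

```shell
#!/bin/sh
# Added example: pre-flight check for a range before "csf -d" (POSIX sh).

# Dotted-quad IPv4 -> integer; returns 1 on malformed input.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($o1 << 24) | ($o2 << 16) | ($o3 << 8) | $o4 ))
}

# Exit 0 if address $2 is inside CIDR $1, 1 if outside, 2 on bad input.
in_cidr() {
    bits=${1#*/}
    case $bits in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    net=$(ip_to_int "${1%/*}") || return 2
    addr=$(ip_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $net & $mask )) -eq $(( $addr & $mask )) ]
}

# Number of addresses covered by the prefix length of CIDR $1.
cidr_size() { echo $(( 1 << (32 - ${1#*/}) )); }

# Usage: check_deny_range CIDR PROTECTED_IP...
# Refuses a range covering a protected address; otherwise prints the
# article's commands for review. Nothing is run against the firewall.
check_deny_range() {
    [ $# -ge 2 ] || return 2
    range=$1; shift
    for ip in "$@"; do
        rc=0; in_cidr "$range" "$ip" || rc=$?
        case $rc in
            0) echo "REFUSED: $range covers protected address $ip" >&2; return 1 ;;
            2) echo "ERROR: invalid range or address: $range / $ip" >&2; return 2 ;;
        esac
    done
    echo "# $range covers $(cidr_size "$range") addresses"
    echo "csf -d $range && csf -r"
}

# Constructed protected list (documentation addresses). In an SSH session,
# "${SSH_CLIENT%% *}" holds the address you are connecting from.
check_deny_range 188.143.0.0/16 203.0.113.10 198.51.100.7
```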

How can I check the range was blocked properly?

You can run this command to check if your blocking is active and working as expected:

iptables -L -n | grep 188.143.232
DROP all -- 188.143.232.0/24 0.0.0.0/0
LOGDROPOUT all -- 0.0.0.0/0 188.143.232.0/24

Just replace “188.143.232” with the IP number in your blocked range, that should do the trick.

How can I Block Country IP Ranges in CSF Firewall?

CSF allows you to block an entire country if you want. Just edit the csf.conf file from the terminal:

nano -w /etc/csf/csf.conf

Find this variable:

CC_DENY = ""

and set it to the two-letter ISO 3166-1 country codes you want to block, separated by commas.

Example if you want to block the UK and Russia (the ISO code for the United Kingdom is GB, not UK):

CC_DENY = "GB,RU"

Restart CSF to apply the changes:

csf -r

Conclusion

As you see, if you need to block IP ranges in CSF Firewall you can do it from the command line using ‘csf -d’ or from the ConfigServer Security & Firewall interface in the WHM control panel.

You can even block country IP ranges if you want. Just make sure that neither you nor your users connect from those countries, otherwise none of them will be able to reach your server.

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
