Enable CSF Block Lists To Block Bots Malicious Traffic

What is CSF Block Lists & how does it protect the VPS from bots?

CSF or Config Server Firewall is an essential firewall that every VPS should have in order to protect the server from being bombarded by thousands of malicious bots. The bots do various nefarious activities such as ‘port scanning’ (looking for which ports are open and vulnerable for intrusion), ‘Brute force login’ (guessing various combinations of username and password) etc.

If the bots are not stopped, they can create enormous load on the VPS and affect its performance.

If CSF detects any nefarious activity, it ‘drops’ the IP involved which means that the IP is blocked. The server does not respond to any requests from the IP address for a predetermined period. This prevents the bot or human from carrying on nefarious activities on the VPS.

The procedure for installing CSF is very simple and is explained here.

In fact, a good idea is also to disable root login and change the default port for SSH from Port 22 to some other random port which the bots cannot guess. This is called hardening the VPS and is explained here.

CSF Block Lists

One little known feature of CSF is that of its Block lists. If enabled, CSF obtains the list of banned IPs from various anti-bot and anti-spam organisations such as spamhaus.org, dshield.org, torproject.org, bogons, projecthoneypot.org, ciarmy.com, bruteforceblocker, openbl.org, maxmind.com, blocklist.de, stopforumspam.com etc.

All the IPs referred to in these lists are blocked from accessing the server by CSF.

Does CSF Block Lists affect the performance of the VPS?

I have used the CSF Block lists on VPS with upto 1 GB RAM and have had no noticable degradation of performance.

Of course, I now have a Scaleway VPS with 8GB RAM which is costing me less than $10 a month and so there is no question of any lag in performance. The VPS is blazing fast. You can check my review of the Scaleway VPS.

The other good thing is that I have loaded the VPS with Centmin Mod. This is an autoinstaller that installs Nginx, PhP, MySQL etc on the VPS. Nginx is very lightweight and Centmin Mod is configured perfectly to ensure that everything uses minimal resources of the VPS.

I have written a detailed guide on how to install Centmin Mod with WordPress.

How to enable CSF Block Lists?

The CSF Block Lists can be accessed with this command:

 nano /etc/csf/csf.blocklists 

This opens the configuration page.

Remove the # mark on the line starting with the rule name to use it.

Restart csf with the command

 csf -r 

Restart LFD (Login Failure Daemon) with the command

 service lfd restart

Here is the entire CSF Block Lists configuration page:

[root@vps356233 lists]# nano /etc/csf/csf.blocklists
  GNU nano 2.3.1                                                              File: /etc/csf/csf.blocklists

###############################################################################
# Copyright 2006-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 25 characters - this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
#
# Note: Some of thsese lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /var/lib/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked
#
# The downloaded list can be a zip file. The zip file MUST only contain a
# single text file of a single IP/CIDR per line

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# Alternative TOR Exit Nodes List
# Details: http://torstatus.blutmagie.de/
ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# OpenBL.org 30 day List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.openbl.org
OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# MaxMind GeoIP Anonymous Proxies
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# Blocklist.de
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.blocklist.de
# This first list only retrieves the IP addresses added in the last hour
BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
# This second list retrieves all the IP addresses added in the last 48 hours
# and is usually a very large list (over 10000 entries), so be sure that you
# have the resources available to use it
BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

# Stop Forum Spam
# Details: http://www.stopforumspam.com/downloads/
# Many of the lists available contain a vast number of IP addresses so special
# care needs to be made when selecting from their lists
STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip

# GreenSnow Hack List
# Details: http://greensnow.co
GREENSNOW|86400|0|http://blocklist.greensnow.co/greensnow.txt

One thought on “Enable CSF Block Lists To Block Bots Malicious Traffic

  1. Ben

    Great tutorial on using CSF. Be careful though, because one typo in a command could lock you out of your server for good. Instead, you could use a service like HeatShield, which will automatically configure your firewall and enable SSH brute force blocking. Check it out at https://heatshield.io.

Leave a Reply

Your email address will not be published. Required fields are marked *