What is csf.sips

[onlanka]

I see a new feature named "Deny Server IPs" - Deny access to and from specific IP addresses configured on the server (csf.sips).

After clicking this I can see my own server IPs.

If I deny one of them, will my server be completely inaccessible by itself?

[Aetherinox]

This file is used to basically drop known bad actors that you want to hard-ban from accessing your server. Any IPs in that file will have an iptables DROP rule added for both inbound and outbound traffic so that there is zero communication between your server and the client. The exact DROP rule is:

• -A LOCALINPUT -d <IP> -j DROP

CSF itself doesn't add your own IP to the list, however, it supports adding bad IPs in two ways.

1. Either by adding the string IP to csf.sips, OR;
2. Your csf.sips file can have an Include directive to look in additional folders. An include directive can be placed in the csf.sips file as:

   Include /etc/csf/sips.d/file
   

This means that any IPs in that csf.sips file will be blocked, but it will also look inside the path of your include directive /etc/csf/sips.d/file to block any additional files.

If I deny one of them, will my server be completely inaccessible by itself?

If the DROP rule is the only rule, it could. It greatly depends on how you have your infrastructure set up.

[onlanka]

But in that section I can see my own server IPS listed.

Screenshot

[Aetherinox]

Nevermind, I see what you are asking now. I was thinking the temp deny logic.

Yes, your server IPs should show in the Deny Server tab if you're using the web csf. It will show all network interfaces listed within ifconfig (or similar tools).

The Deny Server interface lists all of the detectable network interfaces on your server. LAN, WAN, etc. Anything detectable by commands such as ifconfig (or similar). This includes docker networks as well (if you run docker).

If you check (enable) one of those and block access, a DROP rule is added at the bottom of your iptables chain.

Rules are ran in order, meaning any rules at the top of the iptables chain, process before any rules below. So if you have whitelisted your own personal IP address which will be accessing the server in csf.allow, that ACCEPT rule takes priority over the global DROP rule for denying access to the server.

If you want to ensure the machine that needs to access the server is whitelisted, add your IP to:

• /etc/csf/csf.allow
• /etc/csf/csf.ignore (for lfd to block scanning)

Then when you cut off access to the server's IP via the Deny Server interface, your whitelisted ACCEPT rules take priority, over the DROP rule. You retain access, and any source IPs that do not trigger a chain's rules, will end up hitting the DROP rule at the bottom and blocking connectivity.

And if you use the CSF web interface, ensure you add your IP to /etc/csf/ui/csf.allow (depending on what UI_* settings you have enabled in the csf config.

[onlanka]

Ok I will whitelist my server IPs as a security measure.

Thank you

[Aetherinox]

Yeah, just drop your IPs inside:

• /etc/csf/csf.allow
• /etc/csf/csf.ignore (for lfd to block scanning)
• /etc/csf/ui/csf.allow (for csf web interface)

Those 3 should ensure your source IP is invisible to whatever blocks you enable.