In the CSF firewall, the oldest IP addresses are automatically removed from /etc/csf/csf.deny when DENY_IP_LIMIT is reached. An example is given below:
root@srv [~]# csf -d ip.add.re.ss
csf: DENY_IP_LIMIT (200), the following IP’s were removed from /etc/csf/csf.deny
In the above example, DENY_IP_LIMIT is 200, so the oldest IP in csf.deny was removed when a new IP was added to the deny list.
Setting the deny limit to a very high value will slow down the network and the website. Make sure there are sufficient resources on the server before you increase this value.
To set a new limit, edit the CSF configuration using the nano editor.
Change the lines below:
DENY_IP_LIMIT = "200" to DENY_IP_LIMIT = "500"
DENY_TEMP_IP_LIMIT = "100" to DENY_TEMP_IP_LIMIT = "500"
Save the configuration file and restart CSF to apply the new limits:
root@srv [~]# csf -r
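The procedure above as shell helpers, added here as an example (not code from the original post or from CSF): they read and set the two limits in a csf.conf-style file and report how many csf.deny slots remain before the oldest entries start being removed. The function names and sample files are constructed for illustration, and counting every non-comment, non-Include line as one entry is an assumption about how CSF counts them.

```shell
#!/bin/sh
# Added example (not CSF's own tooling). File paths are arguments, so the
# helpers can be tried on copies before touching the files under /etc/csf.

# Print KEY's value from a csf.conf-style file (lines like: KEY = "200").
csf_conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Set KEY to a numeric VALUE in FILE, keeping the original as FILE.bak.
csf_conf_set() {
    case "$2" in
        ''|*[!0-9]*) echo "not a non-negative integer: $2" >&2; return 1 ;;
    esac
    grep -q "^$1[[:space:]]*=" "$3" || { echo "$1 not in $3" >&2; return 1; }
    cp -p "$3" "$3.bak" || return 1
    sed "s/^\($1[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$2\"/" "$3.bak" > "$3"
}

# Count active csf.deny entries: skip blank lines, comments and Include lines.
csf_deny_count() {
    grep -Ev '^[[:space:]]*(#|$|Include[[:space:]])' "$1" | wc -l | tr -d ' '
}

# Entries that still fit before the oldest ones start being removed.
csf_deny_headroom() {   # args: <csf.conf> <csf.deny>
    limit=$(csf_conf_get DENY_IP_LIMIT "$1")
    [ -n "$limit" ] || { echo "DENY_IP_LIMIT not set in $1" >&2; return 1; }
    echo $(( limit - $(csf_deny_count "$2") ))
}

# Write constructed sample files (documentation-range IPs) into directory $1.
make_sample() {
    printf '%s\n' 'DENY_IP_LIMIT = "200"' 'DENY_TEMP_IP_LIMIT = "100"' > "$1/csf.conf"
    { echo '# constructed sample deny list'
      i=1; while [ "$i" -le 198 ]; do
          echo "192.0.2.$i # constructed sample entry"; i=$((i + 1))
      done; } > "$1/csf.deny"
}

# Demo: 198 of 200 slots used; raising the limit to 500 restores headroom.
d=$(mktemp -d)
make_sample "$d"
echo "headroom at 200: $(csf_deny_headroom "$d/csf.conf" "$d/csf.deny")"
csf_conf_set DENY_IP_LIMIT 500 "$d/csf.conf"
echo "headroom at 500: $(csf_deny_headroom "$d/csf.conf" "$d/csf.deny")"
rm -rf "$d"
```

A headroom near zero means each new `csf -d` will push out an older block, which is the situation shown in the example output above.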