Integrating RBL Database with CSF Firewall

ConfigServer Security & Firewall (CSF) can import blocklists and load them into iptables, the Linux firewall utility on which CSF is built.

Requirements

First, we recommend that you install IPSET and enable it in CSF Firewall.

You also need to increase the maxelem value in csf.conf; otherwise you will see this kind of error:

Apr  8 06:01:00 localhost lfd[6849]: *Error* [new_MERBL] IPSET: [ipset v7.1: Error in line 131074: Hash is full, cannot add more elements]

Open csf.conf in an editor and set LF_IPSET_MAXELEM:

nano -w /etc/csf/csf.conf

# The following sets the maxelem for ipset sets.
# 
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "16777216"

Importing Blocklists into CSF Firewall

First, log into the server as root and open the blocklists file in your preferred editor. Here we use the nano editor to edit the file /etc/csf/csf.blocklists and add the following three lines:

# Malware.Expert blacklist
# Details: https://malware.expert/howto/integrating-rbl-database-with-csf-firewall
MERBL|86400|0|https://rbl.malware.expert/SERIAL_KEY_HERE/ip.txt

The basic syntax is:

NAME|INTERVAL|MAX|URL

  • NAME: List name with all uppercase alphabetic characters with no spaces and a maximum of 25 characters – this will be used as the iptables chain name
  • INTERVAL: Refresh interval to download the list, must be a minimum of 3600 seconds (an hour), but 86400 (a day) should be more than enough
  • MAX: This is the maximum number of IP addresses to use from the list, a value of 0 means all IPs.
  • URL: The URL to download the list from
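
A pre-flight check for the entry format above, as an added example that is not part of the original article or of CSF: check_entry applies the NAME, INTERVAL and MAX rules to one line, and fits_maxelem compares the entry count of a list with LF_IPSET_MAXELEM. The function names, the http(s) URL check and a local copy of the list with one address per line and "#" comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not CSF code): pre-flight checks for a csf.blocklists entry.
LC_ALL=C; export LC_ALL   # make [A-Z] match ASCII uppercase only

# check_entry 'NAME|INTERVAL|MAX|URL' -> prints "ok" or the first problem found
check_entry() {
    IFS='|' read -r name interval max url <<EOF
$1
EOF
    case $name in
        ''|*[!A-Z]*) echo "NAME must be uppercase letters only"; return 1 ;;
    esac
    [ "${#name}" -le 25 ] || { echo "NAME longer than 25 characters"; return 1; }
    case $interval in
        ''|*[!0-9]*) echo "INTERVAL must be a number of seconds"; return 1 ;;
    esac
    [ "$interval" -ge 3600 ] || { echo "INTERVAL below 3600 seconds"; return 1; }
    case $max in
        ''|*[!0-9]*) echo "MAX must be a number (0 means all IPs)"; return 1 ;;
    esac
    case $url in   # assumption of this example: only http(s) URLs are accepted
        http://*|https://*) echo "ok" ;;
        *) echo "URL must start with http:// or https://"; return 1 ;;
    esac
}

# count_entries FILE -> lines that are neither blank nor "#" comments
count_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# fits_maxelem FILE MAXELEM MAX -> exit 0 if the entries CSF would load fit.
# IPv4 and IPv6 lines are counted together, so the check errs on the safe side.
fits_maxelem() {
    n=$(count_entries "$1")
    # A MAX above 0 caps how many addresses are used from the list
    if [ "$3" -gt 0 ] && [ "$n" -gt "$3" ]; then n=$3; fi
    [ "$n" -le "$2" ]
}

# Demo on the entry from this page; prints "ok"
check_entry 'MERBL|86400|0|https://rbl.malware.expert/SERIAL_KEY_HERE/ip.txt'
```

If fits_maxelem fails for a list, raise LF_IPSET_MAXELEM or set MAX in the entry before restarting, rather than waiting for the "Hash is full" error in lfd.log.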

After you finish editing the file, save it and restart CSF and lfd using:

csf -ra

If the Malware.Expert RBL Database loaded successfully into CSF Firewall, you should see lines similar to these:

csf: IPSET creating set bl_MERBL
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set bl_MERBL src
csf: IPSET creating set bl_6_MERBL
DROP  all opt    in * out *  ::/0  -> ::/0   match-set bl_6_MERBL src
csf: IPSET loading set bl_MERBL with 165311 entries
csf: IPSET loading set bl_6_MERBL with 0 entries
MERBL  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  
MERBL  all opt    in !lo out *  ::/0  -> ::/0  

You may also check the log files to see more details:

tail -f /var/log/lfd.log

A successful entry will look something like this:

Apr  8 06:01:00 localhost lfd[6849]: IPSET: loading set new_MERBL with 165311 entries
Apr  8 06:01:00 localhost lfd[6849]: IPSET: switching set new_MERBL to bl_MERBL
Apr  8 06:01:00 localhost lfd[6849]: IPSET: loading set new_6_MERBL with 0 entries
Apr  8 06:01:00 localhost lfd[6849]: IPSET: switching set new_6_MERBL to bl_6_MERBL