CSF (ConfigServer Security & Firewall) is one of the most widely used firewalls on servers running cPanel/WHM. It allows advanced server access management, blocking or allowing IP addresses from the command line.
In this article, you will learn how to block, unblock, query, and manage IP addresses in CSF via SSH, including an efficient method for bulk blocking multiple IPs.
Prerequisites
- SSH access to the server with root privileges.
- CSF installed and active on the server. You can verify it with the command csf -v.
Block a single IP
To block (deny) an individual IP address, run:
csf -d 1.2.3.4
Optionally, you can add a comment to identify the reason for the block:
csf -d 1.2.3.4 "Brute force attack detected"
Block an IP range (CIDR)
CSF allows blocking entire IP ranges using CIDR notation. Run any of the following commands according to your needs:
csf -d 111.0.0.0/8
csf -d 111.111.0.0/16
csf -d 111.111.111.0/24
Difference between CIDR ranges
- /8: Blocks all IPs sharing the first octet. Example: 111.0.0.0/8 blocks from 111.0.0.0 to 111.255.255.255 (over 16 million IPs). This is the broadest range.
- /16: Blocks all IPs sharing the first two octets. Example: 111.111.0.0/16 blocks from 111.111.0.0 to 111.111.255.255 (65,536 IPs).
- /24: Blocks all IPs sharing the first three octets. Example: 111.111.111.0/24 blocks from 111.111.111.0 to 111.111.111.255 (256 IPs). This is the most specific and most commonly used range.
Bulk block multiple IPs
When you need to block a large number of IPs, there are two methods:
Method 1: TXT file with for loop
- Create a text file with the IPs you want to block (one IP per line):
nano block.txt
Example file content:
1.2.3.4
5.6.7.8
9.10.11.12
- Run the following command to block all IPs from the file at once:
for i in $(cat block.txt); do csf -d $i; done
Method 2: Edit csf.deny directly (recommended for large lists)
If you need to block hundreds or thousands of IPs, the previous method can be slow because CSF restarts iptables rules with each IP. A more efficient alternative is to add the IPs directly to the deny file and restart CSF once:
- Append the IPs to the csf.deny file:
cat block.txt >> /etc/csf/csf.deny
- Restart CSF to apply the changes:
csf -r
Important: Make sure the block.txt file contains only valid IPs (one per line, no extra spaces or empty lines) before appending it to csf.deny.
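One way to enforce that check before appending, as an added example that is not part of the original article or of CSF. The helper names valid_ipv4 and clean_blocklist are hypothetical, the /8 minimum prefix is an assumed policy, and the script assumes each csf.deny entry starts with the address as its first field.

```sh
# Added example; valid_ipv4 and clean_blocklist are hypothetical helper names.

# Succeed if $1 is an IPv4 address, optionally with a /8 to /32 prefix
# (assumed policy: nothing broader than the widest range used in the article).
valid_ipv4() {
    local addr prefix octet old_ifs
    addr=${1%%/*}
    case $1 in */*)
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split on dots
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print entries of list file $1 that are valid, unique and not already the
# first field of a line in deny file $2; rejected lines go to stderr.
clean_blocklist() {
    local list deny line seen
    list=$1; deny=${2:-/etc/csf/csf.deny}; seen=
    if [ -r "$deny" ]; then
        seen=$(awk 'NF && $1 !~ /^#/ {print $1}' "$deny")
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')  # spaces, tabs, CR
        [ -n "$line" ] || continue                       # empty line
        if ! valid_ipv4 "$line"; then
            echo "rejected: $line" >&2
        elif ! printf '%s\n' "$seen" | grep -qxF -- "$line"; then
            seen=$(printf '%s\n%s' "$seen" "$line")
            echo "$line"
        fi
    done < "$list"
    return 0
}

# Demo on constructed sample files (not real CSF data).
tmp=$(mktemp -d)
printf '1.2.3.4 # existing entry\n' > "$tmp/csf.deny"
printf '1.2.3.4\n 5.6.7.8 \n\n999.1.1.1\n111.111.111.0/24\n5.6.7.8\n' > "$tmp/block.txt"
clean_blocklist "$tmp/block.txt" "$tmp/csf.deny"
rm -rf "$tmp"
# On the server: clean_blocklist block.txt >> /etc/csf/csf.deny && csf -r
```

Review the "rejected:" lines on stderr before restarting CSF; a rejected line usually means a typo or a hostname in the list.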
Temporary blocking
If you want to block an IP for a specific time and have it automatically unblocked, use the -td option. Time is specified in seconds:
csf -td 1.2.3.4 3600 -p 80 "Temporary block 1 hour"
In this example, IP 1.2.3.4 will be blocked for 3600 seconds (1 hour) on port 80. You can omit -p 80 to block all ports.
Unblock an IP
To remove an IP from the permanent block list:
csf -dr 1.2.3.4
To remove an IP from the temporary block list:
csf -tr 1.2.3.4
Allow an IP (whitelist)
To ensure an IP is never blocked (for example, your office IP or an external service), add it to the allow list:
csf -a 1.2.3.4 "Office IP"
To remove an IP from the allow list:
csf -ar 1.2.3.4
Check IP status
Before blocking an IP, it is useful to check if it is already in any CSF list (blocked, allowed, or temporary):
csf -g 1.2.3.4
This command will show which lists the IP appears in and the associated iptables rules.
List all blocked IPs
To view all permanently blocked IPs:
cat /etc/csf/csf.deny
To view temporarily blocked IPs:
csf -t
To view allowed IPs (whitelist):
cat /etc/csf/csf.allow
Quick command reference
- csf -d IP: Block IP permanently.
- csf -dr IP: Unblock permanent IP.
- csf -td IP seconds: Block IP temporarily.
- csf -tr IP: Unblock temporary IP.
- csf -a IP: Allow IP (whitelist).
- csf -ar IP: Remove IP from whitelist.
- csf -g IP: Check IP status.
- csf -t: List temporary blocks.
- csf -r: Restart CSF.
- csf -v: Check CSF version.
Recommendations
- Always check an IP's status with csf -g before blocking it to avoid duplicates or conflicts with the whitelist.
- Use temporary blocks (csf -td) when you're not sure the traffic is permanently malicious.
- For lists of more than 50 IPs, prefer editing csf.deny directly and restarting CSF once.
- Always add your office or primary connection IP to the whitelist with csf -a to avoid locking yourself out.
- Periodically review csf.deny to clean up old blocks that are no longer needed.
- CSF has a default entry limit in csf.deny (controlled by DENY_IP_LIMIT in /etc/csf/csf.conf). If you block many IPs, verify this value is sufficient.