
CSF Firewall Integration

Block blacklisted IPs with ConfigServer Firewall. Step-by-step setup guide with code examples.
186,817 IPs, 8,269 reports, free API

Quick Install

CentOS, RHEL, CloudLinux, AlmaLinux, Rocky, Ubuntu, Debian, Fedora, openSUSE, Amazon Linux, cPanel/WHM, DirectAdmin

Run this command as root to configure CSF blocklist + auto-reporting:

No API key needed (500 reports/day):
curl -sL https://bl.ipwhois.net/api/csf/install | sudo bash
No curl? Use wget:
wget -qO- https://bl.ipwhois.net/api/csf/install | sudo bash

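The installer adds the IPWhois blocklist to CSF, creates an LFD report script (run by cron every 30 minutes), and increases the deny limit if needed. Because it runs as root and changes firewall configuration, you can save the script to a file and read it before running it.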

Sign in for a personalized command with 1,000 reports/day and profile attribution.

Requires: CSF/LFD (cPanel/WHM or standalone), root access
What is CSF?

ConfigServer Security & Firewall (CSF) is a firewall management tool for Linux servers, widely used on cPanel/WHM hosting environments. It provides an iptables-based firewall with a built-in Login Failure Daemon (LFD) that detects brute-force attacks.

CSF has a native blocklist feature that can pull IP lists from external sources (like IPWhois.net Blacklist) and automatically deny them at the firewall level. One line of config, zero scripts.

Block (incoming): Pull blacklisted IPs and deny them at the firewall. Free: 500 req/day, with API key: 1,000/day.
Report (outgoing): Send LFD blocks back to the blacklist. Free: 500/day, with API key: 1,000/day.

Method 1: CSF Blocklist (Recommended)

Add to /etc/csf/csf.blocklists:

/etc/csf/csf.blocklists
# IPWhois.net Blacklist - high-confidence IPs only
IPWHOIS|21600|0|https://bl.ipwhois.net/api/browse?format=plaintext&min_confidence=80

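Parameters: the entry format is NAME|INTERVAL|MAX|URL. 21600 = refresh every 6 hours (the interval is in seconds); 0 = no cap on the number of IPs taken from the list. Then restart CSF: csf -r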

Method 2: Script with Reporting
/usr/local/bin/ipwhois-csf-sync.sh
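#!/bin/bash
# Sync IPWhois.net Blacklist to CSF deny list
# Cron: 0 */6 * * *

API="https://bl.ipwhois.net/api"
LOG="/var/log/ipwhois-csf.log"
# Only strings made of IP-address characters (optional CIDR suffix) are passed to csf
IP_RE='^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$'

echo "$(date) - Starting sync" >> "$LOG"
COUNT=0

# Read the feed line by line; -f keeps an HTTP error page from being parsed as list data
while IFS= read -r ip; do
    [[ "$ip" =~ $IP_RE ]] || continue
    # csf.deny lines look like "IP # comment", so compare against the first field only
    if ! awk '{print $1}' /etc/csf/csf.deny 2>/dev/null | grep -qxF -- "$ip"; then
        csf -d "$ip" "IPWhois.net Blacklist" >/dev/null 2>&1
        COUNT=$((COUNT+1))
    fi
    sleep 0.3
done < <(curl -fsS "$API/browse?format=plaintext&min_confidence=80" 2>>"$LOG")

echo "$(date) - Added $COUNT new IPs to CSF deny" >> "$LOG"

Make the script executable and schedule it:
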
sudo chmod +x /usr/local/bin/ipwhois-csf-sync.sh
echo "0 */6 * * * root /usr/local/bin/ipwhois-csf-sync.sh" | sudo tee /etc/cron.d/ipwhois-csf

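Method 2 hands every line of a remote feed to csf -d as root, so a stricter pre-filter is worth having in front of it. The following is an added example, not part of the IPWhois.net script: it keeps only well-formed public IPv4 addresses and drops private, loopback and operator-protected ones. It assumes an IPv4 feed with one address per line; filter_feed, NEVER_BLOCK and the sample feed are hypothetical names and constructed data.

```sh
#!/bin/sh
# Added example: sanity-filter a plaintext IPv4 feed before any entry reaches `csf -d`.

# Constructed sample feed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_FEED='203.0.113.7
# comment line
198.51.100.23
10.0.0.5
127.0.0.1
192.168.1.10
300.1.1.1
-h
1.2.3.4; reboot
203.0.113.7
198.51.100.99'

# Hypothetical setting: space-separated addresses that must never be denied.
NEVER_BLOCK="198.51.100.99"

# filter_feed: reads feed lines on stdin, prints each acceptable address once.
filter_feed() {
    awk -v never="$NEVER_BLOCK" '
    BEGIN { n = split(never, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    {
        sub(/\r$/, "")                                      # tolerate CRLF line endings
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # whole line must be a dotted quad
        split($0, o, ".")
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) next    # each octet 0-255
        if (o[1] == 0 || o[1] == 10 || o[1] == 127 || o[1] >= 224) next  # reserved, private, loopback, multicast
        if (o[1] == 169 && o[2] == 254) next                # link-local
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next   # private 172.16.0.0/12
        if (o[1] == 192 && o[2] == 168) next                # private 192.168.0.0/16
        if ($0 in keep) next                                # operator allowlist
        if (seen[$0]++) next                                # duplicate
        print
    }'
}

# Stand-alone run: show which sample entries would be handed to csf -d.
printf '%s\n' "$SAMPLE_FEED" | filter_feed
```

In the sync script, the curl output would be piped through filter_feed before the loop that calls csf -d.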
Troubleshooting
  • CSF deny list full: Increase DENY_IP_LIMIT in /etc/csf/csf.conf.
  • Script not running: Check cron logs: grep CRON /var/log/syslog (on RHEL-family systems the cron log is /var/log/cron).
  • LFD issues: Set TESTING = "0" in /etc/csf/csf.conf.