How to Secure Your Server from HTTP/HTTPS Attacks Using CSF (ConfigServer Firewall)


Server security has never been more critical than it is today. Among the most prevalent threats server administrators/DevOps engineers face are DDoS attacks and brute force attempts targeting HTTP (port 80) and HTTPS (port 443). These attacks, often originating from regions like China, Russia, and Japan, can cripple your server if not properly mitigated.

In this technical blog post, I’ll guide you through using CSF (ConfigServer Firewall) to block malicious traffic from specific countries, secure your HTTP and HTTPS ports, and automate the process with a Bash script.

1. What is CSF?

CSF (ConfigServer Firewall) is a powerful and user-friendly firewall application for Linux servers. It simplifies the management of iptables, the built-in Linux firewall, and provides additional features like:

  • IP blocking and whitelisting

  • Country-based blocking

  • Port flood protection

  • Login failure detection (LFD, the Login Failure Daemon)

CSF is widely used to secure servers against brute force attacks, DDoS attacks, and other malicious activities.

2. Identifying the Problem

Imagine this scenario: Your website is down, and your server is under high load. Upon investigation, you notice a massive influx of connections to your HTTP (port 80) and HTTPS (port 443) ports. Many of these connections originate from China, Russia, and Japan. To make matters worse, the attacking IPs keep changing, making it difficult to block them individually.

Here’s how you can diagnose the issue:

Check HTTP and HTTPS Traffic

netstat -an | grep ':80 ' | wc -l   # For HTTP traffic (the trailing space keeps :8080, :800 etc. out of the count)
netstat -an | grep ':443 ' | wc -l  # For HTTPS traffic

List All Connected IPs

netstat -an | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

Check Established and SYN Connections

netstat -ant | grep ESTABLISHED | wc -l   # Established connections
netstat -ant | grep SYN_RECV | wc -l      # Half-open connections; a climbing count is the SYN flood (DDoS) signal

If you notice a high number of connections from specific countries, it’s time to take action.

First, use your cloud provider's firewall to restrict traffic to HTTP (port 80) and HTTPS (port 443) so that only your own IP is allowed. This gives you a stable window to make changes on the server; otherwise the server may keep going down under the high traffic and load while you work.

3. Configuring CSF to Block Traffic from Specific Countries

To configure CSF (ConfigServer Firewall) and block malicious traffic from specific countries, follow these steps.

  1. Start by creating a backup of the CSF configuration file to ensure you can revert changes if needed — run sudo cp /etc/csf/csf.conf /etc/csf/csf.conf.bak.

  2. Next, modify the configuration file to deny traffic from specific countries (e.g., China, Russia, and Japan) by executing sudo sed -i 's/CC_DENY = ""/CC_DENY = "CN,RU,JP"/g' /etc/csf/csf.conf, where CN, RU, and JP are the ISO country codes for the targeted regions. Note that this sed only matches the empty default; if CC_DENY already has a value, edit the line in csf.conf directly. Country blocking also depends on CSF being able to download its country-code lists (configured by CC_SRC in csf.conf), so check that this works on your host.

  3. Then, restart CSF to apply the new rules with sudo csf -r.

  4. Follow this by restarting the Login Failure Daemon (LFD) to enforce the updated settings using sudo systemctl restart lfd.

Step 3: Update CSF’s GeoIP Database

By default, CSF uses an outdated country database. To ensure accurate blocking, update the GeoIP database (note that csf -u checks for and installs updates to CSF itself; the country-code lists are re-downloaded by lfd on the schedule set by CC_INTERVAL in csf.conf):

sudo csf -u

Step 4: Verify CSF Configuration

Check CSF Status:

sudo csf -s

List Temporarily Blocked IPs (CSF's temporary deny/allow entries):

sudo csf -t

Test Country Blocking:

sudo csf -g <IP_ADDRESS>
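As an added example (not code from the original post), the Bash helpers below tighten the diagnosis commands above (they anchor on the local port, so :8080 is not mistaken for :80, and count only half-open SYN_RECV connections) and apply the CC_DENY change from step 2 even when the value is no longer empty. The netstat output and csf.conf fragment are constructed, and set_cc_deny is a hypothetical helper name.

```shell
#!/bin/bash
# Constructed sample of `netstat -ant` output (not captured from a real server).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.9:33333         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:33334         ESTABLISHED'

# Connections whose LOCAL port ($4) is exactly 80 or 443. Anchoring with ":(80|443)$"
# avoids the false positives a bare "grep :80" gives (it also matches :8080, :800, ...).
count_web_conns() {   # reads netstat -ant output on stdin
    awk '$4 ~ /:(80|443)$/ { n++ } END { print n + 0 }'
}

# Half-open connections on the web ports: a climbing SYN_RECV count is the SYN-flood signal.
count_syn_recv() {
    awk '$4 ~ /:(80|443)$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Remote IPs ($5, port stripped) hitting the web ports, one "count ip" line each, busiest first.
top_web_sources() {
    awk '$4 ~ /:(80|443)$/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Set CC_DENY in a csf.conf file. Unlike the post's sed, which only matches the empty
# default CC_DENY = "", this replaces whatever value is currently there.
# $1 = path to csf.conf, $2 = comma-separated ISO codes. Prints the resulting line.
set_cc_deny() {
    sed "s/^CC_DENY = \".*\"/CC_DENY = \"$2\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    grep '^CC_DENY = ' "$1"
}

# Demo on the constructed data
printf '%s\n' "$SAMPLE_NETSTAT" | count_web_conns   # 4
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv    # 1
printf '%s\n' "$SAMPLE_NETSTAT" | top_web_sources   # 3 203.0.113.10 then 1 198.51.100.7
conf=$(mktemp)                                      # constructed csf.conf fragment
printf 'TESTING = "1"\nCC_DENY = "XX"\n' > "$conf"
set_cc_deny "$conf" "CN,RU,JP"                      # CC_DENY = "CN,RU,JP"
rm -f "$conf"
```

On a live server, replace the sample with `netstat -ant | count_web_conns` (or `ss -ant`, which prints the same columns) and point set_cc_deny at /etc/csf/csf.conf, then run csf -r as in step 3.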

4. Automating the Process with a Bash Script

To simplify the process, I’ve created a Bash script that automates all the steps above. Here’s the script:

#!/bin/bash
# Script to Secure HTTP/HTTPS Ports and Block IPs from China, Russia, and Japan
# Author: Nikhil Raj
# Date: Feb 27 2025
set -e   # abort on the first failing command rather than continuing half-configured

# Check server connections (the trailing space limits the match to port 80/443, not 8080 etc.)
http_connections=$(netstat -an | grep ':80 ' | wc -l)
https_connections=$(netstat -an | grep ':443 ' | wc -l)
echo "HTTP Connections: $http_connections"
echo "HTTPS Connections: $https_connections"

# Install CSF if it is not already installed
if ! command -v csf &> /dev/null; then
    sudo apt update
    sudo apt install -y libwww-perl iptables unzip
    cd /usr/src
    sudo wget https://download.configserver.com/csf.tgz
    sudo tar -xzf csf.tgz
    cd csf
    sudo sh install.sh
    sudo csf -v
fi

# Configure CSF: back up csf.conf, then deny the listed ISO country codes
sudo cp /etc/csf/csf.conf /etc/csf/csf.conf.bak
sudo sed -i 's/CC_DENY = ""/CC_DENY = "CN,RU,JP"/g' /etc/csf/csf.conf
# Note: a fresh install ships with TESTING = "1", which clears the rules every few minutes;
# set it to "0" in csf.conf once you have confirmed you can still reach the server.
sudo csf -r
sudo systemctl restart lfd

# Update CSF (csf -u installs CSF updates; lfd refreshes the country-code lists on CC_INTERVAL)
sudo csf -u

By using CSF to block traffic from specific countries and secure your HTTP and HTTPS ports, you can significantly reduce the risk of attacks on your server. The provided Bash script automates the entire process, making it easy to implement these security measures quickly.

Remember, server security is an ongoing process. Regularly update your firewall rules, monitor logs, and stay informed about new threats to keep your server safe.