CSF (ConfigServer Security & Firewall) is widely used for Linux server security. While CSF automatically blocks suspicious IPs, managing blacklists manually in production environments can be tedious and error-prone.
An automated CSF blacklist management system provides:
Real-time alerts when IPs are blocked
Safe automated whitelisting of trusted IPs
Logs and reports for audit purposes
Prevention of accidental downtime
This guide walks you through creating a production-ready, automated CSF monitoring and management system.
Scenario:
Your server hosts a web application accessed by multiple teams worldwide.
CSF occasionally blocks legitimate users after failed login attempts.
Manually checking and whitelisting IPs is slow and error-prone.
Solution:
Automate blacklist monitoring
Alert admins immediately via email or Slack
Auto-whitelist pre-approved trusted IPs
Maintain logs for audit and compliance
Prerequisites:
Linux server with CSF & LFD installed
Root or sudo access
mail or SMTP configured for email alerts
Optional: Slack webhook for real-time alerts
Basic Bash scripting knowledge
Verify CSF:
csf -v
systemctl status csf
Create a simple file to store pre-approved IPs:
mkdir -p /etc/csf/whitelist
nano /etc/csf/whitelist/trusted_ips.txt
Example content:
198.51.100.10 # Monitoring Server
203.0.113.25 # Corporate VPN
Set permissions:
chmod 600 /etc/csf/whitelist/trusted_ips.txt
chown root:root /etc/csf/whitelist/trusted_ips.txt
Create a Bash script /usr/local/bin/csf-monitor.sh:
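#!/bin/bash
# File with trusted IPs (one "IP # comment" entry per line)
WHITELIST="/etc/csf/whitelist/trusted_ips.txt"
# CSF's permanent deny list, one "IP # reason" entry per line
DENYLIST="/etc/csf/csf.deny"
# Placeholder address: set this to your admin mailbox
ADMIN_EMAIL="admin@example.com"
# Get blocked IPs: the first field of each line that starts with an IPv4 address.
# ("csf -g" needs a search pattern, so it cannot list blocks on its own;
# temporary blocks are not in csf.deny and are listed by "csf -t".)
BLOCKED_IPS=$(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1}' "$DENYLIST")
for IP in $BLOCKED_IPS; do
    # Trusted only on an exact match of the whole address (-x) with no regex (-F);
    # grep -q "$IP" would also accept 198.51.100.1 because of 198.51.100.10
    if awk '{print $1}' "$WHITELIST" | grep -qxF -- "$IP"; then
        echo "Trusted IP $IP is blocked. Removing..."
        csf -dr "$IP"
        csf -r
        echo "$(date): Auto-whitelisted $IP" >> /var/log/csf-auto-whitelist.log
        # Optional: send alert email
        echo "Trusted IP $IP was auto-whitelisted" | mail -s "CSF Auto-Whitelist Alert" "$ADMIN_EMAIL"
    else
        # Send alert for unknown IP
        echo "$(date): $IP is blocked by CSF" >> /var/log/csf-blocked.log
        echo "$IP is blocked by CSF" | mail -s "CSF Block Alert" "$ADMIN_EMAIL"
    fi
done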
Make it executable:
chmod +x /usr/local/bin/csf-monitor.sh
Schedule the script to run every 5 minutes:
crontab -e
Add:
*/5 * * * * /usr/local/bin/csf-monitor.sh
Why: Ensures near-real-time monitoring (a check every 5 minutes) without manual intervention.
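An added example (not part of the original guide): the whitelist lookup and the alert bookkeeping as standalone functions, run on constructed files instead of the live firewall. It shows why the lookup must match the whole address (198.51.100.1 is not 198.51.100.10) and, going beyond the guide's script, keeps a state file so a 5-minute cron run reports each IP only once. The function names, the state file and the "IP # comment" deny-list layout are assumptions of this example.

```bash
#!/bin/bash
# Added example: classify blocked IPs without touching the firewall.

# list_ips FILE: print the leading IPv4 address of each "IP # comment" line;
# comment lines, blank lines and malformed entries are skipped.
list_ips() {
    awk '{ sub(/\r$/, "") }
         $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' "$1"
}

# is_trusted IP FILE: succeed only if IP equals a whole whitelist entry.
# -F turns off regex (so "." is literal); -x requires a full-line match.
is_trusted() {
    list_ips "$2" | grep -qxF -- "$1"
}

# classify DENY WHITELIST STATE: print "TRUSTED ip" or "UNKNOWN ip" once per
# blocked IP. STATE (hypothetical file) remembers IPs already reported.
classify() {
    touch "$3"
    list_ips "$1" | sort -u | while read -r ip; do
        if grep -qxF -- "$ip" "$3"; then continue; fi   # already reported
        if is_trusted "$ip" "$2"; then
            echo "TRUSTED $ip"
        else
            echo "UNKNOWN $ip"
        fi
        echo "$ip" >> "$3"
    done
}

# Constructed sample data in a temp directory (not real CSF files).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '198.51.100.10 # Monitoring Server' \
                  '203.0.113.25 # Corporate VPN' > "$d/trusted_ips.txt"
    printf '%s\n' '# constructed deny list' \
                  '198.51.100.10 # lfd: constructed entry' \
                  '198.51.100.1 # lfd: constructed entry' \
                  '203.0.113.200 # lfd: constructed entry' > "$d/deny.txt"
    echo "first run:";  classify "$d/deny.txt" "$d/trusted_ips.txt" "$d/seen"
    echo "second run:"; classify "$d/deny.txt" "$d/trusted_ips.txt" "$d/seen"
    rm -rf "$d"
}
demo
```

In the monitor script, the `TRUSTED` branch is where `csf -dr` would run and the `UNKNOWN` branch is where the alert would be sent.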
A monitoring server IP 198.51.100.10 gets blocked after SSH failures.
Script detects that IP is trusted → auto-whitelists it → logs action → sends email alert.
Unknown IP 203.0.113.200 is blocked → logged → email sent to admin.
This keeps production services running smoothly while maintaining security.
Create Slack webhook URL
Add function to send alerts:
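send_slack_alert() {
    # Placeholder webhook URL: replace with the one Slack generates for you
    WEBHOOK="https://hooks.slack.com/services/XXXX/XXXX/XXXX"
    # MESSAGE is placed inside a JSON string, so it must not contain double quotes
    MESSAGE="$1"
    curl -X POST -H 'Content-type: application/json' --data "{\"text\":\"$MESSAGE\"}" "$WEBHOOK"
}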
Call this function inside the loop:
send_slack_alert "Trusted IP $IP was auto-whitelisted"
send_slack_alert "$IP is blocked by CSF"
Logs for auto-whitelisted IPs:
cat /var/log/csf-auto-whitelist.log
Logs for blocked IPs:
cat /var/log/csf-blocked.log
Alerts via email/Slack keep admins proactive.
Best practices:
Limit whitelist to only trusted IPs
Monitor logs daily for unusual patterns
Do not auto-whitelist unknown IPs
Keep CSF and LFD updated
Test cron and alerts in a staging server before production
Benefits:
Minimizes downtime for trusted services
Provides real-time alerts for blocked IPs
Ensures compliance and audit logs
Automates repetitive firewall management tasks
Reduces risk of human error in production
💡 Pro Tip: Combine this with fail2ban integration to proactively manage repeated failed login attempts across services like SSH, FTP, and email servers, and auto-whitelist critical systems.