CSF Firewall Management
File: assistant/csf_management.go
The CSF (ConfigServer Security & Firewall) management tool provides agent-scoped firewall control for hosting infrastructure. It is restricted to the sysafe agent via IsServerAllowedForAgent() security checks.
Actions
| Action | Aliases | Description |
|---|---|---|
| deny | block | Add IP to CSF deny list |
| allow | unblock | Add IP to CSF allow list |
| remove | - | Remove IP from both deny and allow lists |
| temp_unblock | - | Remove from deny + add to allow list with monitoring note |
| status | - | Show deny/allow IP counts (`csf -s |
| search | - | Search csf.deny, csf.allow, csf.ignore files and LFD log |
Safety Features
- Owner IP Protection: `IsOwnerIP()` check prevents blocking the server owner's IP address
- IP Validation: `isValidIPOrCIDR()` validates IP format before executing commands
- Agent ACL: Only `sysafe` agent can access servers with CSF management enabled
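The sketch below is an added example, not the project's own code: it shows how the owner-IP and format checks can be combined before a deny command string is handed to SSH. `parseTarget`, `denyCommand` and `errOwner` are hypothetical names, the addresses are constructed documentation-range values, and `csf -d` is CSF's deny flag.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

var errOwner = errors.New("target covers the owner IP")

// parseTarget turns an IP or CIDR string into a prefix (hypothetical helper).
// ParseAddr accepts IPv6 zones ("fe80::1%eth0"); a zone is free text, so reject it.
func parseTarget(s string) (netip.Prefix, error) {
	if a, err := netip.ParseAddr(s); err == nil && a.Zone() == "" {
		a = a.Unmap() // ::ffff:198.51.100.7 is the same host as 198.51.100.7
		return netip.PrefixFrom(a, a.BitLen()), nil
	}
	p, err := netip.ParsePrefix(s) // fails on zones, missing "/" and trailing text
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("invalid IP or CIDR %q", s)
	}
	return p.Masked(), nil // 203.0.113.77/24 -> 203.0.113.0/24
}

// denyCommand builds the command string for a deny, or refuses to.
func denyCommand(target, ownerIP string) (string, error) {
	owner, err := netip.ParseAddr(ownerIP)
	if err != nil {
		return "", fmt.Errorf("invalid owner IP %q", ownerIP)
	}
	p, err := parseTarget(target)
	if err != nil {
		return "", err
	}
	if p.Contains(owner.Unmap()) { // also catches a CIDR wrapped around the owner
		return "", errOwner
	}
	out := p.String()
	if p.IsSingleIP() {
		out = p.Addr().String()
	}
	return "csf -d " + out, nil // canonical form only, never the raw input
}

func main() {
	for _, t := range []string{"203.0.113.9", "198.51.100.0/24", "203.0.113.9; id"} {
		fmt.Println(denyCommand(t, "198.51.100.7"))
	}
}
```

Comparing strings is not enough for the owner check: a `/24`, `0.0.0.0/0` or an IPv4-mapped IPv6 form can all cover the owner's address without matching it textually.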
Default Target
hosting.sysafe.co.uk — all commands execute via SSH using dpersistantssh.RunCommand()
Self-Registration
The tool self-registers via init():
```go
func init() {
	RegisterFunction("csf_management", handleCSFManagement)
}
```
Integration
Used by the Nightly Security Audit system (sysafe_security_audit.go) to autonomously block persistent offenders identified during security scans.
See also: Nightly Security Audit, Infrastructure Tools