How to whitelist hostnames in ConfigServer Security & Firewall (CSF)

CSF offers the option to whitelist fully qualified domain names (FQDNs). This is useful when you want to allow connections from hosts whose IP addresses change frequently, such as dynamic DNS records. The CSF file that holds the allowed hostnames is /etc/csf.dyndns.


The content of the /etc/csf.dyndns file:

###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#

To whitelist a domain in CSF:

1. Connect to the server

2. Edit the /etc/csf.dyndns and add the hostnames you want to whitelist, one per line. Example:

host22.plothost.com
web.plothost.com

Another option is to use CSF Advanced Allow/Deny Filters, which let you limit the whitelisted hostname to a specific protocol, direction and port instead of granting full access. Read more on this in the CSF readme.txt file. Example:

#allow connections on port 3306 from host host22.plothost.com
tcp|in|d=3306|s=host22.plothost.com

3. Edit the CSF configuration file /etc/csf.conf and set the DYNDNS value to 600 (or another value that suits your needs). The DYNDNS value controls how often lfd checks for IP changes for the hostnames listed in /etc/csf.dyndns; the value 0 shown below disables the feature, so the hostnames will not be resolved at all until you change it.

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
# 
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

4. Restart CSF so the changes take effect

csf -r
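Before restarting, it is worth confirming that every line in csf.dyndns is something lfd can resolve and that DYNDNS is no longer 0. The following POSIX shell script is an added example, not part of the original article or of CSF itself: it rejects entries that are not FQDNs (or Advanced Filters whose s= field is not an FQDN) and reports the configured poll interval. File paths are taken as arguments so constructed sample files stand in for /etc/csf.dyndns and /etc/csf.conf here.

```shell
# Pre-flight check for a csf.dyndns whitelist (added example, not CSF's own code).
# Paths are arguments so constructed sample files can stand in for the real ones.

# Returns 0 when $1 looks like an FQDN: dotted labels of letters, digits and
# hyphens ending in an alphabetic top-level label, so a bare IP such as 192.0.2.10 fails.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Returns 0 when one csf.dyndns line is acceptable: a bare FQDN, or an Advanced
# Allow/Deny Filter (proto|dir|d=port|s=host) whose s= field is an FQDN.
check_entry() {
    case "$1" in
        *\|*) host=$(printf '%s\n' "$1" | tr '|' '\n' | sed -n 's/^s=//p')
              [ -n "$host" ] && is_fqdn "$host" ;;
        *)    is_fqdn "$1" ;;
    esac
}

# Reports every invalid entry in a csf.dyndns file; returns 0 only if all entries pass.
check_dyndns_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed 's/[[:space:]]*$//')   # trim trailing blanks
        case "$line" in ''|\#*) continue ;; esac                  # comments and blank lines are ignored
        check_entry "$line" || { echo "invalid csf.dyndns entry: $line" >&2; bad=$((bad + 1)); }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Prints the DYNDNS poll interval from a csf.conf-style file (0 means the feature is off).
dyndns_interval() {
    sed -n 's/^DYNDNS[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' "$1"
}

# Constructed sample files: the article's hostnames plus one entry that must be rejected.
tmp=$(mktemp -d)
cat > "$tmp/csf.dyndns" <<'EOF'
host22.plothost.com
tcp|in|d=3306|s=web.plothost.com
192.0.2.10
EOF
printf 'DYNDNS = "0"\n' > "$tmp/csf.conf"
check_dyndns_file "$tmp/csf.dyndns" && echo "csf.dyndns: all entries valid"
interval=$(dyndns_interval "$tmp/csf.conf")
if [ "${interval:-0}" -gt 0 ]; then
    echo "lfd will re-resolve the listed hostnames every $interval seconds"
else
    echo "DYNDNS is 0: lfd will not poll csf.dyndns until you set it (e.g. to 600)"
fi
```

On a real host run the same functions against /etc/csf.dyndns and /etc/csf.conf; a non-zero exit from check_dyndns_file means the file needs fixing before csf -r.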
