
How to Whitelist a Dynamic IP Address in CSF Firewall


ConfigServer Security and Firewall (CSF) is a popular firewall application for Linux servers. Among the things it is able to do is block IP addresses that repeatedly enter bad passwords or otherwise act suspiciously.

After setting up CSF, one of the first things server administrators and webmasters do is "whitelist" their own IP addresses so they won't accidentally lock themselves out of the server. Locking yourself out is easy to do when, for example, troubleshooting a mail problem. IP addresses that are whitelisted are ignored by CSF, so they won't be locked out.

Whitelisting your IP address is easy to do if you have a static IP address that never changes. But what about if you have a dynamic IP address? Is there a way to whitelist an IP address that can change at any time?

Fortunately, the answer is yes. CSF provides a way to whitelist any number of dynamic IP addresses so you will never have to worry about the firewall locking you out of your own server. All you need is root access to the server and a hostname associated with your dynamic IP address.

Let me explain it to you.


How to Obtain a Hostname for a Dynamic IP Address

In order to tell CSF to ignore your dynamic IP address, you have to obtain a hostname from a Dynamic DNS provider. My personal favorite is NO-IP, but there are others. Once you decide which one you like, open an account and set up a hostname. For example, you may call your hostname example.example.net.

The next thing you'll need is a router that supports dynamic DNS. Most of them do, but check that the router supports your chosen dynamic DNS provider before buying it.

Once you get your router, look for a setting called "Dynamic DNS" or something quite similar, and enter your dynamic DNS provider account information. Typically this will be your user name, password, and hostname. Once you apply that information, the router will inform your dynamic DNS provider every time your IP address changes.

If you don't have a router, your dynamic DNS provider may have an app that downloads to your device to update your IP address any time it changes.


How to Whitelist a Hostname in CSF Firewall

The first thing you have to do to tell CSF to ignore your dynamic IP address is log into the server using SSH and place your hostname in CSF's dyndns file, typically located at /etc/csf/csf.dyndns

Use a text editor to open that file for editing. You'll see something that looks like this:


###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#

Just append your dynamic DNS hostname to that file, and save it, like this:


###############################################################################
# Copyright 2006-2018, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#
example.example.net

Next, go into CSF's configuration file, either by directly editing /etc/csf/csf.conf or by using your server control panel's Web interface for CSF. The two changes you want to make are to set DYNDNS to a reasonable interval like 300 (five minutes) or 600 (ten minutes), and to set DYNDNS_IGNORE to a value of 1. The first setting defines how often CSF will check to see if your IP address has changed, and the second tells it to ignore the IP addresses of every hostname listed in /etc/csf/csf.dyndns

Once you're done, restart csf and lfd, and you're good to go.
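The three steps above as one re-runnable shell script, added here as an example and not part of the original article or of CSF itself. It assumes csf.conf's KEY = "value" line layout and the csf -ra restart command; the file paths default to /etc/csf but can be overridden so the functions can be tried on copies of the files before touching the live ones.

```shell
#!/bin/sh
# Constructed example: script the page's procedure for a dynamic DNS hostname.
set -eu

# Assumed defaults; override in the environment to work on copies of the files.
CSF_DYNDNS="${CSF_DYNDNS:-/etc/csf/csf.dyndns}"
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Append an FQDN to csf.dyndns unless that exact line is already present,
# so running the script twice does not create duplicate entries.
csf_add_dyndns_host() {
    host="$1"; file="$2"
    if grep -qxF "$host" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$host" >> "$file"
}

# Set KEY = "VALUE" in csf.conf, replacing the existing line if present and
# appending it otherwise. Uses a temp file instead of sed -i for portability.
csf_set_conf() {
    key="$1"; value="$2"; file="$3"
    if grep -q "^${key} = " "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key} = .*|${key} = \"${value}\"|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Read back the unquoted value of KEY from csf.conf, for verification.
csf_get_conf() {
    sed -n "s|^${1} = \"\(.*\)\"|\1|p" "$2"
}

# The procedure from the article: hostname into csf.dyndns, then DYNDNS to a
# five-minute check interval and DYNDNS_IGNORE on.
csf_whitelist_dyndns() {
    csf_add_dyndns_host "$1" "$CSF_DYNDNS"
    csf_set_conf DYNDNS 300 "$CSF_CONF"
    csf_set_conf DYNDNS_IGNORE 1 "$CSF_CONF"
}

# On the live server, as root, with the default paths, then restart csf and lfd:
#   csf_whitelist_dyndns example.example.net && csf -ra
```

Because DYNDNS_IGNORE exempts every address the hostname resolves to from lfd's blocking, the dynamic DNS account that controls that record deserves the same password care as the server itself.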

If you don't have a router, or if you access the Internet from public WiFi networks, then you'll need to use your dynamic DNS provider's app to update your IP address. Otherwise, the procedure is exactly the same.