Sign In
Access your IPWhois.net account
No account? Create one
CSF Firewall Integration
Automatically sync the IPWhois Blacklist to your ConfigServer Security & Firewall deny list. Block known threats before they reach your services.
5 min setup cPanel / WHM Auto-refresh
Blacklist / Docs / CSF Firewall
Overview

ConfigServer Security & Firewall (CSF) is a popular firewall management tool for Linux servers, especially those running cPanel/WHM. This guide shows how to automatically block IPs from the IPWhois Blacklist and optionally report CSF blocks back to the blacklist.

Installation

CSF is typically pre-installed on cPanel servers. If not installed:

cd /usr/src wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf sh install.sh
Method 1: CSF Blocklist (Recommended)

CSF has a built-in blocklist feature. Add the IPWhois Blacklist as a block source in /etc/csf/csf.blocklists:

/etc/csf/csf.blocklists
# IPWhois Blacklist - high-confidence IPs only # Format: NAME|INTERVAL|MAX|URL IPWHOIS|21600|0|https://bl.ipwhois.net/api/browse?format=plaintext&min_confidence=80

Parameters: 21600 = refresh every 6 hours, 0 = no limit on number of IPs. Then restart CSF:

csf -r
Method 2: Script with Reporting

This script fetches the blacklist AND reports CSF blocks back to the community:

/usr/local/bin/ipwhois-csf-sync.sh
#!/bin/bash # Sync IPWhois Blacklist to CSF deny list # Cron: 0 */6 * * * API="https://bl.ipwhois.net/api" LOG="/var/log/ipwhois-csf.log" echo "$(date) - Starting sync" >> "$LOG" # Fetch high-confidence IPs and add to CSF deny COUNT=0 for ip in $(curl -s "$API/browse?format=plaintext&min_confidence=80"); do if ! grep -q "^$ip$" /etc/csf/csf.deny 2>/dev/null; then csf -d "$ip" "IPWhois Blacklist" >/dev/null 2>&1 COUNT=$((COUNT+1)) fi sleep 0.3 done echo "$(date) - Added $COUNT new IPs to CSF deny" >> "$LOG"
sudo chmod +x /usr/local/bin/ipwhois-csf-sync.sh echo "0 */6 * * * root /usr/local/bin/ipwhois-csf-sync.sh" | sudo tee /etc/cron.d/ipwhois-csf
Testing
# Run the script manually sudo /usr/local/bin/ipwhois-csf-sync.sh # Verify IPs were added csf -g 185.220.101.34 # Check the log tail -5 /var/log/ipwhois-csf.log
Troubleshooting
  • CSF deny list full: CSF has a default limit. Increase DENY_IP_LIMIT in /etc/csf/csf.conf (e.g., set to 1000).
  • Script not running: Check cron logs with grep CRON /var/log/syslog. Ensure the script has execute permission.
  • LFD issues: If LFD (Login Failure Daemon) conflicts, ensure CSF testing mode is disabled: set TESTING = "0" in /etc/csf/csf.conf.
IPWhois Blacklist — Community-driven IP threat intelligence — ipwhois.net