Whitelisting an IP Address in CSF Print

  • CSF, Security, Firewall, Whitelisting, ConfigServer Security & Firewall
  • 1


Using the Quick Allow (csf.allow) option will allow the IP address access to all ports, using Quick Ignore (csf.ignore) will allow the IP address access to all ports and will bypass lfd and modsec rules from locking it out due to malicious behavior and failed login attempts.

Whitelisting an IP address is a temporary measure for troubleshooting and working to correct an underlying issue for the reason the IP address is blocked. It is not recommended as a long-term solution and the IP address can still be blocked by the Login Failure Daemon (lfd) for multiple failed logins or repeated ModSecurity rule violation.

Whitelist using WHM

Use Quick Allow (csf.allow)

  1. Navigate to the Quick Allow section on the CSF home page. 

  2. Enter the IP address you'd like to allow. This will allow the IP address through all ports, but it can still trigger lfd and multiple modsec rule voilations. 

  3. Click on Quick Allow to allow the IP address. 

Use Quick Ignore (csf.ignore)

  1. Enter the IP address in the Quick Ignore section of CSF. 


    Only use this setting for trusted IP addresses. This allows the IP address to bypass all modsec rules, lfd and access all ports to your server.

  2. Click Quick Ignore to allow the IP address through your firewall. lfd will restart after the IP address is whitelisted. 

Whitelist via Command Line

CSF has two main files for whitelisting:




Both files perform different functions, csf.allow is where you add an IP to be allowed through the firewall. If a users IP address is in csf.allow it can still be blocked for login failures in LFD (login failure daemon). If you find that a user is blocked because of LFD, you will need to add the IP address to csf.ignore. With an IP listed in both of these places, it will not be touched by CSF.

To whitelist an IP through csf.allow, run the following command: (replace the example IP address with the one that is blocked)

csf -a

To add the IP to the csf.ignore, you will need to edit the csf.ignore file.

vim /etc/csf/csf.ignore
	#Monitoring Ranges
(add your IP here at the end)

Then restart CSF:

csf -r

The IP address will now be ignored by CSF and LFD and allowed through.

Was this answer helpful?

« Back