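"""Command-builder module for ConfigServer Security & Firewall (CSF).

Each function returns a bash command string suitable for execution on a
Linux VPS. CSF installs to /etc/csf/.

Security notes for callers:

* The returned strings are meant to be handed to a shell, normally as root.
  Every caller-supplied value is therefore passed through ``shlex.quote`` or
  checked against a strict pattern before it is spliced into a command.
* Quoting only stops shell metacharacters from being interpreted. It does not
  prove that a value is a well-formed IP address, TTL or line count; callers
  that accept these values from users should validate them first.
"""

import re
import shlex

# Path of the main CSF configuration file edited by the port helpers.
_CSF_CONF = "/etc/csf/csf.conf"

# Port-list directives the port helpers may touch (the same names that
# config_cmd() displays). Anything else is rejected, so a crafted
# protocol/direction value cannot reach the grep/sed expressions.
_PORT_DIRECTIVES = frozenset(
    {
        "TCP_IN",
        "TCP_OUT",
        "UDP_IN",
        "UDP_OUT",
        "TCP6_IN",
        "TCP6_OUT",
        "UDP6_IN",
        "UDP6_OUT",
    }
)

# A single port, or a colon-separated range as used in CSF port lists.
_PORT_TOKEN = re.compile(r"[0-9]{1,5}(?::[0-9]{1,5})?")


def _shell_arg(value) -> str:
    """Return *value* rendered as exactly one shell word."""
    return shlex.quote(str(value))


def _ip_arg(ip) -> str:
    """Return *ip* as one shell word, rejecting empty or option-like values.

    Raises:
        ValueError: if the value is empty or starts with ``-`` (csf would
            read such a value as a command-line option, not as an address).
    """
    text = str(ip)
    if not text or text.startswith("-"):
        raise ValueError(f"invalid IP argument: {ip!r}")
    return shlex.quote(text)


def _port_token(port) -> str:
    """Return *port* as text after checking it is a port or a port range.

    Raises:
        ValueError: if the value is not ``N`` or ``N:M`` with each number in
            1..65535. The strict pattern matters because the result is placed
            inside a sed expression, where shell quoting alone would not help.
    """
    text = str(port)
    if not _PORT_TOKEN.fullmatch(text):
        raise ValueError(f"invalid port: {port!r}")
    if not all(0 < int(part) <= 65535 for part in text.split(":")):
        raise ValueError(f"port out of range: {port!r}")
    return text


def _port_directive(protocol: str, direction: str) -> str:
    """Build the csf.conf directive name, e.g. ``TCP_IN``.

    Raises:
        ValueError: if the combination is not one of the known port lists.
    """
    directive = f"{protocol.upper()}_{direction.upper()}"
    if directive not in _PORT_DIRECTIVES:
        raise ValueError(f"unsupported port directive: {directive!r}")
    return directive


def status_cmd() -> str:
    """Check if CSF is installed, show version and rule summary."""
    return (
        "if [ -x /usr/sbin/csf ]; then "
        "echo '=== CSF Version ===' && csf -v && "
        "echo '=== Rule Summary ===' && csf -l | head -60; "
        "else echo 'CSF is not installed'; fi"
    )


def install_cmd() -> str:
    """Download and install CSF from configserver.com (requires perl, iptables).

    The archive is unpacked in a private ``mktemp -d`` directory rather than
    at fixed names under the world-writable /tmp, so another local user cannot
    pre-create or swap the files that are about to be executed as root.
    As before, the working directory is removed only when every step succeeds.
    """
    # NOTE(review): install.sh runs as root and the download is protected by
    # TLS only. Pin a known-good checksum or signature for csf.tgz and verify
    # it before the tar/sh steps; none is available in this module.
    return (
        "apt-get install -y perl iptables libwww-perl && "
        "workdir=$(mktemp -d) && "
        'cd "$workdir" && '
        "wget https://download.configserver.com/csf.tgz && "
        "tar -xzf csf.tgz && "
        "cd csf && "
        "sh install.sh && "
        'cd / && rm -rf "$workdir"'
    )


def start_cmd() -> str:
    """Start CSF firewall."""
    return "csf -s"


def stop_cmd() -> str:
    """Flush/stop all CSF firewall rules."""
    return "csf -f"


def restart_cmd() -> str:
    """Restart CSF firewall."""
    return "csf -r"


def list_cmd() -> str:
    """List all current firewall rules."""
    return "csf -l"


def allow_ip_cmd(ip: str, comment: str = "") -> str:
    """Allow an IP address through the firewall.

    Args:
        ip: address to allow; shell-quoted, not otherwise validated.
        comment: optional free text; passed to csf as a single quoted word.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    address = _ip_arg(ip)
    if comment:
        return f"csf -a {address} {_shell_arg(comment)}"
    return f"csf -a {address}"


def deny_ip_cmd(ip: str, comment: str = "") -> str:
    """Deny/block an IP address.

    Args:
        ip: address to block; shell-quoted, not otherwise validated.
        comment: optional free text; passed to csf as a single quoted word.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    address = _ip_arg(ip)
    if comment:
        return f"csf -d {address} {_shell_arg(comment)}"
    return f"csf -d {address}"


def remove_ip_cmd(ip: str) -> str:
    """Remove an IP from both allow and deny lists.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    address = _ip_arg(ip)
    # NOTE(review): with `&&` the deny-list removal is skipped whenever the
    # allow-list removal exits non-zero - confirm what `csf -ar` returns for
    # an address that is not listed.
    return f"csf -ar {address} && csf -dr {address}"


def allow_port_cmd(port: int, protocol: str = "tcp", direction: str = "in") -> str:
    """Add a port to the appropriate directive in csf.conf, then restart.

    Args:
        port: port number (or ``N:M`` range) to append to the list.
        protocol: ``tcp``, ``udp``, ``tcp6`` or ``udp6`` (case-insensitive).
        direction: ``in`` or ``out`` (case-insensitive).

    Raises:
        ValueError: if the port or the protocol/direction pair is invalid.
    """
    directive = _port_directive(protocol, direction)
    token = _port_token(port)
    # First expression appends to a non-empty list; the second fills an empty
    # one, so the result never starts with a stray comma. A line changed by
    # the first expression can no longer match the second.
    append = f's/^{directive} = "\\(..*\\)"/{directive} = "\\1,{token}"/'
    seed = f's/^{directive} = ""/{directive} = "{token}"/'
    return (
        f"if grep -q '^{directive} = ' {_CSF_CONF}; then "
        f"sed -i -e '{append}' -e '{seed}' {_CSF_CONF} && "
        "csf -r; "
        f"else echo 'Directive {directive} not found in csf.conf'; fi"
    )


def deny_port_cmd(port: int, protocol: str = "tcp", direction: str = "in") -> str:
    """Remove a port from the appropriate directive in csf.conf, then restart.

    The substitutions are limited to the line of the selected directive.
    Without that address the port would be stripped from every quoted list
    in csf.conf, including the other protocol and direction lists.

    Args:
        port: port number (or ``N:M`` range) to remove from the list.
        protocol: ``tcp``, ``udp``, ``tcp6`` or ``udp6`` (case-insensitive).
        direction: ``in`` or ``out`` (case-insensitive).

    Raises:
        ValueError: if the port or the protocol/direction pair is invalid.
    """
    directive = _port_directive(protocol, direction)
    token = _port_token(port)
    script = (
        f"/^{directive} = /{{"
        f's/,{token},/,/g; s/,{token}"/"/g; s/"{token},/"/g; s/"{token}"/""/g;'
        "}"
    )
    return f"sed -i '{script}' {_CSF_CONF} && csf -r"


def temp_allow_cmd(ip: str, ttl: int = 3600) -> str:
    """Temporarily allow an IP for a given number of seconds.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    return f"csf -ta {_ip_arg(ip)} {_shell_arg(ttl)}"


def temp_deny_cmd(ip: str, ttl: int = 3600) -> str:
    """Temporarily deny an IP for a given number of seconds.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    return f"csf -td {_ip_arg(ip)} {_shell_arg(ttl)}"


def temp_list_cmd() -> str:
    """Show all temporary allow/deny rules."""
    return "csf -t"


def grep_ip_cmd(ip: str) -> str:
    """Search all firewall rules for a specific IP.

    Raises:
        ValueError: if *ip* is empty or starts with ``-``.
    """
    return f"csf -g {_ip_arg(ip)}"


def config_cmd() -> str:
    """Display key CSF configuration directives."""
    return (
        "grep -E '^(TCP_IN|TCP_OUT|UDP_IN|UDP_OUT|TCP6_IN|TCP6_OUT|UDP6_IN|UDP6_OUT|"
        "TESTING|AUTO_UPDATES|SYSLOG|RESTRICT_SYSLOG|LF_ALERT_TO|LF_DSHIELD|"
        "LF_SPAMHAUS|LF_DIRWATCH|LF_INTEGRITY|LF_PARSE|CT_LIMIT|PORTFLOOD|"
        "SYNFLOOD|CONNLIMIT|PORTKNOCKING|CC_DENY|CC_ALLOW) ' /etc/csf/csf.conf"
    )


def log_cmd(lines: int = 50) -> str:
    """Tail the LFD log file."""
    return f"tail -n {_shell_arg(lines)} /var/log/lfd.log"


def test_cmd() -> str:
    """Test iptables modules required by CSF."""
    # NOTE(review): confirm that the installed csf accepts `--test`; the
    # module check is commonly shipped as a separate csftest.pl script.
    return "csf --test"


def uninstall_cmd() -> str:
    """Uninstall CSF."""
    return "/etc/csf/uninstall.sh"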