| Current File : //usr/local/bin/csf-lockdown.sh |
#!/bin/bash
set -e
# From internal-addresses.txt
csf_whitelist_internal=(
"10.10.4.0/22"
"10.20.4.0/22"
"10.20.4.0/23"
"10.20.44.0/22"
"10.20.6.128/27"
"10.20.6.192/28"
"10.20.6.208/28"
"10.20.6.224/28"
"10.20.6.64/27"
"10.20.6.96/27"
"10.255.227.0/24"
"10.255.234.128/25"
"10.255.235.0/25"
"10.255.235.128/26"
"10.255.235.192/26"
"10.255.236.128/26"
"10.255.236.192/26"
"10.255.236.64/26"
"10.30.104.0/24"
"10.30.105.0/24"
"10.30.2.0/24"
"10.30.4.0/22"
"10.30.4.0/24"
"10.30.4.25/32"
"10.30.5.0/25"
"10.30.5.128/26"
"10.30.5.192/26"
"10.30.6.0/26"
"10.30.6.128/27"
"10.30.6.160/27"
"10.30.6.192/27"
"10.30.6.224/27"
"10.30.6.64/27"
"10.30.6.96/27"
"10.30.7.128/27"
"10.30.7.160/28"
"10.30.7.176/28"
"10.30.7.240/28"
"104.207.242.179/32"
"10.64.0.13/32"
"10.64.0.215/32"
"10.64.0.9/32"
"10.64.128.23/32"
"10.64.144.12/32"
"10.64.160.20/32"
"10.64.16.34/32"
"10.64.32.173/32"
"10.64.32.43/32"
"10.64.64.16/32"
"10.64.96.24/32"
"10.67.2.78/32"
"10.72.66.194/32"
"10.75.112.2/32"
"10.75.128.110/32"
"10.75.145.159/32"
"10.75.16.13/32"
"10.75.32.15/32"
"10.75.48.21/32"
"10.75.64.25/32"
"10.75.96.12/32"
"10.79.118.251/32"
"10.79.165.30/32"
"172.17.194.102/32"
"172.17.194.11/32"
"172.17.194.116/32"
"172.17.196.114/32"
"172.17.202.105/32"
"172.27.224.3/32"
"185.145.13.79/32"
"192.168.94.0/24"
"192.240.191.2/32"
"192.240.191.51/32"
"207.32.190.51/32"
"208.69.120.26/32"
"208.69.120.31/32"
"208.69.120.33/32"
"209.126.24.34/32"
"209.126.25.175/32"
"209.126.25.207/32"
"209.126.31.103/32"
"2607:fad0:32:a02::/64"
"2607:fad0:32:a03::/64"
"50.28.37.114/32"
"50.28.76.132/32"
"50.28.99.244/32"
"65.183.185.186/32"
"66.51.154.178/32"
"69.160.55.103/32"
"69.167.129.192/28"
)
# Add each whitelist entry
for ip in "${csf_whitelist_internal[@]}"; do
csf -a "$ip" "2026-05-03 CVE mitigation"
done
sed -i.2026-05-03_CVE.bak -E '/^(TCP_IN|TCP6_IN)[[:space:]]*=/ {
s/\b(22|522)\b//g;
s/[[:space:]]*,[[:space:]]*/,/g;
s/,,+/,/g;
s/"[[:space:]]*,?/"/;
s/,?[[:space:]]*"/"/g;
}' /etc/csf/csf.conf
csf -r