Zion Ahead

Well-Known Member
Nov 10, 2006
347
0
166
First, anyone dislike csf/lfd over apf/bfd? Why? Share your experience. Just curious.

Second, many legitimate clients get blocked. I don't know what to adjust that I haven't yet. Please help.

csf.conf below

TESTING = "0"
TESTING_INTERVAL = "5"
AUTO_UPDATES = "0"

ETH_DEVICE = ""
ETH_DEVICE_SKIP = ""

TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2083,2087,2096,3306"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"

UDP_IN = "20,21,53,953"
UDP_OUT = "20,21,53,113,123,873,953,6277"

ICMP_IN = "1"
ICMP_OUT = "1"
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "0"
MONOLITHIC_KERNEL = "0"

DROP_LOGGING = "1"
DROP_IP_LOGGING = "0"
DROP_ONLYRES = "0"
DROP_NOLOG = "67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127"

PACKET_FILTER = "1"
VERBOSE = "1"
DYNDNS = "0"
ALLOW_RES_PORTS = "1"
DENY_IP_LIMIT = "100"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
LF_GLOBAL = ""

LF_DAEMON = "1"
LF_TRIGGER = "0"
LF_SELECT = "1"

LF_SSHD = "2"
LF_FTPD = "10"
LF_POP3D = "10"
LF_IMAPD = "10"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_CPANEL = "5"
LF_CSF = "1"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"

LF_SCRIPT_ALERT = "0"
LF_SCRIPT_LIMIT = "100"
LF_SCRIPT_PERM = "0"
LF_DIRWATCH = "60"

LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTERVAL = "300"
LF_PARSE = "5"
LF_EMAIL_ALERT = "1"

LT_EMAIL_ALERT = "1"
LT_POP3D = "0"
LT_IMAPD = "0"
LF_DSHIELD = "0"
LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
LF_SPAMHAUS = "0"
LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"

CT_LIMIT = "0"
CT_INTERVAL = "90"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "300"

PT_LIMIT = "60"
PT_SKIP_HTTP = "1"
PT_USERPROC = "0"
PT_SMTP = "0"

IPTABLES = "/sbin/iptables"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
NETSTAT = "/bin/netstat"
PS = "/bin/ps"
FUSER = "/sbin/fuser"
 

jayh38

Well-Known Member
Mar 3, 2006
1,213
0
166
You probably get notifications that tell you why they were blocked.
Either too many connections or too many failed login attempts.

WHM has a detailed explanation of each setting.
 

hodfords

Active Member
Feb 22, 2002
43
1
308
We are constantly getting legitimate clients not being able to access webmail or smtp server being blocked out.

Resource is scarce on Google to deal with false positives...

(1) Where to check why clients are locked out? /var/log/messages? Hard to distinguish between legitimate or illegitimate without knowing client's ip address...

(2) Any solutions to circumvent?

Thanks
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Friendly Moderator Note

Best place to seek support is at configserver (ConfigServer Scripts Forum)
I have moved this thread into the cPanel and WHM Security forums area. I agree with what was posted by Zepplin, that the best place to find more specific information regarding the specified third-party software is directly on the applicable vendor web site and via the vendor's official methods of support.

Reference links for "ConfigServer Security & Firewall" (CSF):
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
We are constantly getting legitimate clients not being able to access webmail or smtp server being blocked out.

Resource is scarce on Google to deal with false positives...

(1) Where to check why clients are locked out? /var/log/messages? Hard to distinguish between legitimate or illegitimate without knowing client's ip address...

(2) Any solutions to circumvent?

Thanks
CSF / LFD is vastly superior to APF / BFD .....

If clients are getting blocked, you may have a twofold issue ---

On one hand you might have some configuration settings that might
be set better and on the other hand your clients may be doing something
that they really shouldn't be doing and might need to be slapped a bit.

Give me 5 minutes with your server or email me your csf.conf and
/var/log logs and I can tell you exactly the reason why your clients
are getting blocked and also make it so it's no longer an issue. ;)

My email incidentally is quite literally my name at myself dot com :D
 

Data 1

Well-Known Member
May 25, 2008
113
0
66
Columbus Ohio
cPanel Access Level
DataCenter Provider
I have a lot of clients that get blocked also. It always has ended up being something they did!

This is an amazing product and it is incredible that it is free. There is almost crystal clear documentation and articles all over the internet on the usage of this tool. I'm a monthly contributor, I was so impressed.
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
I have a lot of clients that get blocked also. It always has ended up being something they did!
You can adjust the trigger levels and change permanent blocks over to temporary ones so any blocks "self expire" after a short period.

You can also configure CSF / LFD to only block just the service where the bad activity occurred instead of blocking the IP entirely from the server.

Both of the above would be a good idea too ....

See the "LF_TRIGGER" section in /etc/csf/csf.conf

Regarding clients doing something wrong ---

The most common blocking is when clients check their email too many times in an hour and inevitably you have people who set their email clients to check mail at "1" minute or less intervals which is not only unnecessary but also causes substantial loads to the server. Ideally, mail checks should not be performed less than "3" minutes between checks on any given mail server and heavier loaded ones I'd make it more around "5" minimum between checks as the baseline.

The next most common mistake has nothing to do with CSF/LFD but rather the client's own firewall on their computers at home. What they will do is upload files via FTP but fail to set "passive mode" and in doing so their own computer at home mistakes the outbound FTP connection as an incoming hacking attack and cuts the connection and then the host gets blamed for "being down" or "blocking them" and in reality it's their own computer blocking themselves.

The third most common mistake made by clients is using the wrong login or password on accounts and retrying over and over again and this will also get them blocked quickly because it is essentially a "brute force" attack and that is what this technology is trying to prevent. The most common "wrong login" mistake is to fail to use the domain name with email accounts and "extra" ftp accounts. These types of triggers need not be permanent blocks as even a short duration of say 5 minutes would kill the viability of most any legitimate brute force attacks.

I have never known CSF / LFD to make any "false triggers" for anything other than script process detection so if a client gets blocked, they are definitely doing something wrong and the solution at that point is either to get the client to change their behavior (which is sometimes good for them to learn) or adjust the sensitivity settings to make it more difficult for the client to trigger that particular detection item.
 

anton_latvia

Well-Known Member
PartnerNOC
May 11, 2004
392
12
168
Latvia
cPanel Access Level
Root Administrator
Anyway, even if you don't get notification emails, please look in /var/log/lfd.log for the reason why IPs are being blocked. When you have the error description it would be easier to help you.
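
The lfd.log check described in the last post, as an added example (not code from any poster or from ConfigServer): it groups lfd block entries by client IP and trigger so that a caller's address can be matched to the reason for the block. The log lines are constructed, their shape is an assumption (lfd's wording differs between versions), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample (not from the thread). The line shape is an assumption
# modelled on common lfd block messages; wording differs between lfd versions.
SAMPLE_LOG = """\
Mar  3 09:14:02 host lfd[2211]: (imapd) Failed IMAP login from 198.51.100.7 (-): 10 in the last 300 secs - *Blocked in csf* [LF_IMAPD]
Mar  3 09:20:45 host lfd[2211]: (sshd) Failed SSH login from 203.0.113.9 (-): 2 in the last 300 secs - *Blocked in csf* [LF_SSHD]
Mar  3 10:02:11 host lfd[2211]: (imapd) Failed IMAP login from 198.51.100.7 (-): 10 in the last 300 secs - *Blocked in csf* [LF_IMAPD]
Mar  3 10:05:30 host lfd[2211]: (ftpd) Failed FTP login from 198.51.100.7 (-): 10 in the last 300 secs - *Blocked in csf* [LF_FTPD]
Mar  3 10:06:00 host lfd[2211]: constructed non-block line, ignored by the parser
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")      # IPv4 only
TRIGGER_RE = re.compile(r"\[(LF_[A-Z0-9_]+)\]\s*$")     # trailing [LF_...] tag


def summarise_blocks(log_text):
    """Return {client_ip: Counter({trigger: blocks})} for lfd block lines."""
    blocks = {}
    for line in log_text.splitlines():
        head, sep, message = line.partition("lfd[")
        if not sep or "*Blocked in csf*" not in message:
            continue                      # not an lfd block entry
        ip = IP_RE.search(message)        # skips any address in the hostname
        if ip is None:
            continue
        trigger = TRIGGER_RE.search(message)
        name = trigger.group(1) if trigger else "unknown"
        blocks.setdefault(ip.group(), Counter())[name] += 1
    return blocks


def why_blocked(blocks, client_ip):
    """Triggers that blocked one client, most frequent first."""
    return blocks.get(client_ip, Counter()).most_common()


def repeat_offenders(blocks, min_blocks=2):
    """Clients blocked min_blocks times or more, typically a mail or FTP
    client that keeps retrying with the same bad settings."""
    return sorted(ip for ip, c in blocks.items() if sum(c.values()) >= min_blocks)


if __name__ == "__main__":
    for ip, triggers in summarise_blocks(SAMPLE_LOG).items():
        print(ip, dict(triggers))
```

On a server, pass the contents of /var/log/lfd.log to `summarise_blocks` and adjust the two patterns if your lfd version words its block lines differently.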