The Community Forums


csf / lfd headaches

Discussion in 'Security' started by Zion Ahead, Nov 21, 2006.

  1. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    First, anyone dislike csf/lfd over apf/bfd? Why? Share your experience. Just curious.

    Second, many legitimate clients get blocked. I don't know what to adjust that I haven't yet. Please help.

    csf.conf below

    TESTING = "0"
    TESTING_INTERVAL = "5"
    AUTO_UPDATES = "0"

    ETH_DEVICE = ""
    ETH_DEVICE_SKIP = ""

    TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2083,2087,2096,3306"
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"

    UDP_IN = "20,21,53,953"
    UDP_OUT = "20,21,53,113,123,873,953,6277"

    ICMP_IN = "1"
    ICMP_OUT = "1"
    SMTP_BLOCK = "0"
    SMTP_ALLOWLOCAL = "0"
    MONOLITHIC_KERNEL = "0"

    DROP_LOGGING = "1"
    DROP_IP_LOGGING = "0"
    DROP_ONLYRES = "0"
    DROP_NOLOG = "67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127"

    PACKET_FILTER = "1"
    VERBOSE = "1"
    DYNDNS = "0"
    ALLOW_RES_PORTS = "1"
    DENY_IP_LIMIT = "100"

    GLOBAL_ALLOW = ""
    GLOBAL_DENY = ""
    LF_GLOBAL = ""

    LF_DAEMON = "1"
    LF_TRIGGER = "0"
    LF_SELECT = "1"

    LF_SSHD = "2"
    LF_FTPD = "10"
    LF_POP3D = "10"
    LF_IMAPD = "10"
    LF_HTACCESS = "0"
    LF_MODSEC = "0"
    LF_CPANEL = "5"
    LF_CSF = "1"
    LF_SSH_EMAIL_ALERT = "1"
    LF_SU_EMAIL_ALERT = "1"

    LF_SCRIPT_ALERT = "0"
    LF_SCRIPT_LIMIT = "100"
    LF_SCRIPT_PERM = "0"
    LF_DIRWATCH = "60"

    LF_DIRWATCH_DISABLE = "0"
    LF_DIRWATCH_FILE = "0"
    LF_INTERVAL = "300"
    LF_PARSE = "5"
    LF_EMAIL_ALERT = "1"

    LT_EMAIL_ALERT = "1"
    LT_POP3D = "0"
    LT_IMAPD = "0"
    LF_DSHIELD = "0"
    LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
    LF_SPAMHAUS = "0"
    LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"

    CT_LIMIT = "0"
    CT_INTERVAL = "90"
    CT_EMAIL_ALERT = "1"
    CT_PERMANENT = "0"
    CT_BLOCK_TIME = "300"

    PT_LIMIT = "60"
    PT_SKIP_HTTP = "1"
    PT_USERPROC = "0"
    PT_SMTP = "0"

    IPTABLES = "/sbin/iptables"
    MODPROBE = "/sbin/modprobe"
    IFCONFIG = "/sbin/ifconfig"
    SENDMAIL = "/usr/sbin/sendmail"
    NETSTAT = "/bin/netstat"
    PS = "/bin/ps"
    FUSER = "/sbin/fuser"
  2. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    You probably get notifications that tell you why they were blocked.
    Either too many connections or too many failed login attempts.

    WHM has a detailed explanation of each setting.
     
  3. hodfords

    hodfords Active Member

    Joined:
    Feb 22, 2002
    Messages:
    43
    Likes Received:
    1
    Trophy Points:
    6
    We are constantly getting legitimate clients being blocked out and not able to access webmail or the SMTP server.

    Resource is scarce on Google to deal with false positives...

    (1) Where to check why clients are locked out? /var/log/messages? Hard to distinguish between legitimate or illegitimate without knowing client's ip address...

    (2) Any solutions to circumvent?

    Thanks
     
  4. Zepplin

    Zepplin Well-Known Member

    Joined:
    Oct 23, 2006
    Messages:
    93
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Blue Mountains, Australia
    cPanel Access Level:
    Root Administrator
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Friendly Moderator Note

    I have moved this thread into the cPanel and WHM Security forums area. I agree with what was posted by Zepplin, that the best place to find more specific information regarding the specified third-party software is directly on the applicable vendor web site and via the vendor's official methods of support.

    Reference links for "ConfigServer Security & Firewall" (CSF):
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    CSF / LFD is vastly superior to APF / BFD .....

    If clients are getting blocked, you may have a twofold issue ---

    On one hand you might have some configuration settings that might
    be set better and on the other hand your clients may be doing something
    that they really shouldn't be doing and might need to be slapped a bit.

    Give me 5 minutes with your server or email me your csf.conf and
    /var/log logs and I can tell you exactly the reason why your clients
    are getting blocked and also make it so it's no longer an issue. ;)

    My email incidentally is quite literally my name at myself dot com :D
     
  7. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Agree that posting on the ConfigServer forum is best but I would suggest you start out reviewing the cause for blocks in /var/log/lfd.log
     
  8. Data 1

    Data 1 Well-Known Member

    Joined:
    May 25, 2008
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Columbus Ohio
    cPanel Access Level:
    DataCenter Provider
    I have a lot of clients that get blocked also. It always has ended up being something they did!

    This is an amazing product and it is incredible that it is free. There is almost crystal clear documentation and articles all over the internet on the usage of this tool. I'm a monthly contributor I was so impressed.
     
  9. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    You can adjust the trigger levels and change permanent blocks over to temporary ones so any blocks "self expire" after a short period.

    You can also configure CSF / LFD to only block just the service where the bad activity occurred instead of blocking the IP entirely from the server.

    Both of the above would be a good idea too ....

    See the "LF_TRIGGER" section in /etc/csf/csf.conf

    Regarding clients doing something wrong ---

    The most common blocking is when clients check their email too many times in an hour and inevitably you have people who set their email clients to check mail at "1" minute or less intervals which is not only unnecessary but also causes substantial loads to the server. Ideally, mail checks should not be performed less than "3" minutes between checks on any given mail server and heavier loaded ones I'd make it more around "5" minimum between checks as the baseline.

    The next most common mistake has nothing to do with CSF/LFD but rather the client's own firewall on their computers at home. What they will do is upload files via FTP but fail to set "passive mode" and in doing so their own computer at home mistakes the outbound FTP connection as an incoming hacking attack and cuts the connection and then the host gets blamed for "being down" or "blocking them" and in reality it's their own computer blocking themselves.

    The third most common mistake made by clients is using the wrong login or password on accounts and retrying over and over again and this will also get them blocked quickly because it is essentially a "brute force" attack and that is what this technology is trying to prevent. The most common "wrong login" mistake is to fail to use the domain name with email accounts and "extra" ftp accounts. These types of triggers need not be permanent blocks as even a short duration of say 5 minutes would kill the viability of most any legitimate brute force attacks.

    I have never known CSF / LFD to make any "false triggers" for anything other than script process detection so if a client gets blocked, they are definitely doing something wrong and the solution at that point is either to get the client to change their behavior (which is sometimes good for them to learn) or adjust the sensitivity settings to make it more difficult for the client to trigger that particular detection item.
     
  10. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    Anyway, even if you don't get notification emails, please look in /var/log/lfd.log for the reason why IPs are being blocked. When you have the error description it would be easier to help you.
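    Two replies above (DomineauX's and this one) point at /var/log/lfd.log, and Spiral's post lists the triggers a client usually trips. The following is an added example, not code from the thread or from ConfigServer: a small parser that summarises block lines per trigger tag and answers "why was this IP blocked, and was it temporary?". The sample lines are constructed and the exact lfd.log wording is an assumption; adjust the regex to match your own log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of lfd.log block entries (assumption:
# "(service) reason from IP ... - *Blocked in csf* [for N secs] [LF_TAG]").
SAMPLE_LOG = """\
Nov 21 09:01:11 host lfd[2101]: (pop3d) Failed POP3 login from 203.0.113.5 (XX/-/-): 10 in the last 3600 secs - *Blocked in csf* for 300 secs [LF_POP3D]
Nov 21 09:04:37 host lfd[2101]: (ftpd) Failed FTP login from 198.51.100.7 (XX/-/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Nov 21 09:10:02 host lfd[2101]: (sshd) Failed SSH login from 192.0.2.44 (XX/-/-): 2 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Nov 21 09:12:50 host lfd[2101]: (pop3d) Failed POP3 login from 203.0.113.5 (XX/-/-): 10 in the last 3600 secs - *Blocked in csf* for 300 secs [LF_POP3D]
Nov 21 09:20:19 host lfd[2101]: (imapd) Failed IMAP login from 203.0.113.9 (XX/-/-): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
"""

# Pulls out the service, the offending IP, an optional temporary-block
# duration, and the LF_* trigger tag that csf.conf lets you tune.
BLOCK_RE = re.compile(
    r"\((?P<service>\w+)\) .*? from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"\*Blocked in csf\*(?: for (?P<secs>\d+) secs)? \[(?P<tag>[A-Z0-9_]+)\]"
)

def parse_blocks(log_text):
    """Yield one dict per block line; secs is None when the block was permanent."""
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            secs = m.group("secs")
            yield {"ip": m.group("ip"), "service": m.group("service"),
                   "tag": m.group("tag"), "secs": int(secs) if secs else None}

def summarize(log_text):
    """Count blocks per trigger and collect the IPs behind each, to find the noisy setting."""
    by_tag, ips, permanent = Counter(), defaultdict(set), 0
    for b in parse_blocks(log_text):
        by_tag[b["tag"]] += 1
        ips[b["tag"]].add(b["ip"])
        if b["secs"] is None:
            permanent += 1
    return {"by_tag": dict(by_tag),
            "ips": {k: sorted(v) for k, v in ips.items()},
            "permanent": permanent}

def why_blocked(log_text, ip):
    """For one client IP: list (trigger, service, duration) of every block it caused."""
    return [(b["tag"], b["service"], b["secs"])
            for b in parse_blocks(log_text) if b["ip"] == ip]

if __name__ == "__main__":
    with open("/var/log/lfd.log") as f:   # run against the real log on the server
        print(summarize(f.read()))
```

A trigger that dominates `by_tag` with many distinct customer IPs is the one whose LF_* threshold (or permanent/temporary setting) deserves a second look; a single IP repeating the same tag is the client-side behaviour Spiral describes.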
     