csf / lfd headaches

[Zion Ahead]

First, anyone dislike csf/lfd over apf/bfd? Why? Share your experience. Just curious.

Second, many legitmate clients get blocked. I don't know what to adjust that I haven't yet. Please help

csf.conf below

TESTING = "0"
TESTING_INTERVAL = "5"
AUTO_UPDATES = "0"

ETH_DEVICE = ""
ETH_DEVICE_SKIP = ""

TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2083,2087,2096,3306"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"

UDP_IN = "20,21,53,953"
UDP_OUT = "20,21,53,113,123,873,953,6277"

ICMP_IN = "1"
ICMP_OUT = "1"
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "0"
MONOLITHIC_KERNEL = "0"

DROP_LOGGING = "1"
DROP_IP_LOGGING = "0"
DROP_ONLYRES = "0"
DROP_NOLOG = "67,68,111,113,135:139,445,513,520,1026,1027,1234,1433,1434,1524,3127"

PACKET_FILTER = "1"
VERBOSE = "1"
DYNDNS = "0"
ALLOW_RES_PORTS = "1"
DENY_IP_LIMIT = "100"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
LF_GLOBAL = ""

LF_DAEMON = "1"
LF_TRIGGER = "0"
LF_SELECT = "1"

LF_SSHD = "2"
LF_FTPD = "10"
LF_POP3D = "10"
LF_IMAPD = "10"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_CPANEL = "5"
LF_CSF = "1"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"

LF_SCRIPT_ALERT = "0"
LF_SCRIPT_LIMIT = "100"
LF_SCRIPT_PERM = "0"
LF_DIRWATCH = "60"

LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTERVAL = "300"
LF_PARSE = "5"
LF_EMAIL_ALERT = "1"

LT_EMAIL_ALERT = "1"
LT_POP3D = "0"
LT_IMAPD = "0"
LF_DSHIELD = "0"
LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
LF_SPAMHAUS = "0"
LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"

CT_LIMIT = "0"
CT_INTERVAL = "90"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "300"

PT_LIMIT = "60"
PT_SKIP_HTTP = "1"
PT_USERPROC = "0"
PT_SMTP = "0"

IPTABLES = "/sbin/iptables"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
NETSTAT = "/bin/netstat"
PS = "/bin/ps"
FUSER = "/sbin/fuser"
Edit/Delete Message

 

[jayh38]

You probably get notifications that tells you why they were blocked.
Either too many connections or too many failed login attempts.

The whm has a detailed explanation of each setting.

 

[hodfords]

We are constantly getting legitimate clients not being able to access webmail or smtp server being blocked out.

Resource is scarce on Google to deal with false positives...

(1) Where to check why clients are locked out? /var/log/messages? Hard to distinguish between legitimate or illegitimate without knowing client's ip address...

(2) Any solutions to circumvent?

Thanks

 

[Zepplin]

Best place to seek support is at configserver ConfigServer Scripts Forum - Powered by vBulletin

 

[cPanelDon]

Friendly Moderator Note

Best place to seek support is at configserver ConfigServer Scripts Forum - Powered by vBulletin

I have moved this thread into the cPanel and WHM Security forums area. I agree with what was posted by Zepplin, that the best place to find more specific information regarding the specified third-party software is directly on the applicable vendor web site and via the vendor's official methods of support.

Reference links for "ConfigServer Security & Firewall" (CSF):

• ConfigServer Security & Firewall
• ConfigServer Scripts Forum
• ConfigServer by Way to the Web (Contact)
• Way to the Web Technical Support

 

[Spiral]

We are constantly getting legitimate clients not being able to access webmail or smtp server being blocked out.

Resource is scarce on Google to deal with false positives...

(1) Where to check why clients are locked out? /var/log/messages? Hard to distinguish between legitimate or illegitimate without knowing client's ip address...

(2) Any solutions to circumvent?

Thanks

CSF / LFD is vastly superior to APF / BFD .....

If clients are getting blocked, you may have a two fold issue ---

On one hand you might have some configuration settings that might
be set better and on the other hand your clients may be doing something
that they really shouldn't be doing and might need to be slapped a bit.

Give me 5 minutes with your server or email me your csf.conf and
/var/log logs and I can tell you exactly the reason why your clients
are getting blocked and also make it so it's no longer an issue.

My email incidentally is quite literally my name at myself dot com :D

 

[DomineauX]

Agree that posting on the ConfigServer forum is best but I would suggest you start out reviewing the cause for blocks in /var/log/lfd.log

 

[Data 1]

I have a lot of clients that get blocked also. It always has ended up being something they did!

This is an amazing product and it is incredible that it is free. There is almost crystal clear documentation and articles all over the internet on the usage of this tool. I'm a monthly contributor I was so impressed.

 

[Spiral]

I have a lot of clients that get blocked also. It always has ended up being something they did!

You can adjust the trigger levels and change permanent blocks over to temporary ones so any blocks "self expire" after a short period.

You can also configure CSF / LFD to only block just the service where the bad activity occurred instead of blocking the IP entirely from the server.

Both of the above would be a good idea too ....

See the "LF_TRIGGER" section in /etc/csf/csf.conf

Regarding clients doing something wrong ---

The most common blocking is when clients check their email too many times in an hour and inevitably you have people who set there email clients to check mail at "1" minute or less intervals which is not only unnecessary but also causes substantial loads to the server. Ideally, mail checks should not be performed less than "3" minutes between checks on any given mail server and heavier loaded ones I'd make it more around "5" minimum between checks as the baseline.

The next most common mistake has nothing to do with CSF/LFD but rather the client's own firewall on their computers at home. What they will do is upload files via FTP but fail to set "passive mode" and in doing so their own computer at home mistakes the outbound FTP connection as an incoming hacking attack and cuts the connection and then the host gets blamed for "being down" or "blocking them" and in reality it's their own computer blocking themselves.

The third most common mistake made by clients is using the wrong login or password on accounts and retrying over and over again and this will also get them blocked quickly because it is essentially a "brute force" attack and that is what this technology is trying to prevent. The most common "wrong login" mistake is to fail to use the domain name with email accounts and "extra" ftp accounts. These types of triggers need not be permanent blocks as even a short duration of say 5 minutes would kill the viability of most any legitimate brute force attacks.

I have never known CSF / LFD to make any "false triggers" for anything other than script process detection so if a client gets blocked, they are definitely doing something wrong and the solution at that point is either to get the client to change their behavior (which is sometimes good for them to learn) or adjust the sensitivity settings to make it more difficult for the client to trigger that particular detection item.

 

[anton_latvia]

anyway, even if you don't get notification emails, please look in /var/log/lfd.log for the reason why IPs are being blocked. when you have error description it would be easier to help you.