CSF not working properly, doesn't ban IMAP and FTP login failures!

Suurbier

I installed CSF and set up the configuration to ban login failures for Portscans, SSH, IMAP, POP, SMTP and FTP. I tested the security to prove it's working. But CSF is not working properly, IMAP and FTP login failures are not detected or banned. However all other services are functioning normally...

I've run csftest.pl and nothing is wrong. I enabled LFD in the configuration and it is blocking login failures but not all. So I tested this on another server and guess what, exactly the same problem(!)

I am wondering if anyone can confirm this? Or am I the only one having this problem :confused:
 
I will take a look at it, should I disable LFD if I am using BFM?

And is it true that LFD doesn't recognize/block brute force attacks for IMAP and FTP on DirectAdmin installations?
 
I will take a look at it, should I disable LFD if I am using BFM?

In most cases, I'd say, yes, you should disable LFD. But for sure, it is not that simple to do, as CSF continuously adds LFD to /usr/local/directadmin/data/admin/services.status on upgrade. So you might need to chattr it immutable, otherwise DirectAdmin will repeatedly send notifications about stopped LFD.

And is it true that LFD doesn't recognize/block brute force attacks for IMAP and FTP on DirectAdmin installations?

I've never used LFD, maybe Andrea can answer your question.
 
LFD recognizes SSH attempts. I would suggest you use both; they don't conflict. The worst you will have is more security and checks :)

Regards
 
Thanks for all replies! My problem is solved. I enabled BFM and modified the notice template to ban IPs with CSF.

I did the following (fastest way):

/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
Code:
#!/bin/sh
# Add a 24-hour temporary deny in CSF for the IP that BFM passes in $value.
/etc/csf/csf.pl -td "$value" 24h BFM IP Block
exit $?

Code:
chown diradmin:diradmin /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
chmod 700 /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
 
What user do you have on your block_ip.sh script?

I'm trying to do this with APF and APF can only be run as root.
 
Thanks for all replies! My problem is solved. I enabled BFM and modified the notice template to ban IPs with CSF.

I did the following (fastest way):

/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
Code:
#!/bin/sh
# Add a 24-hour temporary deny in CSF for the IP that BFM passes in $value.
/etc/csf/csf.pl -td "$value" 24h BFM IP Block
exit $?

Code:
chown diradmin:diradmin /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
chmod 700 /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh

Hello Suurbier,
I tried to do that but no IPs are banned by LFD.
 
Normally you don't use the block_ip.sh but if you want you can use it like I do.
I created a block_ip.sh with this content:
Code:
#!/bin/sh

# Temporarily deny the IP passed in $ip for 86400 seconds (24 hours).
/etc/csf/csf.pl -td "$ip" 86400 BFM IP Block

exit 0

Next to that I created the brute_force_notice_ip.sh like this:
Code:
#!/bin/sh
# Hand the IP from BFM ($value) to block_ip.sh as $ip.
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip="$value" "$SCRIPT"
exit $?

This way nothing passes by my attention.
However, check which logfiles your system is using. It could be you have to use another logfile in your csf.conf to have CSF check things.
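
A hardened variant of the block_ip.sh hook from the posts above, as an added example that is not part of the original posts and not DirectAdmin's or CSF's own code: it validates the address before it reaches csf.pl and passes it quoted. It assumes BFM supplies the address in `$ip` or `$value` as the thread's scripts do and handles IPv4 only; the `CSF`/`TTL` overrides, the function names and the loopback skip are choices made for this example.

```shell
#!/bin/sh
# Added example: validated block_ip.sh-style hook (function names are hypothetical).
# Assumption: BFM passes the address in $ip or $value, as in the thread's scripts.

CSF="${CSF:-/etc/csf/csf.pl}"   # path used in the thread; override for a dry run
TTL="${TTL:-86400}"             # seconds, the same 24-hour window as the posts

# Return 0 only for a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Policy chosen for this example: never ban loopback or the unspecified address.
never_block() {
    case "$1" in
        127.*|0.*) return 0 ;;
    esac
    return 1
}

# Validate, then hand the quoted address to csf. Returns 2 on rejected input.
block_ip() {
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 2; }
    never_block "$1" && { echo "skipped: protected address $1" >&2; return 0; }
    "$CSF" -td "$1" "$TTL" BFM IP Block
}

# Act only when an address was supplied, so the file can be sourced for testing.
addr="${ip:-${value:-}}"
if [ -n "$addr" ]; then
    block_ip "$addr"
    exit $?
fi
```

Running it with `CSF=echo ip=203.0.113.7` prints the command line instead of changing the firewall.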
 
You're welcome!

Just out of curiosity, how did you fix it? Did you use the scripts like I have or did you only change logfile paths?
 
I think it didn't work because I have BFM notifications off. After putting in your block_ip.sh code I checked after some hours and the IPs are added to the CSF -Temporary IP entries- list with the comment "BFM IP Block".
I also put your file brute_force_notice_ip.sh but with notifications off I think it is not executed.

Greetings
Jonium
 