CSF Firewall with Login Failure Detection + Brute Force Monitor

BFM checks some brute force logins that CSF does not, like for example login tries/failures to DA itself.
BFM can do some automatic blocking for that part too, so I wouldn't stop running it.

I would like to add that the following thing is the main reason why BFM should still be enabled: http://forum.configserver.com/viewtopic.php?f=5&t=7821#p22968. Otherwise you could get email/mysql database passwords bruteforced easily :) I hope they will add support for that in the future.
 
I too agree :)
in the past I could have sworn there was a place in csf to add other logs to also scan :confused:
 

CSF (LFD) already checks for login failures to DA. Login failures to /phpMyAdmin, /roundcube, /squirrelmail should be added into the next release of CSF (LFD).
 
thanks Martynas
so they took the suggestion and will include them, that's great!!
just need to go see when they plan on releasing the next version
seems a lot of smtpauth failures lately
 
csf just updated, 7.15 to 7.52
part of the changelog:

On DA servers, if LF_DIRECTADMIN is enabled, DIRECTADMIN_LOG_* will be
scanned for login failures to Roundcube, SquirrelMail and phpMyAdmin
if installed and logging enabled via CustomBuild v2+. Failures will
contribute to the LF_DIRECTADMIN trigger level for that IP

On DA servers, FTPD_LOG now defaults to /var/log/messages on new
installs
 
Yes, CSF 7.50 secures DA servers much better due to the changes listed in the previous post :) BFM blocking is not mandatory with it anymore.
 
I was surprised they added it so soon, and I am real happy about the changes.
Thanks Martynas for posting the request over on CSF forums :)
 
My thoughts were just to turn off BFM and let CSF handle all the work :eek:
 
Well yes, but BFM is a nice graphic interface to check logs and attempts, so maybe it's nice to keep it enabled just for analysis.

CSF is called from BFM just from the script brute_force_notice_ip.sh, so, without that, you have BFM enabled but no action done.

Regards
 
I've left it on for just that :)
but since the csf updates, I no longer receive any BFM notifications because lfd has already taken care of the problem before the BFM level was reached, so all good here
BFM does give us that 'look and see' place so leaving it on is just an extra measure of monitoring :)
 
hey guys?
Seems BFM has picked up on a failure that csf (lfd) missed, this is the 1st from BFM since the update to include mail
does this mean that dovecot1 is not being watched?
also was proftpd1, same IP

it didn't seem to trigger the lfd at all

I looked in csf and the IP was not banned/blocked so I added it

151.250.128.150 noreply@g*********ing.net 1 dovecot1 Sep 27 13:42:22 theserv dovecot[2608]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<noreply@g******ing.net>, method=PLAIN, rip=151.250.128.150, lip=xx.xx.xxx.xxx, session=<Z+HsERIEdACX+oCW>
 
It's just my opinion, but 1 attempt can rarely be caught as a brute force; maybe BFM only shows it to you but didn't act on it, because if it had to act on each failure it would mean that no one can ever make a mistake :)

Regards
 
Well, apparently the changelog pasted by Martynas doesn't mention dovecot; it would be better to ask CSF support, I suppose.

Regards
 
actually I pasted it :)
and that IP is showing up in /var/log/messages and that is being watched.

I also just received another email from BFM again about the same IP
I would think if the IP is banned/blocked, why is BFM still seeing the attempts?
that IP is not any client's
 
Ops XD
Have you checked if the IP is present in csf.deny list?

If so, somehow BFM still notices that from the logs and "thinks" it didn't yet notify you about it.

The things to do would be:
1 - check if CSF has already blocked it; if yes, disable the BFM notification since it should be pretty much not useful at all
2 - If CSF didn't block the IP, check if CSF is running fine and if the csf.conf is up to date (try also a csf -u to update)
3 - If CSF is fine but didn't block the IP, maybe contact CSF staff

Regards
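As an added illustration of steps 1 and 2 above (not code from this thread, CSF or BFM), the following Python counts dovecot auth failures per remote IP from log lines in the same format as the one quoted earlier and flags IPs at or over a trigger level that are missing from a csf.deny-style list. The log lines, the csf.deny content and the trigger value are all constructed sample data; real lfd uses its own matching rules, so this only mimics the check a person would do by hand.

```python
import re
from collections import Counter

# Constructed sample lines in dovecot's pop3/imap-login format (the thread's
# masked line rebuilt with documentation-range placeholder addresses).
SAMPLE_LOG = """\
Sep 27 13:42:22 theserv dovecot[2608]: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<noreply@example.net>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, session=<aaaa>
Sep 27 13:42:30 theserv dovecot[2608]: pop3-login: Disconnected (auth failed, 3 attempts in 5 secs): user=<noreply@example.net>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, session=<bbbb>
Sep 27 13:43:01 theserv dovecot[2608]: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob@example.net>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5, session=<cccc>
Sep 27 13:43:10 theserv dovecot[2608]: pop3-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.9, lip=203.0.113.5
"""

# Constructed csf.deny content: one entry per line, optional "# comment".
SAMPLE_CSF_DENY = """\
198.51.100.7 # constructed example entry
"""

# Only "Disconnected (auth failed, N attempts ...)" lines count; successful
# logins and other disconnects are ignored.
AUTH_FAIL_RE = re.compile(
    r"dovecot\[\d+\]: (?:pop3|imap)-login: Disconnected \(auth failed, (\d+) attempts"
    r".*?rip=(\d{1,3}(?:\.\d{1,3}){3})"
)

def count_auth_failures(log_text):
    """Sum dovecot's own 'N attempts' counter per remote IP (rip=)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[m.group(2)] += int(m.group(1))
    return failures

def load_csf_deny(deny_text):
    """Return the set of entries in a csf.deny-style file, comments stripped."""
    denied = set()
    for line in deny_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            denied.add(entry)
    return denied

def report(log_text, deny_text, trigger):
    """IPs at/over the trigger level, marked 'denied' or 'MISSED' (step 1 above)."""
    failures = count_auth_failures(log_text)
    denied = load_csf_deny(deny_text)
    return {ip: ("denied" if ip in denied else "MISSED")
            for ip, n in failures.items() if n >= trigger}
```

With the constructed data and a trigger of 3, only 198.51.100.7 qualifies and is already denied; lowering the trigger to 1 also surfaces 192.0.2.9 as MISSED, which is the single-attempt case discussed in this thread.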
 
Please check your FTPD_LOG setting in /etc/csf/csf.conf. If you're running pure-ftpd, it should be set to /var/log/messages.
 
thanks guys for responding, I like the new csf but the missed IP trying to hack concerned me
maybe I'm too paranoid lol but after the 1st ever server I had was rooted, I never want to go thru that again (2005)

@SeLLeRoNe
CSF had not blocked it, I manually added to block list
CSF is at latest version 7.53

@smtalk
I did not look directly at /etc/csf/csf.conf but in the plugin I can look at /etc/csf/csf.logfiles
(remember I am not a "command line guy")
I am not using pure, I am using proftp; I had too many problems with pureftp and not being able to log in via ftp

so all are being caught by lfd for ftpd, smtpauth, pop3d; it just seems dovecot1 and this one for proftp1 are being ignored?
can we add here the other places to scan? (/etc/csf/csf.logfiles )

listed are
# All:
/var/log/messages
/var/log/lfd.log
/var/log/cxswatch.log

# RedHat:
/var/log/secure

# Debian/Ubuntu:
/var/log/auth.log
/var/log/daemon.log

# cPanel:
/usr/local/cpanel/logs/error_log
/var/log/exim_paniclog

# DirectAdmin:
/var/log/directadmin/error.log
/var/log/directadmin/security.log
/var/log/exim/paniclog
 
Hello. It doesn't seem that csf/lfd is blocking the IPs that DA detects for me. I have it enabled in DA and CSF, however when I check the IPs are never blocked.

See below conf
# [*]Enable login failure detection of DirectAdmin connections
# This option also detects login failures on DA for Roundcube, SquirrelMail and
# phpMyAdmin if installed and logging enabled via CustomBuild v2+
#
# If you do not want to scan for one or more of DIRECTADMIN_LOG_*, simply set
# the respective option to ""
LF_DIRECTADMIN = "5"
LF_DIRECTADMIN_PERM = "1"

Also note:
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh

Doesn't exist. Should it?
 