CSF Firewall with Login Failure Detection + Brute Force Monitor

Status
Not open for further replies.

bartkob
Verified User, joined Sep 12, 2007, 27 messages
Hi,

I have a problem: LFD (Login Failure Detection), part of the CSF Firewall plugin, doesn't block any unwanted activity.

My config (almost all default):
Code:
LF_DAEMON = 1
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_EMAIL_ALERT = 1
LF_SSHD = 5
LF_SSHD_PERM = 1
LF_FTPD = 10
LF_FTPD_PERM = 1

Brute Force Monitor very often sends emails about failed logins (hundreds of tries), but LFD doesn't block them. I also tried logging in to SSH myself with a wrong password. I wasn't blocked, and my IP wasn't whitelisted.
I have two servers and the situation is the same on both. I have no idea why this is happening.

csf.pignore:
Code:
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/anvil
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/httpd

user:mysql
user:postgres
user:myusername
user:dovecot

cmd:/usr/sbin/dovecot
cmd:/sbin/portmap
 
You need to create scripts to integrate BFM and the CSF firewall:

The files are:
/usr/local/directadmin/scripts/custom/block_ip.sh
Code:
#!/bin/sh
# Called by brute_force_notice_ip.sh with the offending address in $ip;
# adds a permanent csf deny entry with the comment "BFM IP Block".
[ -n "$ip" ] || exit 1
/etc/csf/csf.pl -d "$ip" BFM IP Block

exit 0
/usr/local/directadmin/scripts/custom/unblock_ip.sh
Code:
#!/bin/sh
# Called with the address to release in $ip; removes the csf deny entry.
[ -n "$ip" ] || exit 1
/etc/csf/csf.pl -dr "$ip"

exit 0
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
Code:
#!/bin/sh
# DirectAdmin runs this hook with the flagged address in $value;
# hand it to block_ip.sh as $ip and pass its exit status back.
SCRIPT=/usr/local/directadmin/scripts/custom/block_ip.sh
ip="$value" $SCRIPT
exit $?

Then chmod 700 and chown diradmin:diradmin those files

Regards
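The three hook scripts above, folded into one hardened brute_force_notice_ip.sh as an added example; this is not SeLLeRoNe's code or DirectAdmin's. It keeps the thread's csf path (/etc/csf/csf.pl) and DirectAdmin's $value variable, but validates the address before it reaches the csf command line, skips anything listed in csf.allow, and supports a DRY_RUN switch for testing. The log path, the DRY_RUN variable and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): a hardened replacement
# for /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh.
# DirectAdmin exports the flagged address in $value when it runs this hook;
# /etc/csf/csf.pl is the csf path used in the thread. The log path, the
# DRY_RUN switch and the helper names are assumptions.

CSF=/etc/csf/csf.pl
LOG=/var/log/bfm_csf_block.log   # assumed log location

# Accept only a plain dotted-quad IPv4 address, so nothing else (spaces,
# extra arguments, option flags) can reach the csf command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Exact-address match against csf.allow (second argument overrides the path
# for testing); CIDR entries are not expanded. A whitelisted host is never
# handed to csf -d, even if BFM reports it.
is_whitelisted() {
    allow=${2:-/etc/csf/csf.allow}
    [ -r "$allow" ] || return 1
    grep -v '^[[:space:]]*#' "$allow" | grep -Fqw -- "$1"
}

# Handle one address. Returns 0 = blocked (or would be, under DRY_RUN),
# 1 = rejected as malformed, 2 = skipped because whitelisted.
handle_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        echo "reject $ip"
        return 1
    fi
    if is_whitelisted "$ip" "${2:-/etc/csf/csf.allow}"; then
        echo "skip $ip (in csf.allow)"
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $CSF -d $ip BFM IP Block"
    else
        "$CSF" -d "$ip" BFM IP Block
    fi
    return 0
}

# Only act when DirectAdmin supplied $value; otherwise the functions above
# can be sourced or tested without touching the firewall.
if [ -n "${value:-}" ]; then
    handle_ip "$value"
    rc=$?
    printf '%s %s rc=%s\n' "$(date '+%F %T')" "$value" "$rc" >> "$LOG" 2>/dev/null
    exit 0
fi
```

Install it with the same chmod 700 and chown diradmin:diradmin as the original scripts; the exit status is always 0 so that DirectAdmin does not report the hook as failed, and the outcome of each call is written to the log instead.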
 
Integrate BFM and CSF? OK, I could try.

But what about other LFD options, for example: email when someone logs in as root? In my opinion my LFD doesn't work, but I don't know why.
 
Well, maybe email is not configured in csf.conf... on my csf/lfd/bfm everything is working correctly. You should check the web part of csf and see if any value is "red" in the configuration, which indicates a misconfiguration.

And also check csf.conf to see if you have correctly set the from/to mail addresses.

Regards
 
I set email correctly. I received an email from the Connection Tracking module.
In csf.conf I set LF_ALERT_TO = "[email protected]"
Other configuration settings seem fine.
 
Do all other emails arrive at Gmail as well? Have you tried with a local mail address instead of Gmail?

Regards

We don't need to talk about email alerts. For some reason failed login attempts aren't blocked. As I said, I tried it myself from a non-whitelisted IP. I wasn't blocked. Attackers aren't blocked either.
 
OK, I don't know then... because mine is working fine... maybe the csf staff could suggest some things for you to try... I've no idea about that, sorry.

Regards
 

Thanks for this, SeLLeRoNe.
 
You have to change the default log file locations in CSF. SSHD_LOG = /var/log/secure
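A small checker for the point above, as an added example that is not from the thread or from csf: it reads the *_LOG settings from a csf.conf-style file and reports any that point at a file lfd could not read, which is exactly the failure mode where lfd sees no login failures and blocks nothing. The option names (SSHD_LOG, FTPD_LOG and the other *_LOG keys) are csf's own; the function names and the sample config in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from csf: report *_LOG settings in a
# csf.conf-style file that point at files lfd cannot read. The option names
# are csf's own; the function names and any sample config are constructed.

# Print the value of KEY from FILE. csf.conf writes `KEY = "value"`; the
# surrounding quotes and trailing whitespace are stripped, and unquoted
# values such as `LF_SSHD = 5` come out unchanged.
csf_get() {
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*//p' "$2" \
        | head -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# Check the log files lfd's login-failure triggers read. Prints one line per
# key ("ok", "missing" or "unset") and returns non-zero if any key is not
# backed by a readable file. KEYS defaults to the sshd and ftpd settings
# that matter for the LF_SSHD / LF_FTPD triggers discussed in the thread.
check_log_paths() {
    conf=$1
    keys=${2:-"SSHD_LOG FTPD_LOG"}
    rc=0
    for key in $keys; do
        path=$(csf_get "$key" "$conf")
        if [ -z "$path" ]; then
            echo "unset $key"; rc=1
        elif [ -r "$path" ]; then
            echo "ok $key $path"
        else
            echo "missing $key $path"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check_csf_logs.sh /etc/csf/csf.conf ["SSHD_LOG FTPD_LOG POP3D_LOG"]
if [ $# -gt 0 ]; then
    check_log_paths "$@"
fi
```

A "missing" line means lfd is tailing a file that does not exist on that box; point the key at the file the daemon actually writes to (on the thread's systems, /var/log/secure for sshd) and restart lfd.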
 
Hi,
with your solution we need to block IPs manually.
Do you have any solution that does it automatically?
Thanks

 
Actually no, this solution allows you to manually block the IP from BFM and also bans automatically on BFM notification using this script: /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh

Regards
 
We get a lot of emails from BFM, but any time I go and look, csf already has that IP blocked,
so maybe csf needs attention to work, but I don't remember doing anything special to make csf ban those IPs.
Also, I'm assuming that BFM is only a notifying system, and if csf is already taking care of those would-be hackers, then what is the use of letting BFM run?
I'm thinking of just turning off BFM, but then I think: what if? What if csf misses one :(
 
BFM checks some brute force logins that CSF does not, for example login tries/failures to DA itself.
BFM can do some automatic blocking for that part too, so I wouldn't stop running it.
 
When an attack is detected DA will notify the Admins on the box that the attack is in progress.
DA will not block the IPs since that would require a firewall, and DA doesn't manage firewalls.
CSF takes care of port 2222 and BFM only blocks attempts on that port.
Am I wrong?
http://help.directadmin.com/item.php?id=404

 
Definitely wrong :)

CSF and BFM have common checks. CSF is the firewall side and checks for different kinds of attacks; it blocks if it notices something. BFM is, let's say, an "analyzer": it checks for brute force on many services and notifies the admin if it notices something wrong. The scripts are called on admin notification, so once called, the script just tells CSF to ban an IP, and CSF creates the firewall rules for that IP.

Regards
 
DA will not block the IPs since that would require a firewall, and DA doesn't manage firewalls.
Wrong. DA, by means of BFM, does block IPs without a firewall... Check this option in DA's administrator settings:
Blacklist IPs for excessive DA login attempts
 
No, that's a DA internal thing that existed before BFM, and it blocks just access to DA once an attack on the DA login gets noticed.

Regards
 
Now I'm confused. What about that link that Andy included in his post? Does it need to be changed to clarify anything?

Jeff
 