CSF and logging/reports/email why?

spacecabbie

So, I've been running CSF since always.

Now, after cleaning about 500k emails, I was wondering...

Why receive emails about blocked?
If CSF's job is to auto-block attacks, ban IPs and log it, why would I want to receive emails? If need be, I can look up in the logs what happened.

Thoughts? What do you do and what process should be followed?
 
It’s just the default option. When I configure CSF I always turn off all alerts. Just search for “EMAIL” or “ALERT” in the settings and turn it off?
The same for su login email alerts etc.; I use Pushover for that.
 
Yup, I have done so for some ATM. I was just wondering about the philosophy behind it, before I decide to turn it off.
 
Well, it's not only fun, but it's also good if you have a small company and you're monitoring certain users having issues and getting in the firewall every time.
You can see when they get a temp block, and unblock them when they get a non-temp block and investigate what's wrong.

I had this a couple of times with some business customers, and then it's good to get those mails and be able to unblock them at once before they go running off to another company.
Of course we investigated the issue and it was solved. At this moment we only get mail when definitive blocks are made.

Why receive emails about blocked?
Probably because you don't have a root forward so root mails are forwarded to your email address, which might be wise to do anyway.
 
Yeah, agree with that. Any chance you want to share config/settings so I only receive perma blocks?
 
Sure, it's quite easy.
Just search for email_alert in csf.conf and disable the ones you do not want to get.

Just 1 thing is strange. I've got this:
LF_EMAIL_ALERT = "0"
and
# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
LF_TEMP_EMAIL_ALERT = "1"

Note the line above. It says the first one has to be enabled to get permanent block emails.
However I've got it like this and set lots of other xx_email_alert settings to 0 (so disabled) and I do only get SSH and SU attempts (which I left enabled) and permanent block mails.
I don't get any temp block.

However, you can play around with this.
Don't forget to reload CSF and LFD after changing.
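
An added example, not part of the original post: a small shell audit that lists every `*_ALERT` toggle in a csf.conf-style file and shows which ones are still enabled, so you can see what will keep generating mail before you reload. The sample file is constructed; `LF_SSH_EMAIL_ALERT` and `LF_SU_EMAIL_ALERT` stand in for the SSH and SU alerts the post says were left on, and treating any value other than "0" as enabled is an assumption of this example.

```shell
#!/bin/sh
# List every setting whose name ends in ALERT as NAME=value.
# Comment lines (such as the "# Note: LF_EMAIL_ALERT must ..." hint) and
# settings like LF_ALERT_TO (an address, not a toggle) are skipped.
list_alerts() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Z0-9_]*ALERT[ \t]*=/ {
            name = $0
            sub(/[ \t]*=.*/, "", name)      # keep text left of "="
            sub(/^[ \t]*/, "", name)
            val = $0
            sub(/^[^=]*=[ \t]*"?/, "", val) # drop name, "=" and opening quote
            sub(/"?[ \t]*$/, "", val)       # drop closing quote
            print name "=" val
        }
    ' "$1"
}

# Names of the alert toggles that are not set to "0" (assumed to mean "on").
enabled_alerts() {
    list_alerts "$1" | awk -F= '$2 != "0" { print $1 }'
}

# Constructed sample in csf.conf syntax, not a real configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LF_ALERT_TO = ""
LF_EMAIL_ALERT = "0"
# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
LF_TEMP_EMAIL_ALERT = "1"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
EOF

echo "All alert toggles:"
list_alerts "$sample"
echo "Still enabled (will keep sending mail):"
enabled_alerts "$sample"
```

Call the two functions with the path to your own csf.conf instead of the sample to audit a live configuration.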
 
I am of the opinion that the philosophy behind defaulting to these alerts being enabled is faulty, no matter what it is. If you don’t get 50,000 SSH login failures in a day, do you even internet?

In my experience it only serves to create two situations:

1. Stress out new admins and make them think they’re under attack 24/7. I mean they are but that’s the life.

2. Overwhelm queues, flood inode usage with maildir, increase bounce rates from IP to Gmail (because if you’re not receiving root emails at Gmail, you’re one of the rare intelligent few who get it).

There’s always exceptions. Richard pointing out a good one. I’m just jaded from answering HostGator support tickets back in the day after VPS customers asked for CSF to be installed ?
 
1. Stress out new admins and make them think they’re under attack 24/7. I mean they are but that’s the life.
I look at it another way. I liked it as a new admin in my time to see and learn what was going on. Also I could see things getting blocked due to the fact that I had my settings too strict. After that, when things were as I like them, I stopped the mails from temp blocks, because they weren't interesting anymore.

But I agree lots of new admins just want a firewall and don't learn from it.
So looking at it this way, to me it seems good policy to enable those and give admins the choice to disable what they don't need anymore. However, one should be a good admin then and learn. Not a click and play admin like a lot of admins out there, not even knowing or wanting to know or learn about what's going on beneath a panel.

As for the permanent blocks... I have my mail settings very strict and sometimes some of my customers change things, forget to change a password on their mobile device or something. Since we have a small company, often I recognize those and can give some extra service to get them out of the firewall and contact them about the issue.

HostGator support tickets back in the day after VPS customers asked for CSF to be installed ?
??? LoL if you want to give your support department a lot of work to do.. hahahaha.
 