CSF/LFD not tracking SSH brute force on Debian 11

k1l0b1t

Hello, I noticed that on Debian 11, SSH failures are not tracked by the brute force monitor (csf/lfd). Does anyone know what changes I have to make for this?
 
Maybe the log format has changed when updating some OS package?

Could you check the logs in the folder "/var/log/" and compare the old log with the new log?
 
I can't really do that, since it's a new box with Debian (and it's the first box with Debian where the SSH ports are actually publicly accessible).
 
Yes, and it's sending SSH login notices (of successful logins), so that's working as intended.
It's just not picking up failed login attempts.
 
In fact, the reporting of successful logins is working really well; I'm seeing tons of successful logins on the git user (I have a Gitea instance installed next to DA).
 
Okay, got some progress:
Time: Tue Dec 14 16:43:54 2021 +0100
IP: 81.244.xx.xx (BE/Belgium/)
Failures: 1 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_TRIGGER] (IP match in csf.allow, block may not work)

Log entries:

Dec 14 16:43:52 webserver sshd[4128986]: Invalid user sdf from 81.244.xx.xx port 60894

This is my IP, from testing.
This does mean it works; the block isn't working, however.

It also isn't showing up in the DirectAdmin BFM

- Never mind, I didn't read it properly: I whitelisted that IP.
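The lfd notice above shows what the sshd check does once it is reading the right file: count failures per source IP inside LF_INTERVAL, and warn when the offending IP also matches csf.allow. As an added example (my own code, not part of this thread and not csf/lfd's code), here is that detection logic run over constructed sshd log lines. The IPs, the csf.allow entry and the year 2021 assumed for the syslog timestamps are all made up for the example; the trigger count defaults to lfd's LF_SSHD default of 5, while the report in the thread was produced with a trigger of 1.

```python
"""Added example, not code from the thread or from csf/lfd: a minimal
sshd brute-force tracker in the spirit of lfd's LF_SSHD check.  It parses
syslog-style sshd lines, counts failures per source IP inside a sliding
interval and, like lfd's notice above, flags an IP that also matches
csf.allow.  Log lines, IPs and the csf.allow entry are all constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log (not the poster's real log).
SAMPLE_AUTH_LOG = """\
Dec 14 16:43:52 webserver sshd[4128986]: Invalid user sdf from 81.244.10.20 port 60894
Dec 14 16:43:55 webserver sshd[4128990]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Dec 14 16:44:01 webserver sshd[4128992]: Failed password for root from 203.0.113.7 port 40115 ssh2
Dec 14 16:44:09 webserver sshd[4128995]: Accepted publickey for git from 198.51.100.3 port 51000 ssh2
Dec 14 16:44:12 webserver sshd[4128998]: Invalid user oracle from 203.0.113.7 port 40120
Dec 14 17:50:00 webserver sshd[4129100]: Failed password for root from 203.0.113.7 port 40130 ssh2
"""

# Constructed csf.allow: a hypothetical entry covering the tester's own range.
SAMPLE_CSF_ALLOW = """\
# home connection, whitelisted for testing
81.244.0.0/16
"""

# Two common sshd failure messages, unknown user and wrong password
# (lfd's own patterns cover more variants than these).
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_failures(log_text: str, year: int = 2021) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, ip, raw_line) for every sshd failure line.

    Syslog timestamps carry no year, so one is supplied (2021 matches the
    notice in the thread).  Successful logins are skipped, which is why a
    working 'successful login' notice says nothing about failure tracking.
    """
    out = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group("ip"), line))
    return out


def load_allow(text: str) -> list:
    """Parse plain IP/CIDR entries from csf.allow; advanced 'tcp|in|...'
    rules are skipped by this example."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry or "|" in entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_triggers(failures, allow_nets, trigger: int = 5, interval: int = 3600) -> dict:
    """Return {ip: report} for every IP that reaches `trigger` failures inside
    any window of `interval` seconds (lfd's LF_SSHD / LF_INTERVAL).  Only the
    first trigger per IP is reported, since lfd would block at that point."""
    by_ip = defaultdict(list)
    for ts, ip, line in sorted(failures):
        by_ip[ip].append((ts, line))
    reports = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits the interval.
            while (events[end][0] - events[start][0]).total_seconds() > interval:
                start += 1
            if end - start + 1 >= trigger:
                window = events[start:end + 1]
                reports[ip] = {
                    "failures": len(window),
                    "interval": interval,
                    "allowed": is_allowed(ip, allow_nets),
                    "log_entries": [line for _, line in window],
                }
                break
    return reports


def format_report(ip: str, report: dict) -> str:
    """Render a notice in the same shape as lfd's block e-mail."""
    blocked = "Permanent Block"
    if report["allowed"]:
        blocked += " (IP match in csf.allow, block may not work)"
    lines = [f"IP: {ip}", f"Failures: {report['failures']} (sshd)",
             f"Interval: {report['interval']} seconds", f"Blocked: {blocked}",
             "", "Log entries:", ""]
    return "\n".join(lines + report["log_entries"])


if __name__ == "__main__":
    allow = load_allow(SAMPLE_CSF_ALLOW)
    fails = parse_failures(SAMPLE_AUTH_LOG)
    # trigger=1 reproduces the thread's setting, where one failure was enough.
    for ip, rep in find_triggers(fails, allow, trigger=1).items():
        print(format_report(ip, rep), end="\n\n")
```

With the default trigger of 5 nothing in the sample fires; with 3, only 203.0.113.7 fires (three failures inside 30 seconds, the fourth an hour later falls outside the window); with 1, the whitelisted tester's address fires too and carries the same "block may not work" caveat as the notice in the thread.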
 
Debian uses /var/log/auth.log for SSH login events instead of /var/log/secure, while csf.conf is set up to monitor SSH login events in the file /var/log/secure. Run the following command to replace the log file in the CSF configuration:

sed -i 's|/var/log/secure|/var/log/auth.log|g' /etc/csf/csf.conf
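The sed one-liner above rewrites every /var/log/secure reference in csf.conf blindly. As an added example (my own code, not from the thread and not csf's own tooling), here is the same retargeting done with a check first: it reports which *_LOG keys point at the old file, refuses to suggest a log that does not exist on the box, and only then rewrites the settings. The csf.conf excerpt is constructed; the real file uses the same KEY = "value" syntax but carries many more settings.

```python
"""Added example, not part of the thread or of csf: check which file
csf.conf tells lfd to watch for sshd events and retarget it to a file that
actually exists.  The excerpt below is constructed in the real file's syntax."""
import os
import re

# Constructed csf.conf excerpt (hypothetical; the real file is much longer).
SAMPLE_CSF_CONF = """\
# lfd sshd brute-force settings
LF_SSHD = "5"
LF_INTERVAL = "3600"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
CUSTOM1_LOG = "/var/log/customlog"
"""

# Files lfd could watch for sshd events, in order of preference on Debian.
CANDIDATES = ("/var/log/auth.log", "/var/log/secure")

# One KEY = "value" line; comments start with '#' and never match.
SETTING_RE = re.compile(r'^(?P<key>[A-Z0-9_]+)[ \t]*=[ \t]*"(?P<value>[^"]*)"[ \t]*$', re.M)


def get_setting(conf_text: str, key: str):
    for m in SETTING_RE.finditer(conf_text):
        if m.group("key") == key:
            return m.group("value")
    return None


def log_settings(conf_text: str) -> dict:
    """All *_LOG keys and the files they point at."""
    return {m.group("key"): m.group("value")
            for m in SETTING_RE.finditer(conf_text) if m.group("key").endswith("_LOG")}


def choose_sshd_log(exists=os.path.exists):
    """First candidate auth log present on this box, or None if there is
    none (no syslog daemon writing it), in which case retargeting cannot help."""
    for path in CANDIDATES:
        if exists(path):
            return path
    return None


def check_conf(conf_text: str, exists=os.path.exists) -> dict:
    configured = get_setting(conf_text, "SSHD_LOG")
    return {
        "configured": configured,
        "exists": bool(configured) and exists(configured),
        "suggested": choose_sshd_log(exists),
    }


def retarget_logs(conf_text: str, old: str, new: str):
    """Rewrite every *_LOG setting whose value is `old` to `new`, the way
    the sed one-liner does, but return the list of keys that changed."""
    changed = []

    def repl(m):
        if m.group("key").endswith("_LOG") and m.group("value") == old:
            changed.append(m.group("key"))
            return f'{m.group("key")} = "{new}"'
        return m.group(0)

    return SETTING_RE.sub(repl, conf_text), changed


if __name__ == "__main__":
    # Dry run against the sample; point this at /etc/csf/csf.conf for real use.
    conf = SAMPLE_CSF_CONF
    status = check_conf(conf)
    print("SSHD_LOG is", status["configured"], "- exists:", status["exists"])
    if status["suggested"] and status["suggested"] != status["configured"]:
        new_conf, keys = retarget_logs(conf, status["configured"], status["suggested"])
        print("would retarget", keys, "to", status["suggested"])
    elif not status["suggested"]:
        print("no auth log found; fix syslog before changing csf.conf")
```

After writing the changed text back to /etc/csf/csf.conf, restart csf and lfd with `csf -ra` so lfd opens the new file. If neither candidate exists, nothing is writing an auth log on the box and no SSHD_LOG value will make lfd see failures until that is fixed.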
 