DA update installed lfd/csf, can I disable this?

CrazyFrog

After doing a routine DirectAdmin / custombuild, I noticed that my server generated a "The service 'lfd' is currently down" message. I have never heard of lfd so I looked into it a bit and apparently, lfd/csf was installed and it had deleted my iptables firewall rules, putting the box wide open.

On this forum I found a way to uninstall it with `/etc/csf/uninstall.sh`; this got rid of the /etc/csf and the lfd program. After rebooting, my firewall was back to normal.

Now I want to prevent this situation happening when I upgrade other servers. Is there a proper way to tell DirectAdmin that I don't want lfd/csf?

Thanks!
 
and it had deleted my iptables firewall rules, putting the box wide open.
CSF/LFD does not delete anything. It just configures iptables rules which might overwrite existing ones. Also, it never puts the box wide open, unless CSF is in testing mode.
Or maybe in your case, if there is a conflicting situation with another iptables service being active.

To answer your question, with the new version you can use the DA_SKIP_CSF commandline option. Check this:

Just out of curiosity, what specific rules are you using that you think your iptables would be better than csf/lfd? Or why don't you use CSF/LFD?
 
Thank you for the quick reply! Where would I add this DA_SKIP_CSF? As an environment variable in my script that runs the custombuild, e.g. `DA_SKIP_CSF=true /usr/local/directadmin/custombuild/build all` ?

I really haven't dug into csf/lfd and how it may help me. Right now, I use Puppet to write /etc/iptables.save and load that. So I have my firewall rules defined centrally as code and pushed to the nodes. Admittedly I should at some point look into auto-blocking brute force bots, but I haven't had the time for it.
 
Where would I add this DA_SKIP_CSF?
You might check the link to the docs I pointed to. And I did say commandline option. ;)
You ask for preventing this on installation, so on installation of course. So if I understand the documentation correctly it should be like:
./setup.sh LICENSE_KEY DA_SKIP_CSF
but don't pin me down on this, because the new installation method was changed this week.

Thank you for your explanation.
If you have time, I would suggest taking a look at csf. It's not difficult to create a couple of csf configuration files (csf.conf csf.pignore for example) to push over to other systems. It's a great firewall.
 
Yeah, I know that docs page was about the installation, but this is not a new installation - it just happened while updating an existing box that never had CSF.

I also see in the `build` script:

if [ "${OS}" != "FreeBSD" ] && [ ! -e /root/.skip_csf ] && [ -z "${DA_SKIP_CSF}" ]; then

So maybe I should touch the `/root/.skip_csf` file?

Edit: Ah, you already replied quicker than me. That `./setup.sh LICENSE_KEY DA_SKIP_CSF` command sounds good. I'll try it.
 
it just happened while updating an existing box that never had CSF.
??? Exactly how did you update? Because this seems a bug to me. If CSF is not installed, it should not get installed automatically on existing installations.

That `./setup.sh LICENSE_KEY DA_SKIP_CSF` command sounds good. I'll try it.
Yes, but that is on fresh installations; the setup.sh script is not used for updating/upgrading DirectAdmin.
So this would not help on an existing box which never had csf.
 
??? Exactly how did you update? Because this seems a bug to me. If CSF is not installed, it should not get installed automatically on existing installations.
I'm not exactly sure where in the process it went wrong because I only noticed it too late - my update script first updates DirectAdmin:
Code:
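# uid and lid are expected to be set before this point
url="https://www.directadmin.com/cgi-bin/daupdate?redirect=ok&uid=${uid}&lid=${lid}"

cd /usr/local/directadmin || exit 1
# Keep the previous tarball as a fallback
[ -f update.tar.gz ] && {
    mv update.tar.gz OLD.update.tar.gz
}

# Quote the URL so the "?" in it is never treated as a glob pattern
wget -O update.tar.gz "$url" || exit 1
tar xvzf update.tar.gz
./directadmin p
cd scripts || exit 1
./update.sh
/etc/init.d/directadmin restart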

Then I do a custombuild with:

Code:
/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build all
 
On Linux machines they auto install CSF now. I suppose they have written in the build script to add it if it's not installed. Might be a bug.
 
my update script first updates DirectAdmin:
There is no need for that if you do this one:
/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build all
This will also update DirectAdmin. By the way... this will recompile everything.
You can also use ./build update_versions after the ./build update command, then only things which can be updated will be updated. Including DirectAdmin if there is a new version.
 
For those stumbling on this page, who don't want CSF: it worked for me to create an empty /root/.skip_csf file. Now my firewall rules are untouched during DA/custombuild updates.
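
An added example, not part of the original post and not DirectAdmin's own code: a wrapper that creates the skip marker when the condition quoted from the build script would otherwise pass, then compares `iptables-save` output before and after the update so any rule change is caught. The function names, the `run` argument and the use of `uname -s` as the OS value are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. The marker path and DA_SKIP_CSF come
# from the thread; function names and the "run" argument are made up here.
SKIP_MARKER="${SKIP_MARKER:-/root/.skip_csf}"
BUILD=/usr/local/directadmin/custombuild/build

# Mirrors the quoted build-script test (assumed to gate the CSF install):
# true unless the OS is FreeBSD, the marker exists, or DA_SKIP_CSF is set.
csf_would_install() {   # args: os marker_path
    [ "$1" != "FreeBSD" ] && [ ! -e "$2" ] && [ -z "${DA_SKIP_CSF:-}" ]
}

# Reduce iptables-save output to the rules themselves: drop the timestamp
# comments and zero the [packets:bytes] counters, which change on every dump.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*]/[0:0]/g'
}

# 0 if two saved rulesets hold the same rules, 1 if the firewall changed.
rules_unchanged() {     # args: before_file after_file
    [ "$(normalize_rules < "$1")" = "$(normalize_rules < "$2")" ]
}

guarded_update() {
    before=$(mktemp) && after=$(mktemp) || return 1
    if csf_would_install "$(uname -s)" "$SKIP_MARKER"; then
        touch "$SKIP_MARKER" || return 1
    fi
    iptables-save > "$before" || return 1
    "$BUILD" update && "$BUILD" all
    iptables-save > "$after" || return 1
    if ! rules_unchanged "$before" "$after"; then
        echo "firewall rules changed during the update; kept $before and $after" >&2
        return 1
    fi
    rm -f "$before" "$after"
}

if [ "${1:-}" = "run" ]; then guarded_update; fi
```

Run it as root with the single argument `run`; on a mismatch the two snapshots are left in place so they can be diffed.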
 
I respect your opinion in terms of using a firewall you are comfortable with, but anyone considering skipping CSF installation should do so only if they understand what they are not installing. CSF / LFD are great services and there is a good reason they are installed by default on panels like DA and cPanel. CSF is actively developed and automatically creates firewall rules that are unique to the panel you're using.
 