HOWTO: CSF Firewall + LFD Login Failure Daemon

Sc0rian

Verified User
Joined
Jul 26, 2009
Messages
18
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID

Nothing will work, it's blocking. I have tried reinstalling it, all the options...
 

tuumke

Verified User
Joined
Jul 21, 2009
Messages
5
The hald daemon is used by your OS. You probably just need to have an exception for it so it won't get reported.

For mysql possibly the same, though I'd think it would get excepted by default.

Hopefully others who use CSF will reply, as I have little experience with it and I've never seen that. However, on my systems it's called haldaemon, not hald. (Though the configuration file is called hald.conf.)

Jeff
Hm, I think those are already ignored, but I still receive the messages :O

-edit-
This is the csf.pignore:

###############################################################################
# Copyright 2006-2009, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/sbin/httpd
exe:/usr/libexec/dovecot/imap
exe:/usr/bin/perl
exe:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
exe:/usr/sbin/hald\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00

snaaps

Verified User
Joined
Jan 29, 2005
Messages
230
Location
Netherlands
Hello,

I have installed it and it works ok.
But after deleting the csf.conf file and redownloading it from http://www.oakdns.net/downloads/csf.conf I can't restart csf and lfd in DirectAdmin.

In SSH it says:
/usr/sbin/csf -r
Undefined subroutine &Cpanel::Version::gettree called at /usr/sbin/csf line 140.

zbv2net

Verified User
Joined
Feb 11, 2009
Messages
12
I have been using the CSF firewall for a long time, but now something is wrong. I didn't do anything; this is the second time I'm having this problem. When I enable the firewall it blocks everything: SSH, FTP, httpd

and everything else. All the ports are open. It had been working fine, but now something went wrong.

I don't know what.

I am using CentOS 5.3 with DA and I tried reinstalling it; same problem.

Can anyone help me fix this? Thank you.
 

skorpio3000

Verified User
Joined
Feb 22, 2010
Messages
9
Hi guys I have a problem with CSF. Whenever CSF is active I can't send or receive emails.
Every other service works fine.
When I disable it mail works like a charm again.
What could be wrong? I use the csf.conf that is in the first page.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Check your CSF configuration to make sure it's allowing outbound and inbound traffic on ports 25, 110, 143, and 587.

Jeff
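A way to verify that against csf.conf from the shell, added here as an example (it is not from the thread or from CSF itself). It assumes csf.conf's `TCP_IN = "20,21,..."` line format and uses a constructed sample file in place of /etc/csf/csf.conf:

```shell
#!/bin/sh
# Added example: report which ports a service needs that are absent from a
# csf.conf port list (here the mail ports 25, 110, 143 and 587).
# Assumption: csf.conf assigns lists as  VAR = "port,port,..."  on one line.
# The config below is a constructed fragment for the demo; on a real server
# pass /etc/csf/csf.conf instead.
SAMPLE_CONF="${TMPDIR:-/tmp}/csf.conf.demo.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed csf.conf fragment: IMAP (143) and submission (587) are missing
TCP_IN = "20,21,22,25,53,80,110,443,2222"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
EOF

# csf_port_list CONF VAR : print the comma-separated list assigned to VAR
csf_port_list() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_missing_ports CONF VAR PORT... : print, one per line, the PORTs that do
# not appear as an entry in VAR's list (prints nothing when all are present).
# Entries are matched literally, so a port covered only by a range such as
# 30000:35000 is reported as missing.
csf_missing_ports() {
    conf=$1; var=$2; shift 2
    list=$(csf_port_list "$conf" "$var")
    for p in "$@"; do
        case ",$list," in
            *",$p,"*) ;;            # present in the list
            *) echo "$p" ;;
        esac
    done
}

# mail_ports_report CONF : one line per direction with the missing mail ports
mail_ports_report() {
    for var in TCP_IN TCP_OUT; do
        missing=$(csf_missing_ports "$1" "$var" 25 110 143 587 | tr '\n' ' ' | sed 's/ $//')
        printf '%s missing: %s\n' "$var" "${missing:-none}"
    done
}

mail_ports_report "$SAMPLE_CONF"
```

The same functions apply to any other service's port list; only the VAR name and the port arguments change.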
 

empereur

Verified User
Joined
Nov 16, 2005
Messages
11
Security

Hello, I too am looking for security software such as CSF or LFD for CentOS 5.2 32-bit. I found nothing. Do you have a tutorial for it?
Because in the CentOS section I have nothing on it.
If someone would like to make us a tutorial, it would be magnificent :D
 

skorpio3000

Verified User
Joined
Feb 22, 2010
Messages
9
Hello, I too am looking for security software such as CSF or LFD for CentOS 5.2 32-bit. I found nothing. Do you have a tutorial for it?
Because in the CentOS section I have nothing on it.
If someone would like to make us a tutorial, it would be magnificent :D
The first page of this thread explains it quite well I think.
It's for every distro so you shouldn't have any problems installing.
 

congkai

Verified User
Joined
Dec 12, 2005
Messages
146
Location
Singapore
Is there a way we can export ALL the settings of CSF so I can have the same settings on 3 servers?

This can also work as a backup of the settings.
 

daveyw

Verified User
Joined
Jan 5, 2008
Messages
702
Location
/dev/null
Is there a way we can export ALL the settings of CSF so I can have the same settings on 3 servers?

This can also work as a backup of the settings.
You can use the options below in csf.conf:
Code:
# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour)
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "3600"

GLOBAL_ALLOW = "http://www.domain.tld/global-allow.conf"
GLOBAL_DENY = "http://www.domain.tld/global-deny.conf"
GLOBAL_IGNORE = "http://www.domain.tld/global-ignore.conf"
 

sokolkapl

Verified User
Joined
Mar 12, 2010
Messages
42
Hi,

I've successfully installed CSF. The issue I have is that it drops legitimate packets and thus decreases the load speed of the pages and SSH. Basically, it creates a delay when I use SSH and websites; they definitely work much slower. Any idea what could be the cause and how to solve it?

It is definitely the firewall, as I have yet to host users.
 

shervin114

New member
Joined
Apr 25, 2010
Messages
1
Problem with starting CSF in DA

Starting csf...


Undefined subroutine &Cpanel::Version::gettree called at /etc/csf/csf.pl line 155.

...Done.

:(
 

carlo_gra

Verified User
Joined
Aug 7, 2007
Messages
49
Hello everybody: during the upgrade from v. 5.0.3 to 5.0.5 I've seen a difference compared to a fresh install of v. 5.0.5.

A fresh 5.0.5 has a complete (new) interface to configure a cluster; the "upgraded" 5.0.5 does not have this part.

Is there a bug in the upgrade system?
 

twaern

Verified User
Joined
Feb 23, 2006
Messages
10
Location
Greater Sudbury, Canada
CSF

What ports do I have to open in CSF to allow passive FTP?

In proftpd.conf I have found what ports it uses for passive FTP, but I'm not sure how or where to put them into the csf.conf file.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
@twaern:

The file is no longer at that URL. You should attempt to contact the poster who was hosting the file.

ProFTPd can be set to choose passive FTP ports dynamically, or to choose only specific ports for passive FTP.

I, and others, use the dynamic selection, and use a firewall which opens what's called related ports, so any port chosen will be automatically open.

I no longer have a ProFTPd configuration for static passive ftp ports, so I'd have to read the ProFTPD documentation. If no one else posts an answer, then of course you can do that.

Once you set ProFTPd for the ports you're going to use, you open those ports in your firewall.

The best way, however, is to open related ports in CSF. Is that not documented anywhere?

Note that before you can open related ports in CSF you must (presuming Linux, not FreeBSD) have the ip_conntrack_ftp.ko module loaded in the kernel; perhaps others as well.

Here's how we do it in the kiss firewall; similar code should be in CSF, but perhaps commented out:
Code:
##############################################################################
# Use Connection State to Bypass Rule Checking
#
# By accepting established and related connections, we don't need to
# explicitly set various input and output rules. For example, by accepting an
# established and related output connection, we don't need to specify that
# the firewall needs to open a hole back out to client when the client
# requests SSH access.
#
$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT  -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
Jeff
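A small check for the two preconditions Jeff describes (FTP connection-tracking helper loaded, RELATED traffic accepted on INPUT), added here as an example that is not from the thread, CSF or the kiss firewall. It reads constructed stand-ins for the output of `lsmod` and `iptables-save`; on a live server feed the real output of those commands in, and note that newer kernels name the helper nf_conntrack_ftp rather than ip_conntrack_ftp:

```shell
#!/bin/sh
# Added example: verify that passive FTP can rely on "related" connections.
#  1. the FTP conntrack helper (ip_conntrack_ftp on CentOS 5 era kernels,
#     nf_conntrack_ftp on newer ones) must be loaded, and
#  2. the INPUT chain must accept ESTABLISHED,RELATED traffic.
# The two files below are constructed samples standing in for `lsmod` and
# `iptables-save` output.
DEMO=${TMPDIR:-/tmp}/pasv_demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/lsmod.txt" <<'EOF'
Module                  Size  Used by
ip_conntrack_ftp       12345  0
ip_conntrack           56789  1 ip_conntrack_ftp
EOF
cat > "$DEMO/rules.txt" <<'EOF'
*filter
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
EOF

# ftp_helper_loaded LSMOD_FILE : succeed if either FTP helper module is listed
ftp_helper_loaded() {
    awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
         END { exit !found }' "$1"
}

# related_accepted RULES_FILE CHAIN : succeed if CHAIN has an ACCEPT rule that
# includes the RELATED state (legacy "-m state" or newer "-m conntrack" form)
related_accepted() {
    grep -Eq -e "^-A $2 .*-m (state --state|conntrack --ctstate) [A-Z,]*RELATED[A-Z,]* -j ACCEPT" "$1"
}

# passive_ftp_readiness LSMOD_FILE RULES_FILE : print a one-word verdict and
# return non-zero if either precondition is missing
passive_ftp_readiness() {
    if ! ftp_helper_loaded "$1"; then echo "missing-helper"; return 1; fi
    if ! related_accepted "$2" INPUT; then echo "missing-related-accept"; return 1; fi
    echo "ready"
}

passive_ftp_readiness "$DEMO/lsmod.txt" "$DEMO/rules.txt"
```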
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
I'm running into a problem with LFD sending a notification email every hour that freshclam has been running too long. Of course it is, it's a daemon. I can't figure out how to tell LFD to not report on it.

Any ideas?

Jeff
 