HOWTO: CSF Firewall + LFD Login Failure Daemon

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Of course it is, it's a daemon. I can't figure out how to tell LFD to not report on it.
Big chance there will be notifications of multiple daemons.

Have a look at the csf.pignore.
Or take your DA, choose the firewall, look almost completely at the bottom under lfd - Login Failure Daemon.
There you will see a couple of dropdown things, first one called csf.ignore.
Choose the dropdown, select csf.pignore (because you want to ignore a process).
Click Edit.

Then add the exe or whatever... there are some examples like:
exe:/usr/sbin/freshclam

Restart csf/lfd and restart freshclam and you should be fine.
Same goes for other things, like dovecot, pop3, mysql and such, if necessary.
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
First the good news; it appears the problem is gone; it hasn't hit since my post to this thread. I did try the exe entry in csf.pignore. It didn't work. So I looked at other choices.

This didn't work:
Code:
# /exe:/usr/bin/freshclam
This one appears to have worked:
Code:
cmd:/usr/bin/freshclam -p /var/run/clamav/freshclam.pid -d
Note I haven't tried the block by user, because the block by command worked.

The other daemons I run are already in csf.pignore by default.

Jeff
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
Warning: The Latest version of CSF does not work properly with DirectAdmin on CentOS 5 machines with Apache 2+
Can you explain in what way it doesn't work? I'd like to switch to CSF+LFD on all our servers, but many of them are still running CentOS5.

Thanks.

Jeff
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Jeff, I'm using CentOS 5.7 32/64Bit with CSF/LFD for at least a year without any kind of issue at all.

You can switch to CSF/LFD on CentOS without pain and risks.

Regards
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Also, in your post there is a mistake...

the correct line to use should be:

Code:
exe:/usr/local/bin/freshclam
or

Code:
exe:/usr/bin/freshclam
depending on where the executable is (I use both to be sure :p)

Without the starting / (and of course not commented as it looks)

Regards
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
This one appears to have worked:
I had just given an example and pointed to the csf.pignore file, there are other examples in there.
Mostly you can take the command line out of the message you get from CSF. Mostly this points to the correct line to place there (cmd or exe).
Glad to be of help.

First the good news;
First the good news? Where's the bad news then? :)

@Littleoak: I would also like to know what you are pointing to. We are running almost all our servers on Centos 5 with Apache 2.x and we did not encounter any problems with csf.
Unless you are pointing to this (click) problem. Which isn't really a problem but a minor issue.
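As an added example (not code from the thread, from csf or from DirectAdmin), the two pieces of advice above can be put into a small POSIX sh script: take the Executable, Command Line and Account fields out of an LFD alert and print the csf.pignore candidates they map to, and check a pignore line for the two mistakes discussed (a leading "/" and a commented-out entry). The sample alert is constructed from the "Process Time" mail quoted later in this thread; the entry types exe:, cmd: and user: are the ones named in the thread, and pexe:, pcmd: and puser: are csf's regex variants of the same.

```shell
#!/bin/sh
# Added example, not part of csf or the thread. Constructed sample alert,
# modelled on the "Process Time" mail quoted in this thread.
SAMPLE_ALERT='Time:         Mon Feb 20 18:00:57 2012 -0500
Account:      username
Resource:     Process Time
Exceeded:     244099 > 1800 (seconds)
Executable:   /bin/bash
Command Line: -bash
PID:          7700
Killed:       No'

# alert_field ALERT LABEL -> the value of the "LABEL: value" line in the alert.
alert_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# pignore_candidates ALERT -> candidate csf.pignore lines, narrowest first:
# cmd: matches only that command line, exe: every run of the binary,
# user: everything the account does (the broadest, so it hides the most).
pignore_candidates() {
    exe=$(alert_field "$1" "Executable")
    cmd=$(alert_field "$1" "Command Line")
    user=$(alert_field "$1" "Account")
    [ -n "$cmd" ]  && printf 'cmd:%s\n' "$cmd"
    [ -n "$exe" ]  && printf 'exe:%s\n' "$exe"
    [ -n "$user" ] && printf 'user:%s\n' "$user"
    return 0
}

# check_pignore_line LINE -> blank, comment, commented-entry, leading-slash,
# ok or unknown-type. "commented-entry" is an entry that still carries a "#"
# (it will be ignored by lfd); "leading-slash" is the "/exe:" mistake.
check_pignore_line() {
    case "$1" in
        '') printf 'blank\n' ;;
        '#'*)
            # strip the comment marker, spaces and a stray "/" and look again
            body=$(printf '%s' "$1" | sed 's/^#[[:space:]]*//; s|^/||')
            case "$body" in
                exe:*|cmd:*|user:*|pexe:*|pcmd:*|puser:*) printf 'commented-entry\n' ;;
                *) printf 'comment\n' ;;
            esac ;;
        /exe:*|/cmd:*|/user:*|/pexe:*|/pcmd:*|/puser:*) printf 'leading-slash\n' ;;
        exe:*|cmd:*|user:*|pexe:*|pcmd:*|puser:*)       printf 'ok\n' ;;
        *) printf 'unknown-type\n' ;;
    esac
}

# pignore_lint FILE -> "STATUS<TAB>LINE" for every line that lfd would not
# treat as a working entry or an ordinary comment.
pignore_lint() {
    while IFS= read -r line || [ -n "$line" ]; do
        st=$(check_pignore_line "$line")
        case "$st" in
            ok|comment|blank) ;;
            *) printf '%s\t%s\n' "$st" "$line" ;;
        esac
    done < "$1"
}

# Usage (uncomment to run): pignore_candidates "$SAMPLE_ALERT"
#                           pignore_lint /etc/csf/csf.pignore
```

Run `pignore_candidates` on an alert you have received and pick the narrowest line that still covers what you want to silence; run `pignore_lint` on csf.pignore after editing, then restart csf and lfd as described above.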
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
He meant the starting / before exe. I just noticed that; I've copied it from lines already in the file, and that may have been my initial error. It's working now, and I know how to add the required line, so for me the problem is solved.

No bad news; just an executive summary at the top; I called it the good news. For people not interested in the details stop reading there :).

Jeff
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
There shouldn't be a trailing / in front of exe or cmd indeed.

As for Jeff I understand he has it working without the starting / now.
Nobaloney2 said:
It's working now, and I know how to add the required line. so for me the problem is solved.
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
You are correct, Richard.

I'm having two issues now, neither of which are important because I can handle them with email filtering.

I'm always logged into the server (ssh). How can I manage to get rid of this notice about bash coming in every hour?
Code:
Time:         Mon Feb 20 18:00:57 2012 -0500
Account:      username
Resource:     Process Time
Exceeded:     244099 > 1800 (seconds)
Executable:   /bin/bash
Command Line: -bash
PID:          7700
Killed:       No
I can filter it out using local mailbox filtering, and one per hour is hardly a problem, but I'd like an easy way to do this kind of filtering of messages at the LFD side.

And another issue:

There will be many more spam mailboxes once the server goes live. Is there an easy way to filter these out?

Code:
Time:   Sun Feb 19 02:10:18 2012 -0500
File:   /tmp/admin/username/backup/example.com/email/data/imap/mailboxname/Maildir/.INBOX.spam
Reason: Suspicious directory
Owner:  username:username (507:509)
Action: No action taken
I suppose I could filter on .INBOX.spam, on my desktop, but I'd like to see a way to handle these on the server as well. Even though they only happen while a backup is occurring, I'd like to not see them.

Ideas anyone?

Jeff
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Ignore exe:/bin/bash or, if the username is the one you use to become root and only you have that access, exclude that username from check in pignore file using user:username.

Should work also for user:admin but will stop telling you everything about user admin, so, if a website gets hacked on user admin you will not notice any suspicious directory and/or process.

Regards
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
Of course, but:
Ignore exe:/bin/bash or, if the username is the one you use to become root and only you have that access, exclude that username from check in pignore file using user:username.
I could ignore bash, but if I do that I don't find out about anyone who's somehow managed to get a shell on the server. I could ignore my user (yes, that's the one), but even though I use a very secure password (I run a linux system in my office for creating passwords and I probably use a very similar command to the one used in DirectAdmin) I'd rather know if someone logs in as me.

Nevertheless, I think I will ignore my username as a better option than ignoring bash.
Should work also for user:admin but will stop telling you everything about user admin, so, if a website get hacked on user admin you will not notice any suspicious directory and/or process.
Are you writing about the backup process issue? I'm not sure if that's going to work, as it doesn't show up in the report; only the user who owns the file. I don't know why the spam inbox is being reported as suspicious, but it appears there's no easy way to exclude it without excluding the file owner or the user, and I'm not going to do that; I'll either live with these emails or filter them out in my email client.

Thanks.

Jeff
 

AudiAddict

Verified User
Joined
Oct 10, 2008
Messages
62
I'm using the CSF + LFD plugin as well. Great stuff!
Thanks for the howto.

Two quick questions:

1) I am running a php based portal on the user "portal" and it does a command every 30 minutes to refresh/get new content. I'm getting spammed by LFD now with suspicious process and high usage.

Code:
Executable:

/usr/local/bin/php

Command Line (often faked in exploits):

php retrieve.php
I know there is an ignore file but I don't want to ignore this user completely, I just want to ignore this specific cronjob. How do I do this? Ignoring /usr/local/bin/php will ignore all PHP commands and that's not what I want.

the retrieve.php file is located in /home/portal/mydomain/portal/retrieve.php

2) How does LFD and CSF relate/work with the brute force attack monitor from DirectAdmin? My server is being hammered by brute force attacks on dovecot (pop3) and imap. Shouldn't it block this by ... attempts?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
@Jeff: Sorry for the late reply.
There are 2 options in csf to have your ip address ignored. I merged them by using this option:
IGNORE_ALLOW = "1"
in the csf.conf file.
Next to that, enter your ip addresses in csf.allow and you will not get noticed anymore about processes you are using yourself when logging in via SSH, FTP or anyhow with that ip.

There will be many more spam mailboxes once the server goes live. Is there an easy way to filter these out?
This is a known problem which somebody told me a regexp would help, but it didn't.
http://forum.configserver.com/viewtopic.php?f=6&t=3629

Only other options are not to use the temp dir for the backups (if possible) or else disable the directory watching.

@Audiaddict:
1.) I don't think this is possible.
2.) Not everything is checked by csf/lfd, hammering can still be a problem for some daemons.
Check how you configured bruteforces on pop3 and imap in csf.conf.

If nobody else knows, try the configserver support forums.
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
Thanks, might try that but my IP# is configured by my ISP by DHCP and changes from time to time.

I may just decide to filter out at my desktop system; not really that hard.

Jeff
 

NoBaloney2

NoBaloney Internet Svcs.
Joined
Jun 17, 2007
Messages
498
Location
California
I don't think that's easily doable; I think to do that you have to use rDNS to get the hostname. With DHCP from your ISP you generally don't get to set that.

How else would CSF get your hostname?

I know when I log in, I see my ISP's rDNS.

I used to have DSL, 3 mbps, static IP, with my own subnet. I gave it up for cable Internet, 50 mbps, dynamic IP, for about the same monthly fee. Tradeoff.

Jeff
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
I've got a question. If I disable lfd and remove it from the list of services in DirectAdmin... after some time it comes back to the list, and a lot of warnings come in that lfd is stopped. Does anybody know how to stop lfd from getting into the list, since I don't want to use it at all.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
I think you should remove it from:

Code:
/usr/local/directadmin/data/admin/services.status
Remove the lfd=ON line or change it to OFF to just disable notifications.

Regards
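As an added example (not code from the thread or from DirectAdmin), the edit suggested above done in POSIX sh so it can be repeated safely: the functions set a service's line in a services.status-style file to ON or OFF, or remove the line altogether, and read the current value back. The functions work on any file you pass them; the real file, from the post above, is /usr/local/directadmin/data/admin/services.status, and the sample content in demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of DirectAdmin or the thread.

# set_service_status FILE SERVICE STATE -> rewrite "SERVICE=..." to STATE
# (ON or OFF), appending the line if the service is not listed yet.
set_service_status() {
    file=$1 svc=$2 state=$3
    case "$state" in ON|OFF) ;; *) return 2 ;; esac
    if grep -q "^$svc=" "$file"; then
        # GNU and BSD sed disagree on -i, so rewrite via a temp file
        sed "s/^$svc=.*/$svc=$state/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$svc" "$state" >> "$file"
    fi
}

# remove_service FILE SERVICE -> drop the service's line entirely, which is
# the first option the post gives for keeping lfd out of the service list.
remove_service() {
    sed "/^$2=/d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_service_status FILE SERVICE -> ON, OFF or "absent".
get_service_status() {
    v=$(sed -n "s/^$2=//p" "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'absent\n'; fi
}

# demo -> builds a constructed services.status, turns lfd OFF, then removes it,
# printing the value after each step.
demo() {
    tmp=$(mktemp)
    printf 'httpd=ON\nlfd=ON\nexim=ON\n' > "$tmp"
    set_service_status "$tmp" lfd OFF
    get_service_status "$tmp" lfd
    remove_service "$tmp" lfd
    get_service_status "$tmp" lfd
    rm -f "$tmp"
}
```

Only the lfd line is touched; other services in the file keep their values, which is what you want when the file is also maintained by DirectAdmin itself.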
 