HOWTO: CSF Firewall + LFD Login Failure Daemon

DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:520
DROP udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:520
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
LOG icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
INVDROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state INVALID

Nothing will work, it's blocking. I have tried reinstalling it, all the options..
 
The hald daemon is used by your OS. You probably just need to have an exception for it so it won't get reported.

For mysql possibly the same, though I'd think it would get excepted by default.

Hopefully others who use CSF will reply, as I have little experience with it and I've never seen that. However, on my systems it's called haldaemon, not hald. (Though the configuration file is called hald.conf.)

Jeff

Hm, I think those are already ignored, but still I receive the messages :O

-edit-
This is the csf.pignore:

###############################################################################
# Copyright 2006-2009, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/sbin/httpd
exe:/usr/libexec/dovecot/imap
exe:/usr/bin/perl
exe:/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
exe:/usr/sbin/hald\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
 
Hello,

I have installed it and it works OK.
But after deleting the csf.conf file and redownloading it from http://www.oakdns.net/downloads/csf.conf I can't restart csf and lfd in DirectAdmin.

In SSH it says:
/usr/sbin/csf -r
Undefined subroutine &Cpanel::Version::gettree called at /usr/sbin/csf line 140.
 
I have been using the CSF firewall for a long time, but now something is wrong. I don't know, I did not do anything; this is the second time that I'm having this problem: when I enable the firewall it blocks everything: SSH, FTP, httpd

and everything. All the ports are open. It had been working fine, but now something went wrong.

I don't know what.

I am using CentOS 5.3 with DA and I tried reinstalling it, same problem.

Can anyone help me to fix this? Thank you.
 
Hi guys I have a problem with CSF. Whenever CSF is active I can't send or receive emails.
Every other service works fine.
When I disable it mail works like a charm again.
What could be wrong? I use the csf.conf that is on the first page.
 
Check your CSF configuration to make sure it's allowing outbound and inbound traffic on ports 25, 110, 143, and 587.

Jeff
 
Security

Hello. I too am looking for security software like CSF or LFD for CentOS 5.2 32-bit; I found nothing. Do you have a tutorial for it?
Because in the CentOS section I have nothing about this.
If someone would like to make us a tutorial, it would be magnificent :D
 
The first page of this thread explains it quite well I think.
It's for every distro, so you shouldn't have any problems installing it.
 
Is there a way we can export ALL the settings of CSF so I can have the same settings on 3 servers?

This can also work as a backup of the settings.
 
You can use the options below in csf.conf:
# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour)
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "3600"

GLOBAL_ALLOW = "http://www.domain.tld/global-allow.conf"
GLOBAL_DENY = "http://www.domain.tld/global-deny.conf"
GLOBAL_IGNORE = "http://www.domain.tld/global-ignore.conf"
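
The GLOBAL_* options above fetch shared IP lists. For the rest of csf.conf, keeping three servers in step (or checking a saved backup against the live file) comes down to comparing the KEY = "value" lines. The following shell is an added example, not code from the thread or from CSF; the function names are my own and the two sample csf.conf snippets in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from CSF: normalize the settings
# in a csf.conf so copies taken from several servers can be compared, or a
# saved copy checked against the live one. Comments and blank lines are
# dropped, so only KEY = "value" lines count.

# csf_conf_normalize FILE -> prints KEY=VALUE lines, one per setting, with
# the whitespace around '=' removed and the keys sorted
csf_conf_normalize() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1=\2/p' "$1" \
        | LC_ALL=C sort
}

# csf_conf_diff FILE_A FILE_B -> prints each setting that differs as
#   KEY: <value in A> | <value in B>   (a key missing from one side shows "-")
# and exits 0 when the two files agree, 1 when they do not
csf_conf_diff() {
    local a b rc
    a=$(mktemp) && b=$(mktemp) || return 2
    csf_conf_normalize "$1" > "$a"
    csf_conf_normalize "$2" > "$b"
    awk -F= '
        FILENAME == ARGV[1] { va[$1] = substr($0, length($1) + 2); next }
                            { vb[$1] = substr($0, length($1) + 2) }
        END {
            n = 0
            for (k in va) if (!(k in vb) || va[k] != vb[k]) keys[++n] = k
            for (k in vb) if (!(k in va)) keys[++n] = k
            # insertion sort so the report is stable across awk implementations
            for (i = 2; i <= n; i++) {
                v = keys[i]
                for (j = i - 1; j > 0 && keys[j] > v; j--) keys[j + 1] = keys[j]
                keys[j + 1] = v
            }
            for (i = 1; i <= n; i++) {
                k = keys[i]
                print k ": " ((k in va) ? va[k] : "-") " | " ((k in vb) ? vb[k] : "-")
            }
            exit (n > 0)
        }' "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Walk-through on two constructed snippets (sample data, not real servers)
demo() {
    local a b
    a=$(mktemp); b=$(mktemp)
    printf '# server 1\nTESTING = "0"\nTCP_IN = "20,21,22,25"\nLF_GLOBAL = "3600"\n' > "$a"
    printf '# server 2\nTESTING = "1"\nTCP_IN = "20,21,22,25"\nGLOBAL_DENY = "http://www.domain.tld/global-deny.conf"\n' > "$b"
    csf_conf_diff "$a" "$b" || echo "(servers differ)"
    rm -f "$a" "$b"
}
demo
```

Run `csf_conf_diff /etc/csf/csf.conf /path/to/backup/csf.conf` on each server; an empty report and exit status 0 means the settings match. After copying a csf.conf into place, restart with `csf -r` as the thread does, and keep per-server entries such as csf.allow out of the copy.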
 
Hi,

I've successfully installed CSF. The issue I have is that it drops legitimate packets and thus decreases the load speed of the pages and SSH. Basically, it creates a delay when I use SSH and websites; they definitely work much slower. Any idea what could be the cause and how to solve it?

It is definitely the firewall, as I have yet to host users.
 
Problem with starting CSF in DA

Starting csf...


Undefined subroutine &Cpanel::Version::gettree called at /etc/csf/csf.pl line 155.

...Done.

:(
 
Hello everybody: during the upgrade from v. 5.0.3 to 5.0.5 I've seen a difference compared with a fresh install of v. 5.0.5.

5.0.5 has a complete (new) interface to configure a cluster; the "upgraded" 5.0.5 does not have this part.

Is there a bug in the upgrade system?
 
CSF

What ports do I have to open in CSF to allow passive FTP?

In proftpd.conf I have found which ports it uses for passive FTP, but I'm not sure how or where to put them into the csf.conf file.
 
@twaern:

The file is no longer at that URL. You should attempt to contact the poster who was hosting the file.

ProFTPd can be set to choose passive FTP ports dynamically, or to choose only specific ports for passive FTP.

I, and others, use the dynamic selection, and use a firewall which opens what's called related ports, so any port chosen will be automatically open.

I no longer have a ProFTPd configuration for static passive ftp ports, so I'd have to read the ProFTPD documentation. If no one else posts an answer, then of course you can do that.

Once you set ProFTPd for the ports you're going to use, you open those ports in your firewall.

The best way, however, is to open related ports in CSF. Is that not documented anywhere?

Note that before you can open related ports in CSF you must (presuming Linux, not FreeBSD) have the ip_conntrack_ftp.ko module loaded in the kernel; perhaps others as well.

Here's how we do it in the kiss firewall; similar code should be in CSF, but perhaps commented out:
Code:
##############################################################################
# Use Connection State to Bypass Rule Checking
#
# By accepting established and related connections, we don't need to
# explicitly set various input and output rules. For example, by accepting an
# established and related output connection, we don't need to specify that
# the firewall needs to open a hole back out to client when the client
# requests SSH access.
#
# (Excerpt; the script sets IPTABLES to the iptables binary earlier on.)
IPTABLES=${IPTABLES:-/sbin/iptables}

$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT  -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

Jeff
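
Two port questions come up in this thread: the mail ports 25, 110, 143 and 587 earlier, and a static passive-FTP range here. Both come down to what the TCP_IN list in csf.conf covers. The shell below is an added example, not code from the thread, from CSF or from ProFTPD; the function names are my own and the csf.conf and proftpd.conf lines in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, from CSF or from ProFTPD.
# csf.conf keeps its port lists comma-separated and writes a range as
# low:high, e.g. TCP_IN = "20,21,22,25,53,80,443,30000:35000". These helpers
# check that list for required ports and append a ProFTPD PassivePorts range.

# csf_conf_value FILE KEY -> prints the value of KEY (without the quotes)
csf_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# csf_port_allowed LIST PORT -> exit 0 if PORT is listed, singly or inside
# a low:high range, 1 otherwise
csf_port_allowed() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | {
        while IFS= read -r entry; do
            case $entry in
                '')  ;;
                *:*) [ "$2" -ge "${entry%%:*}" ] && [ "$2" -le "${entry##*:}" ] && exit 0 ;;
                *)   [ "$entry" -eq "$2" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}

# csf_missing_ports LIST PORT... -> prints the ports from PORT... that LIST
# does not cover (an empty line when all are covered)
csf_missing_ports() {
    local list=$1 missing=
    shift
    for p in "$@"; do
        csf_port_allowed "$list" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

# csf_add_range LIST LO HI -> prints LIST with LO:HI appended unless that
# exact range entry is already present
csf_add_range() {
    local list range
    list=$(printf '%s' "$1" | tr -d ' ')
    range="$2:$3"
    case ",$list," in
        *",$range,"*) printf '%s\n' "$list" ;;
        ',,')         printf '%s\n' "$range" ;;
        *)            printf '%s,%s\n' "$list" "$range" ;;
    esac
}

# proftpd_passive_ports FILE -> prints "LO HI" from the PassivePorts
# directive of a proftpd.conf, nothing if the directive is absent
proftpd_passive_ports() {
    awk '/^[[:space:]]*PassivePorts[[:space:]]/ { print $2, $3; exit }' "$1"
}

# Walk-through on constructed files (sample data, not a real server)
demo() {
    local csf ftp tcp_in
    csf=$(mktemp); ftp=$(mktemp)
    printf 'TCP_IN = "20,21,22,25,53,80,110,143,443"\nTCP_OUT = "20,21,22,25,53,80,110,113,443"\n' > "$csf"
    printf 'ServerName "Demo"\nPassivePorts 49152 65534\n' > "$ftp"
    tcp_in=$(csf_conf_value "$csf" TCP_IN)
    echo "mail ports missing from TCP_IN: $(csf_missing_ports "$tcp_in" 25 110 143 587)"
    set -- $(proftpd_passive_ports "$ftp")
    echo "TCP_IN with passive range:      $(csf_add_range "$tcp_in" "$1" "$2")"
    rm -f "$csf" "$ftp"
}
demo
```

Write the new value back into the TCP_IN line of /etc/csf/csf.conf and restart with `csf -r`, as the thread does. If you rely on the related-ports approach from the post instead of a static range, `lsmod | grep conntrack_ftp` shows whether the FTP connection-tracking module the post mentions is loaded at all; without it a passive data connection is never marked RELATED.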
 
I'm running into a problem with LFD sending a notification email every hour that freshclam has been running too long. Of course it is, it's a daemon. I can't figure out how to tell LFD to not report on it.

Any ideas?

Jeff
 