What to use? CSF+LFD or Fail2ban or both?

Aar

I'm going to install a server with DirectAdmin this week, and I wonder what the best combination is. I know you have CSF, which works with iptables, so you can manage the firewall through DirectAdmin. This one also has LFD (Login Failure Daemon) on board.

You also have Fail2Ban, which is separate from DirectAdmin but is easy to set up, and can also scan other log files for IP ranges that should be blocked when brute-forcing. (Nice for phpMyAdmin or the admin panel of your CMS). And also you have BFD in DirectAdmin that only monitors the calls on DA's port 2222. (However?)

Now I wondered:
What is the best combination?
Can you use CSF+LFD together with Fail2Ban?
Or can you use CSF (for the webinterface) without LFD, but with Fail2ban?

Of course I disable the use of the root login and I use SSH keys.
 
also scan other log files
What other logfiles can Fail2Ban scan which CSF/LFD combined with DA's BFM can't?

And also you have BFD in DirectAdmin that only monitors the calls on DA's port 2222. (However?)
That was in the old days. Have you read the recent docs?


On a fresh installation, you can get CSF/LFD combined with DA's BFM to get an optimal defense.

I thought CSF/LFD can't be used in combination with Fail2Ban because both use iptables to block connections, so this could cause conflicting issues. But I could be wrong. But you wouldn't need Fail2Ban anyway.

Of course I disable the use of the root login and I use SSH keys.
If you also move the SSH port to some other port, your logs and attacks will be more quiet too. :)
 
Fine! Then I'll stick to the method from this tutorial, and therefore to the CSF integration.
 
Logically, you can't.
If you want, you can load rules from Fail2Ban when the CSF firewall gets a restart signal, using custom pre/post shell scripts:

/etc/csf/csfpre.sh
/etc/csf/csfpost.sh

These 2 files are triggered on the restart signal.

Anyway, you don't need Fail2Ban.
 
@jamgames2
I already read something like that. Through a search on Google I came across this page, and searched for the heading 'Add CSF integration':
Apparently it is possible, with Fail2Ban passing it directly to CSF. But I think this makes it quite complex. So I will use CSF with BFD.

If I still want to block separate things, such as brute force attempts in my CMS, I can always do this:
Code:
csf -d 123.123.123.123 Added by My SuperDuper CMS
 
You can also use custom regexp things with CSF/LFD like this for example:
Code:
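# WP-LOGINS
# Matches POSTs to wp-login.php or xmlrpc.php answered with 200 or 401 in the CUSTOM1_LOG files.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
    # Returns: log message, offending IP ($1), rule identifier, trigger count,
    # ports to block, block duration in seconds
    return ("Unauthorized, please leave",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}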
You can add custom logfiles to check in CSF, so as you can see, the custom1_log is used for this one. And you can define this in the csf.conf file like this:
CUSTOM1_LOG = "/var/log/httpd/domains/*"

So as you can see, CSF/LFD is very flexible too.
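
A way to dry-run the rule above before LFD acts on it, as an added example that is not part of the thread or of CSF: the posted pattern is run over constructed access-log lines in Python (the regex syntax is the same in Perl) next to a stricter variant, which is an assumption of this example. It ignores LFD's counting interval and only compares per-IP hit counts against the trigger of 10.

```python
import re
from collections import Counter

# Pattern exactly as posted in the thread (same syntax in Perl and Python).
POSTED = re.compile(r'^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)')

# Assumed tightening, not from the thread: pin method, path and status to
# their own fields of the Apache combined log format.
STRICT = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"POST \S*/(wp-login\.php|xmlrpc\.php)(?:\?\S*)? HTTP/[\d.]+" (200|401) ')

TRIGGER = 10  # trigger count used by the posted rule


def offenders(lines, pattern, trigger=TRIGGER):
    """Return the client IPs that reach `trigger` matching lines."""
    hits = Counter(m.group(1) for m in map(pattern.match, lines) if m)
    return {ip for ip, count in hits.items() if count >= trigger}


def sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up sizes)."""
    stamp = '[10/Oct/2023:13:55:36 +0200]'
    tail = '"https://example.com/wp-login.php" "Mozilla/5.0"'
    # WordPress re-renders the form with 200 on a failed login ...
    failed = f'198.51.100.7 - - {stamp} "POST /wp-login.php HTTP/1.1" 200 4521 {tail}'
    # ... and redirects with 302 on success; here the size field is 200 bytes.
    success = f'203.0.113.20 - - {stamp} "POST /wp-login.php HTTP/1.1" 302 200 {tail}'
    # XML-RPC calls below the trigger count: must not be blocked by either rule.
    xmlrpc = f'192.0.2.44 - - {stamp} "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"'
    return [failed] * 12 + [success] * 10 + [xmlrpc] * 3


if __name__ == '__main__':
    log = sample_log()
    print('posted rule would block:', sorted(offenders(log, POSTED)))
    print('strict rule would block:', sorted(offenders(log, STRICT)))
```

The posted pattern also counts the successful logins from 203.0.113.20, because ` 200` matches the size field that follows the 302 status; the field-anchored variant blocks only 198.51.100.7.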
 