Portal Home > Knowledgebase > Articles Database > CSF's LFD not banning?
CSF's LFD not banning?
| Posted by Magistar, 09-22-2014, 11:02 PM |
| Hi there. I am new to using a VPS and I *thought* I had succesfully applied CSF to my DirectAdmin.
However from the Bruteforce monitor in DA I notice a lot of brute force attempts from the same ip. Now I know fromt he DA support pages that it is designed to only warn and not communicate with a firewall by default.
However it is my understanding that my enabled LFD should have banned this user a long time ago.
Is there someone with CSF experience that would be willing to check with me if I have missed some setting?
Example from DA:
(Where 174 is the number of attempts)
Most of this stuff seems to be aimed at "exim2" which I assume is the webmail? However there are also attempts on "proftpd2" and "proftpd1".
Also I have not found a file/page in CSF that lists currenltly banned ip's.
I hope someone is willing to educate me.
|
| Posted by @Jesse, 09-22-2014, 11:15 PM |
| Login as admin to DA. Near the footer I think it's under Admin settings or something like that. You can set max attempts to block and for how long.
|
| Posted by Magistar, 09-23-2014, 12:09 AM |
| Actually I did set the value in DA but I would like LFD to actually work .
|
| Posted by Promex, 09-23-2014, 01:58 AM |
| Hello,
CSF's LFD will not block DirectAdmin's Bruteforce attempts. You will need to configure a custom script in DirectAdmin to do so. It's being explained in this thread: http://forum.directadmin.com/showthread.php?t=44839
CSF's list of current banned IP can be found in csf - Firewall Deny IPs.
Regards
|
| Posted by my247webhosting, 09-23-2014, 01:40 PM |
| First check if firewall is working correctly using command perl /etc/csf/csftest.pl
If all results are fine then check the configuration in /etc/csf/csf.conf
Normally it does block brute force
|
| Posted by Magistar, 09-23-2014, 06:03 PM |
| All test show OK. There are some ip's in the deny list. Does not seem to include exim though.
The Deny list:
The config:
Anything wrong there?
|
| Posted by WPCYCLE, 09-24-2014, 12:34 AM |
| Your port numbers could be an issue. If your using default numbers, they will be hit first.
ssh, change from 22
ftp, change from 21
That's a start towards slowing down those hits. Also....the host your vps is from....do they offer any one-time hardening? Some will do this when you buy a vps, or may do it has a paid service.
Also, search through the sections on here. Lots of information that's very helpful. Just be careful to not leave anything too open that could result in bigger issues.
|
| Posted by Magistar, 09-24-2014, 12:18 PM |
| I know you are trying to help and the thought is appreciated. However I have already changed the ssh port.
My question is specific to the banning operation of LFD which seems to not be counting "exim" attempts because some ip's have tried this 170+ times without getting banned. Even though my blocking configuration uses 5 attempts for most services.
|
| Posted by WPCYCLE, 09-25-2014, 09:36 AM |
| You're Welcome. Sometimes it's the little things that get overlooked that can cause big issues later on.
Have you tried using Fail2Ban with your setup? Setting up Fail2Ban regex that will work with csf and block offending IP after X amount of attempts. Just like WordPress, there are attacks specific to WordPress that will go past cst and other similar setups. Fail2ban allows you create your own rules for your needs.
Here's a quick link that could get you started. I haven't used the information from this link, but I do use Fail2Ban for other projects with their own custom rules and it does what you're looking for.
https://github.com/fail2ban/fail2ban...er.d/exim.conf
|
Add to Favourites 
Print this Article
Also Read
DNS newbie (Views: 703)
Shared Hosting
Shared Hosting
