ConfigServer Security & Firewall (csf)

After giving up with IP tables, configserver is a great tool to manage what can get in and out of production servers.

What is LFD?

Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly

 Main files to understand

csf.conf - the main configuration file, it has helpful comments explaining what each option does
csf.allow - a list of IP's and CIDR addresses that should always be allowed through the firewall
csf.deny - a list of IP's and CIDR addresses that should never be allowed through the firewall
csf.ignore - a list of IP's and CIDR addresses that lfd should ignore and not not block if detected
csf.*ignore - various ignore files that list files, users, IP's that lfd should ignore.

csf on the command line

csf is your friend, these are the main terminal commands I use to easily troubleshoot firewall issues

csf -d <IP> : block IP
csf -a <IP> : allow IP
csf -dr <IP> : Removal IP from blocklist
csf -ar <IP> : Remove IP from allow list

lfd doesn't have any command line options of its own but is controlled through the init script /etc/init.d/lfd which stops and starts the daemon. It is configured using the /etc/csf/csf.conf file. For logs see /var/log/lfd.log.

Watch IP addresses

csf -w [ip]

Recommended method to use this function:

1. Enable WATCH_MODE

2. Restart csf

3. Restart lfd

4. Use the following to watch an IP:

csf -w

5. Watch the kernel iptables log for hits from the watched IP address (/var/log/kern.log || /var/log/messages)

Once you have finished watching an IP address you should:

1. Disable WATCH_MODE

2. Restart csf (which will also remove the watched ip rules)

3. Restart lfd

Prevent Email Alerts

nano /etc/csf/csf.ignore
add: exe:/user/lib/dovecot/pop3-login
/etc/init.d/lfd restart