ConfigServer Security & Firewall (csf)
After giving up on hand-maintained iptables rules, ConfigServer Security & Firewall (csf) is a great tool for managing what can get in and out of production servers. It does not replace iptables; it generates and manages the iptables rules for you, so the packet filter underneath is the same one you would otherwise script by hand, just with a sane set of files and commands in front of it.
What is LFD?
Login Failure Daemon (lfd) is a process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that keep failing within a short period of time. Such attempts are usually called brute-force attacks; lfd responds to these patterns very quickly and blocks the offending IPs. Whether a block is temporary or permanent depends on the LF_TRIGGER_PERM setting in csf.conf, and every block lfd makes is recorded in /var/log/lfd.log.
Main files to understand
csf.conf - the main configuration file (/etc/csf/csf.conf); it has helpful comments explaining what each option does
csf.allow - a list of IPs and CIDR ranges that should always be allowed through the firewall
csf.deny - a list of IPs and CIDR ranges that should never be allowed through the firewall
csf.ignore - a list of IPs and CIDR ranges that lfd should ignore and not block if detected
csf.*ignore - various other ignore files (for example csf.pignore for processes and csf.fignore for files) listing things lfd should not alert on or block
csf on the command line
csf is your friend; these are the main terminal commands I use to easily troubleshoot firewall issues.
csf -d <IP> : block an IP (adds it to csf.deny)
csf -a <IP> : allow an IP (adds it to csf.allow)
csf -dr <IP> : remove an IP from the deny list
csf -ar <IP> : remove an IP from the allow list
Entries made with -d and -a are permanent; they are written to csf.deny and csf.allow and survive restarts. That is different from the temporary blocks lfd creates on its own, which have their own commands. Also worth knowing when troubleshooting:
csf -g <IP> : show every iptables and ip6tables rule that matches the IP (or CIDR, or port); the first thing to run when something is unexpectedly blocked or allowed
csf -t : list the current temporary blocks (the ones lfd created) and how long each has left
csf -tr <IP> : remove a temporary block; csf -dr only touches csf.deny and will not remove these
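As an added example (not part of the original notes and not csf's own code), a small POSIX sh wrapper around csf -d that checks its input before it touches the firewall: it rejects anything that is not an IPv4 address or CIDR, so a hostname or a stray shell metacharacter never reaches the csf command line, and it refuses to deny an address that is already in csf.allow, because an address present in both lists is the usual cause of a confusing "why is this still getting through" session. The CSF_BIN and CSF_ALLOW variables, the function names and the sample allow-list entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not csf's own code: a guard around "csf -d".
# Assumptions: CSF_BIN is the csf command (default: csf on PATH) and
# CSF_ALLOW is the allow list (default: /etc/csf/csf.allow).
CSF_BIN="${CSF_BIN:-csf}"
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address, optionally
# followed by /PREFIX with PREFIX in 0..32. Anything else (IPv6, hostnames,
# shell metacharacters, globs) is rejected before it can reach a command line.
valid_ipv4() {
    addr="${1%%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    # only digits and dots, no leading/trailing/double dots
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_allow_list ADDR: succeed if ADDR is an entry in csf.allow. Entries may
# carry a trailing "# comment", so only the first field is compared.
in_allow_list() {
    [ -r "$CSF_ALLOW" ] || return 1
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$CSF_ALLOW"
}

# deny_ip ADDR [COMMENT]: validate, then add ADDR to csf.deny via "csf -d".
# Returns 2 for malformed input, 3 if the address is in the allow list.
deny_ip() {
    if ! valid_ipv4 "$1"; then
        echo "deny_ip: refusing '$1': not an IPv4 address or CIDR" >&2
        return 2
    fi
    if in_allow_list "$1"; then
        echo "deny_ip: refusing '$1': it is listed in $CSF_ALLOW" >&2
        return 3
    fi
    "$CSF_BIN" -d "$1" "${2:-added by deny_ip wrapper}"
}
```

Usage is `deny_ip 203.0.113.8 "ssh brute force"`; csf accepts that second argument as the comment stored next to the entry in csf.deny, which is worth the habit because an uncommented deny list is unreadable a year later.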
lfd doesn't have any command line options of its own but is controlled through the init script /etc/init.d/lfd, which stops and starts the daemon (on systemd hosts, systemctl start/stop/restart lfd does the same). It is configured using the /etc/csf/csf.conf file. For logs see /var/log/lfd.log; that is where you find which IP was blocked, why (the LF_* or PS_* trigger name at the end of the line) and whether the block was temporary or permanent.
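To make lfd.log useful rather than just long, here is an added example (not from the original notes or from csf) that summarises which IPs lfd has blocked, on which trigger, and whether the block was temporary or permanent, and then lists the repeat offenders that are candidates for a permanent csf -d. The sample log lines are constructed in the shape of lfd's "*Blocked in csf*" messages and are an assumption, not captured logs; the function names are likewise mine.

```shell
#!/bin/sh
# Added example, not csf's own code: summarise lfd blocks from /var/log/lfd.log.
# The sample entries are constructed to look like lfd's messages (assumption).

# blocked_ips LOGFILE: one line per blocked IP,
# "<blocks> <ip> <trigger> <temporary|permanent>", most-blocked first.
# Temporary blocks say "for N secs" after "*Blocked in csf*"; permanent ones do not.
blocked_ips() {
    awk '
    /\*Blocked in csf\*/ {
        if (!match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) next
        ip = substr($0, RSTART + 5, RLENGTH - 5)
        trig = "UNKNOWN"
        if (match($0, /\[[A-Z0-9_]+\]$/)) trig = substr($0, RSTART + 1, RLENGTH - 2)
        kind = ($0 ~ /\*Blocked in csf\* for [0-9]+ secs/) ? "temporary" : "permanent"
        n[ip]++; t[ip] = trig; k[ip] = kind
    }
    END { for (ip in n) print n[ip], ip, t[ip], k[ip] }' "$1" | sort -rn
}

# repeat_offenders LOGFILE MIN: IPs blocked at least MIN times, the candidates
# for a permanent "csf -d" instead of yet another temporary lfd block.
repeat_offenders() {
    blocked_ips "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# write_sample_log FILE: constructed sample entries, not real traffic.
# The last line is a failure notice without a block and must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:22:13 web1 lfd[2211]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
Mar  1 10:25:41 web1 lfd[2211]: (ftpd) Failed FTP login from 198.51.100.9 (DE/Germany/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Mar  1 10:31:02 web1 lfd[2211]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
Mar  1 10:33:10 web1 lfd[2211]: *Port Scan* detected from 192.0.2.77 (NL/Netherlands/-). 11 hits in the last 22 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Mar  1 10:40:00 web1 lfd[2211]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 3 in the last 3600 secs
EOF
}

# Stand-alone run: "sh this.sh --demo" builds the sample file and prints the summary.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_log "$f"; blocked_ips "$f"; rm -f "$f"
fi
```

On a real host run `blocked_ips /var/log/lfd.log` (and `repeat_offenders /var/log/lfd.log 3`); an IP that keeps coming back as a temporary block is exactly the one to move to csf.deny, or to raise LF_TRIGGER_PERM for, rather than letting lfd re-block it every hour.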
Watch IP addresses
csf -w [ip]
Recommended method to use this function:
1. Enable WATCH_MODE in /etc/csf/csf.conf (WATCH_MODE = "1")
2. Restart csf (csf -r)
3. Restart lfd
4. Use the following to watch an IP:
csf -w 126.96.36.199
5. Watch the kernel iptables log for hits from the watched IP address (/var/log/kern.log or /var/log/messages, depending on the distribution)
Once you have finished watching an IP address you should:
1. Disable WATCH_MODE (WATCH_MODE = "0")
2. Restart csf (which will also remove the watched IP rules)
3. Restart lfd
WATCH_MODE is a troubleshooting setting, not a permanent one: the watch rules log every packet from the address as it passes through the chains, so switch it off as soon as you have your answer.
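The whole watch procedure as a script, added here as an example and not taken from the notes or from csf: one function flips an option in csf.conf safely (temporary copy, then move into place, so a failed edit never leaves a half-written csf.conf), two functions run the enable/watch and disable sequences above, and a fourth reads the kernel log and counts what the watched address hit, grouped by the iptables log prefix, protocol and destination port. The SRC= token is compared whole, so watching 10.0.0.1 does not also collect 10.0.0.10. The kernel log lines are constructed in the shape of csf's iptables LOG output and are an assumption, as are the function names and the CSF_CONF variable; the lfd restart uses the init script named in the notes.

```shell
#!/bin/sh
# Added example, not csf's own code: the WATCH_MODE procedure as functions,
# plus a report of what the kernel log recorded for the watched IP.
# Assumption: csf.conf stores options as KEY = "value" lines.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# set_csf_option FILE KEY VALUE: rewrite the KEY = "..." line in a csf.conf-style
# file. Fails if KEY is absent rather than silently appending a new option.
set_csf_option() {
    grep -q "^$2 = " "$1" || { echo "set_csf_option: $2 not in $1" >&2; return 1; }
    tmp="$1.tmp.$$"
    sed "s|^$2 = .*|$2 = \"$3\"|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# start_watch IP / stop_watch: the enable/watch/disable sequence from the notes.
start_watch() {
    set_csf_option "$CSF_CONF" WATCH_MODE 1 || return 1
    csf -r                      # restart csf so it picks up WATCH_MODE
    /etc/init.d/lfd restart     # restart lfd
    csf -w "$1"                 # add the watch rules for this IP
}
stop_watch() {
    set_csf_option "$CSF_CONF" WATCH_MODE 0 || return 1
    csf -r                      # restarting csf also removes the watch rules
    /etc/init.d/lfd restart
}

# watch_hits IP LOGFILE: "<hits> <log prefix> <proto> <dport>" per combination,
# most hits first, for kernel log lines whose SRC= is exactly IP. The prefix is
# the text between "kernel: " and " IN=", e.g. "Firewall: *TCP_IN Blocked*".
watch_hits() {
    awk -v ip="$1" '
    {
        hit = 0
        for (i = 1; i <= NF; i++) if ($i == ("SRC=" ip)) hit = 1
        if (!hit) next
        prefix = "?"; proto = "?"; dpt = "-"
        if (match($0, /kernel: .* IN=/)) prefix = substr($0, RSTART + 8, RLENGTH - 12)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[prefix "\t" proto "\t" dpt]++
    }
    END { for (k in n) print n[k] "\t" k }' "$2" | sort -rn
}

# write_sample_kern_log FILE: constructed lines (not captured traffic); the
# fourth line is a different address with a matching prefix and must not count.
write_sample_kern_log() {
    cat > "$1" <<'EOF'
Mar  1 11:02:03 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=126.96.36.199 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 11:02:05 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=126.96.36.199 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar  1 11:02:09 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=126.96.36.199 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51236 DPT=3306 SYN URGP=0
Mar  1 11:02:11 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=... SRC=126.96.36.19 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Mar  1 11:02:15 web1 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=... SRC=126.96.36.199 DST=198.51.100.2 LEN=48 PROTO=UDP SPT=5353 DPT=53 LEN=28
EOF
}
```

In practice: `start_watch 126.96.36.199`, reproduce the problem, then `watch_hits 126.96.36.199 /var/log/kern.log` (or /var/log/messages) tells you which chain dropped or accepted the traffic and on which port, which is usually enough to spot the offending rule with csf -g; finish with `stop_watch`.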
Prevent Email Alerts