Search found 10 matches

by ksihota
08 Sep 2020, 05:04
Forum: General Discussion (csf)
Topic: LFD log does not show any problem IP info
Replies: 3
Views: 2403

Re: LFD log does not show any problem IP info

Managed to set up a custom 'Failed SASL login' IP block and it is showing a temporary block as expected.
I think I have finally got it figured out. Now I just need to monitor my logs and the CSF/LFD blocks to ensure it's working as expected.

by ksihota
07 Sep 2020, 16:28
Forum: General Discussion (csf)
Topic: LFD log does not show any problem IP info
Replies: 3
Views: 2403

Re: LFD log does not show any problem IP info

I believe that my LFD issue (log not displaying any blocks) was due to a change in the log files used for SMTP and ProFTP. Both had been set for var/logs/messages but the proper log files were var/log/maillog (SMTP) and var/log/secure (ProFTP). Not sure if they had never been set correctly or if it w...

by ksihota
06 Sep 2020, 19:39
Forum: General Discussion (csf)
Topic: LFD log does not show any problem IP info
Replies: 3
Views: 2403

Re: LFD log does not show any problem IP info

After making quite a few changes in the CSF/LFD config I appear to be having some of the SMTP login failure IPs being tagged and placed in the Deny file. These are permanent blocks but I still can't see any temp blocks happening in the log nor do I see any file in CSF that holds the temporary blocke...

by ksihota
06 Sep 2020, 19:09
Forum: General Discussion (csf)
Topic: How to Disable Temporary SSHD login alert mail
Replies: 3
Views: 3003

Re: How to Disable Temporary SSHD login alert mail

You can use this and set it to not send emails but you won't get any blocked alerts

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

You could also create a special email account just to receive the LFD alerts and redirect the emails there. ...

by ksihota
03 Sep 2020, 06:53
Forum: General Discussion (csf)
Topic: Sudden Failed IMAP Logins
Replies: 1
Views: 1487

Re: Sudden Failed IMAP Logins

Failed IMAP authorization would be a bad password or username using his real IP address, so maybe an incorrect setting in a mail client that attempts to connect every few minutes?
If it's an inability to connect after so many tries in a set period of time, Login Tracking can do that.

by ksihota
03 Sep 2020, 01:09
Forum: General Discussion (csf)
Topic: SSH Login Problem with CSF because of Dynamic IP
Replies: 1
Views: 1572

Re: SSH Login Problem with CSF because of Dynamic IP

Not sure if this is what you are asking. Can't you just add Port 22 to your allowed list in the csf.conf file? I assume you are talking about the IP address (changing) on the computer you use to access your server and not the Server's IP address.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25...

by ksihota
02 Sep 2020, 19:32
Forum: General Discussion (csf)
Topic: Suspicious Process. Can't stop the notifications
Replies: 1
Views: 2354

Re: Suspicious Process. Can't stop the notifications

I don't know if csf -ra restarts LFD as well.
Did you try restarting LFD after making your changes to pignore just in case?

I read somewhere that LFD had to be restarted as well for it to work properly. Might be worth a try.

by ksihota
02 Sep 2020, 19:20
Forum: General Discussion (csf)
Topic: How to Disable Temporary SSHD login alert mail
Replies: 3
Views: 3003

Re: Disable Temporary SSHD login alert mail

Do you mean this?

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

by ksihota
02 Sep 2020, 18:07
Forum: General Discussion (csf)
Topic: LFD log does not show any problem IP info
Replies: 3
Views: 2403

LFD log does not show any problem IP info

I am trying to figure out why the LFD is not showing or catching any IPs that have been failing authentication. I have had a lot of unauthorized IPs trying to log in to mail, ftp, ssh etc but they never show up in the LFD log nor do they appear in the CSF deny list. I can manually add them to the de...

by ksihota
31 Aug 2020, 01:42
Forum: General Discussion (csf)
Topic: log error - Deleted -
Replies: 0
Views: 2041

log error - Deleted -

---Deleted---