Used the web-based configuration manager to set the config for CSF.
I see that there is a setting to take an IP / IP range from a temporary block to a permanent block.
I've enabled this functionality as such:
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
However, I am unsure where these settings are used. In general, what I am looking at doing is setting the config so that if there are invalid logins via FTP, SMTP, IMAP, or POP3 that they will be blocked initially for five minutes (300 seconds). But if the offender tries back four times within 24 hours, then they are blocked for 24 hours. I believe the settings noted above are correct for this.
But I have some confusion with the login failure section - because I only see the options to either permanently block - or provide a time. Example in my config:
LF_TRIGGER = 0 (this is because I want to set a different trigger for each item)
LF_TRIGGER_PERM = 0
LF_FTPD = 3 (block anyone that tries three invalid logins to FTP)
LF_FTPD_PERM = 1 (this is the setting I'm unsure of)
Hopefully my question is clear enough. I just want to make sure that the configuration is set so that initially, any attacker will be blocked for just five minutes (300 seconds) and then upon the fourth attack, they would then be blocked for 24 hours.
Thank you!
LF Temp to Permanent Ban
Re: LF Temp to Permanent Ban
Was able to answer this on my own after fixing the issue on how to block 401 errors in Apache.
Needless to say, you will set the specific "PERM" setting (such as LF_FTPD_PERM) to the temporary block amount - such as 300 seconds (5 minutes). The Temp-to-Perm settings will watch and once they are over the LF_PERMBLOCK_COUNT that you have set, it will permanently block that IP to the LF_PERMBLOCK_INTERVAL.
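Added example, not part of the original posts and not lfd's own code: a simplified Python model of the escalation described in the reply, using the thread's values with LF_FTPD_PERM set to 300. It assumes "over" means strictly more than LF_PERMBLOCK_COUNT temporary blocks inside LF_PERMBLOCK_INTERVAL and that failure counts never expire; the function names and sample IPs are constructed.

```python
from collections import defaultdict, deque

# Values from the thread's csf.conf. The escalation rule below is a simplified
# model (an assumption), not lfd's actual implementation.
LF_FTPD = 3                     # failed logins that trigger a block
LF_FTPD_PERM = 300              # >1 means a temporary block of this many seconds
LF_PERMBLOCK_INTERVAL = 86400   # window in which temporary blocks are counted
LF_PERMBLOCK_COUNT = 4          # more than this many temp blocks -> permanent


def simulate(failures):
    """failures: time-ordered (epoch_seconds, ip) failed FTP logins.
    Returns a list of (epoch_seconds, ip, action) block events."""
    fail_count = defaultdict(int)      # failures since the last block, per IP
    temp_blocks = defaultdict(deque)   # timestamps of recent blocks, per IP
    blocked_until = {}                 # ip -> expiry (inf = permanent)
    events = []
    for ts, ip in failures:
        if ts < blocked_until.get(ip, 0):
            continue                   # traffic is dropped while blocked
        fail_count[ip] += 1
        if fail_count[ip] < LF_FTPD:
            continue
        fail_count[ip] = 0
        window = temp_blocks[ip]
        window.append(ts)
        # Forget blocks that fell out of the LF_PERMBLOCK_INTERVAL window.
        while window and window[0] <= ts - LF_PERMBLOCK_INTERVAL:
            window.popleft()
        if len(window) > LF_PERMBLOCK_COUNT:
            blocked_until[ip] = float("inf")
            events.append((ts, ip, "permanent"))
        else:
            blocked_until[ip] = ts + LF_FTPD_PERM
            events.append((ts, ip, f"temp {LF_FTPD_PERM}s"))
    return events


def bursts(ip, start, every, n):
    """Constructed sample input: n bursts of LF_FTPD failures, one per second."""
    return [(start + k * every + i, ip) for k in range(n) for i in range(LF_FTPD)]


if __name__ == "__main__":
    # A client retrying every 10 minutes versus one retrying every 7 hours.
    for ev in simulate(bursts("203.0.113.5", 0, 600, 6)):
        print(ev)
    for ev in simulate(bursts("198.51.100.7", 0, 25200, 6)):
        print(ev)
```

In this model the client that returns every 7 hours never has more than four temporary blocks inside one 24-hour window, so it keeps receiving 300-second blocks and is never escalated.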