CSF Ignoring Configuration

SockThief
Junior Member
Posts: 3
Joined: 03 Mar 2015, 09:56

CSF Ignoring Configuration

Post by SockThief »

I have done a look through the forum and (amazingly) didn't find anything that matched - so, I guess I used the wrong search term!

I am testing (hence the seemingly strange restrictive values) my SSH Configuration and have these settings:

LF_TRIGGER = "1" (I don't care what service you try to access)
LF_TRIGGER_PERM = "1" (permanently block)
LF_SELECT = "0" (complete block)
LF_SSHD = "1" (active)
LF_SSHD_PERM = "1" (permanent, but shouldn't have any effect due to LF_TRIGGER_PERM)
LF_INTERVAL = 86400 (1 failed login in the last 24 hours)
LF_PARSE = 1 (scan logs every second)

After changing the settings, I run csf -r to re-read the config, and I know this is successful, because it gives me warnings about crazy values (in this case LF_PARSE, but I can put a crazy value in for LF_INTERVAL and it will warn me as well) -> so I know the latest changes are read.

I then tail -f on /var/log/lfd.log, fire up another machine, and start trying to SSH in. My SSHD will let me try a password 3 times - I guess, like fail2ban, 3 password fails == 1 attempt to login?

In any case, I am expecting after 1 failure to be blocked. But no matter what I set the above values to, it always takes 5 SSH attempts to block myself.... In actuality, the block message comes to lfd.log in the middle of the 5th login attempt (i.e.: after two password prompts/inputs, I see the block message in lfd.log and I see from my ssh terminal that I am actually blocked).

I thought this might be due to the LF_PARSE value (hence I set it to 1), but after a failed login, I wait, go make a cup of coffee, watch some cricket, and nope! still not blocked. Which when looking at the lfd.log file is not surprising, as the output on that is:

Failed SSH login from <ip> (hostname): 5 in the last 3600 sec - *Block in csf* [LF_SSHD]

... what? wait! I said 1 failure, in 86400 secs! But at least the actions of CSF match the log, however, it appears CSF is completely ignoring what I want it to do!

In another test, I have two terminals open to the server, one tail -f /var/log/auth.log and one tail -f /var/log/lfd.log, and also the system console tail -f /var/log/lfd.log. From a local terminal on my laptop, I start trying to ssh into the server.

(remember for each ssh user@ip I do, I get 3 password attempts)

After each login attempt (not password entry, but actual calls to ssh user@ip) I put a couple of new lines in the auth.log. I can therefore clearly see the different ssh attempts. And indeed, I do not get blocked until after the first password attempt in the 5th ssh session; no matter what I change.

As I said earlier, when re-reading the config, the sanity parser is at least running on the latest config, but it definitely appears as if csf is not using the config - is it using a cached copy? or am I modifying the wrong values? is this a bug?
SockThief
Junior Member
Posts: 3
Joined: 03 Mar 2015, 09:56

Re: CSF Ignoring Configuration

Post by SockThief »

Ok! so, turns out I needed to restart lfd (/etc/init.d/lfd restart) - I would love to fall on my sword and say I should have read the manual - but on returning to the readme.txt I can find only veiled references that suggest you should, perhaps, restart lfd. About the only mention I can find is this (which is in the section on IP Blocklists):

Uncomment the line starting with the rule name to use it, then restart csf and
then lfd

So, in short, it all works great, and unlike fail2ban, one password attempt is enough to block! So I'm a happy man right now, but perhaps the docs could be improved

cheers!
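A quick check for the symptom described in this thread (an lfd block line whose failure count and window do not match the csf.conf on disk, which is what a not-yet-restarted lfd looks like), as an added shell example that is not from the original post or from the CSF project. The csf.conf fragment and the lfd.log line below are constructed samples; on a real host you would point it at /etc/csf/csf.conf and the lines from /var/log/lfd.log.

```shell
#!/bin/sh
# Constructed sample data (not from a real system): a csf.conf fragment with
# the thread's values, and one lfd.log block line in the format quoted above.
CSF_CONF_SAMPLE='LF_TRIGGER = "1"
LF_SSHD = "1"
LF_INTERVAL = 86400'
LFD_LOG_SAMPLE='Mar  3 10:15:02 host lfd[1234]: Failed SSH login from 203.0.113.5 (example.invalid): 5 in the last 3600 sec - *Block in csf* [LF_SSHD]'

CONF_FILE=$(mktemp)
printf '%s\n' "$CSF_CONF_SAMPLE" > "$CONF_FILE"

# conf_value FILE KEY: print the last value set for KEY, with optional quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_lfd_block LINE CONF_FILE: print "current" when the block line agrees with
# csf.conf (same window, count at or above the active threshold), "stale" when it
# does not (the running lfd still has the old config), "no-match" if LINE is not a
# "N in the last M sec" block message.
check_lfd_block() {
    line=$1; conf=$2
    pat='.*: \([0-9][0-9]*\) in the last \([0-9][0-9]*\) sec.*'
    count=$(printf '%s\n' "$line" | sed -n "s/$pat/\1/p")
    window=$(printf '%s\n' "$line" | sed -n "s/$pat/\2/p")
    [ -n "$count" ] || { echo "no-match"; return 0; }
    want_window=$(conf_value "$conf" LF_INTERVAL)
    # LF_TRIGGER > 0 overrides the per-service threshold; otherwise LF_SSHD applies.
    threshold=$(conf_value "$conf" LF_TRIGGER)
    [ "$threshold" -gt 0 ] 2>/dev/null || threshold=$(conf_value "$conf" LF_SSHD)
    if [ "$window" = "$want_window" ] && [ "$count" -ge "$threshold" ]; then
        echo "current"
    else
        echo "stale"
    fi
}

check_lfd_block "$LFD_LOG_SAMPLE" "$CONF_FILE"   # prints "stale" for the sample line
```

A "stale" result means the values lfd is enforcing predate the last edit; restarting lfd (the `/etc/init.d/lfd restart` from the post, or `csf -ra` to restart both csf and lfd) makes the next block line report the configured window.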