root ssh alert ignored ????

prabudh
Junior Member
Posts: 33
Joined: 10 Dec 2006, 13:05
Location: India

root ssh alert ignored ????

Post by prabudh »

Upgraded to v3.01 and now the server doesn't mail the login alert;
this is happening on 2 of my servers.

csf log shows:-
Sun Jan 5 07:45:49 2008 lfd: *SSH login* from xx.xx.119.245 into the root account using password authentication - ignored

Nothing else has been changed on the server.

Other boxes running older versions still send alerts properly.

Any solutions?
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

lfd will ignore any IPs that you have listed in csf.ignore, in any global ignore file that is set up, and any IP in /etc/relayhosts at the time if you have the RELAYHOSTS option enabled.
prabudh
Junior Member
Posts: 33
Joined: 10 Dec 2006, 13:05
Location: India

Post by prabudh »

chirpy wrote: lfd will ignore any IPs that you have listed in csf.ignore, in any global ignore file that is set up, and any IP in /etc/relayhosts at the time if you have the RELAYHOSTS option enabled.

Thanks for the reply. I am not an expert, but I think this option is expecting any of the IPs in relayhost to be a trusted user.

Ignoring the IPs in /etc/relayhosts can be risky, because a spammer who compromised an account and sent any mails, and later gains ssh access anyhow, can do enough harm, as the ADMIN is not notified.

please check on that too,

regards,
p
mediastock4u
Junior Member
Posts: 2
Joined: 08 Jan 2008, 21:31

Post by mediastock4u »

Hi.

This is very contradictory.

You either disable relay-hosts and suddenly you get the warning and also make your security score go down, or you enable it and can't see who is logging into the server via SSH. I have tried to delete the IPs from the etc/relayhosts log, and as soon as I log in via ssh, it puts those IPs back there.

Can this bug be fixed ASAP?

Cheers,
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll remove RELAYHOSTS from the Server Check report as it shouldn't be considered less secure to enable the option. You cannot simply empty /etc/relayhosts as that file is updated by the cPanel antirelayd process.
mediastock4u
Junior Member
Posts: 2
Joined: 08 Jan 2008, 21:31

Post by mediastock4u »

Nice one Chirpy :)

When do you think this will be updated?

Cheers,
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

It'll be in the next release, but I'm not sure when that will be.
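
An added example, not part of the original thread and not csf/lfd code: a Python script that pulls the "- ignored" SSH login lines out of an lfd log and reports whether each source address is currently covered by csf.ignore or /etc/relayhosts, so logins that were ignored only because of a relay-host entry can be reviewed. The function names, the one-address-or-CIDR-per-line file format and the sample data are assumptions; because /etc/relayhosts changes over time, an address may no longer be listed when the check runs.

```python
import ipaddress
import re

# Matches the lfd line format quoted in the first post of the thread.
IGNORED_LOGIN = re.compile(
    r"lfd: \*SSH login\* from (?P<ip>\S+) into the (?P<user>\S+) account "
    r"using (?P<method>.+?) authentication - ignored"
)

def load_networks(text):
    """Parse one IP or CIDR per line; '#' starts a comment (assumed format)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip entries that are not plain IPs or CIDRs
    return nets

def explain_ignored(log_text, csf_ignore_text, relayhosts_text):
    """Return (ip, user, method, matching_lists) for each ignored SSH login."""
    lists = {
        "csf.ignore": load_networks(csf_ignore_text),
        "/etc/relayhosts": load_networks(relayhosts_text),
    }
    findings = []
    for line in log_text.splitlines():
        m = IGNORED_LOGIN.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # masked or malformed address in the log
        sources = [name for name, nets in lists.items()
                   if any(ip in net for net in nets)]
        findings.append((str(ip), m["user"], m["method"], sources))
    return findings

# Constructed sample data (documentation address ranges, not from the thread).
SAMPLE_LOG = """\
Sun Jan 5 07:45:49 2008 lfd: *SSH login* from 192.0.2.10 into the root account using password authentication - ignored
Sun Jan 5 08:02:11 2008 lfd: *SSH login* from 198.51.100.7 into the root account using password authentication - ignored
Sun Jan 5 09:15:30 2008 lfd: *SSH login* from 203.0.113.5 into the root account using password authentication
"""
SAMPLE_CSF_IGNORE = "# admin office (constructed)\n192.0.2.0/24\n"
SAMPLE_RELAYHOSTS = "198.51.100.7\n192.0.2.10\n"

if __name__ == "__main__":
    for ip, user, method, src in explain_ignored(SAMPLE_LOG, SAMPLE_CSF_IGNORE, SAMPLE_RELAYHOSTS):
        flag = "REVIEW" if src == ["/etc/relayhosts"] else "ok"
        print(f"{flag:6} {user}@{ip} via {method}: {', '.join(src) or 'no current match'}")
```

Entries flagged REVIEW are the case raised in the thread: the login was suppressed by a relay-host entry alone, not by an address the administrator listed in csf.ignore.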