CSF/LFD Does not automatically block IPs
-
- Junior Member
- Posts: 33
- Joined: 09 Jan 2018, 12:52
CSF/LFD Does not automatically block IPs
General info:
Fresh installations, no other firewall running
Linux Debian 9.3 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux
CSF/LFD version 11.05 or 11.06
Config file excerpt:
LF config from /etc/csf/csf.conf
LF_DAEMON = "1"
LF_CSF = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
Expected behavior:
When people try to brute-force one of the above services, IPs get automatically blocked by CSF/LFD, by putting them in the /etc/csf/csf.deny file and making the appropriate changes in iptables.
Actual behavior:
Nothing happens. No changes are being made to csf.deny or iptables.
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: CSF/LFD Does not automatically block IPs
We're unable to recreate issues on Debian v9.3; you need to provide technical information about where the issue is.
If you're having issues with the regexes then you need to post examples where lfd is not picking up the login failures from the logs. For example, in the log that you have configured for SSHD_LOG, provide a log line from that log that shows the login failure and the IP address that lfd is not showing in /var/log/lfd.log.
I just tested SSH login failures for SSHD_LOG pointing to /var/log/auth.log and the following log lines were detected correctly and the IP is blocked in iptables:
Feb 15 09:36:42 debian sshd[1692]: Invalid user bob from 192.168.254.60 port 33242
Feb 15 09:36:44 debian sshd[1692]: Failed password for invalid user bob from 192.168.254.60 port 33242 ssh2
Blocked IP:
root@debian:~# csf -g 192.168.254.60
Chain num pkts bytes target prot opt in out source destination
DENYIN 1 0 0 DROP all -- !lo * 192.168.254.60 0.0.0.0/0
DENYOUT 1 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 192.168.254.60
-
- Junior Member
- Posts: 33
- Joined: 09 Jan 2018, 12:52
Re: CSF/LFD Does not automatically block IPs
Thank you for your reply. This example is not SSHD; it's SMTPD.
From /etc/csf/csf.conf:
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
From /var/log/mail.log:
Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
From the /var/log/lfd.log:
Feb 6 00:00:02 mail02 lfd[28773]: Main Process: TERM
Feb 6 00:00:02 mail02 lfd[28773]: daemon stopped
Feb 6 00:00:03 mail02 lfd[29627]: daemon started on mail02 - csf v11.05 (generic)
Feb 6 00:00:03 mail02 lfd[29627]: LF_APACHE_ERRPORT: Set to [2]
Feb 6 00:00:03 mail02 lfd[29627]: Restricting syslog/rsyslog socket acccess to group [mysyslog]...
Feb 6 00:00:03 mail02 lfd[29627]: CSF Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: IPv6 Enabled...
Feb 6 00:00:03 mail02 lfd[29627]: LOAD Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Country Code Lookups...
Feb 6 00:00:03 mail02 lfd[29627]: Exploit Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Temp to Perm Block Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Account Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: SSH Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Webmin Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: SU Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Console Tracking...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/messages...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/customlog...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/apache2/error.log...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/auth.log...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/secure...
No blocked IP:
root@mail02:~# csf -g 90.152.53.250
Chain num pkts bytes target prot opt in out source destination
No matches found for 90.152.53.250 in iptables
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 90.152.53.250 in ip6tables
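A quick cross-check of the evidence in this post, as an added example in Python (not CSF's code and not posted by anyone in the thread): the lfd.log excerpt lists the files lfd is watching, and csf.conf says which *_LOG file each trigger reads. The script parses constructed excerpts modelled on the two posted above and reports, for the file that actually holds the SASL failures, which *_LOG settings point at it, whether any of them has a non-zero LF_* trigger, and whether lfd reported watching it. The rule that an XXX_LOG file is only read when LF_XXX is non-zero is an assumption of this example, not something the thread states.

```python
import re

# Constructed excerpt modelled on the csf.conf settings posted in the thread.
CSF_CONF = """
LF_SMTPAUTH = "5"
LF_POP3D = "0"
LF_IMAPD = "0"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
"""

# Constructed excerpt modelled on the "Watching ..." lines lfd writes to
# /var/log/lfd.log when it starts.
LFD_LOG = """
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/messages...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/auth.log...
Feb 6 00:00:03 mail02 lfd[29627]: Watching /var/log/secure...
"""

CONF_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')
WATCHING = re.compile(r"lfd\[\d+\]: Watching (\S+?)\.\.\.$")


def parse_conf(text):
    """Return {KEY: value} for every KEY = "value" line in a csf.conf excerpt."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def watched_logs(text):
    """Return the set of files lfd reported as 'Watching' in its own log."""
    return {m.group(1) for m in map(WATCHING.search, text.splitlines()) if m}


def audit_log_coverage(conf, watched, logfile):
    """Explain why failures written to `logfile` may never reach lfd.

    Returns which *_LOG settings point at the file, which of those have a
    non-zero LF_* trigger (so lfd has a reason to read the file at all), and
    whether lfd actually reported watching it.
    """
    pointing = sorted(k for k, v in conf.items() if k.endswith("_LOG") and v == logfile)
    # Assumption (not from the thread): XXX_LOG is read only when LF_XXX is non-zero.
    enabled = [k for k in pointing if conf.get("LF_" + k[:-4], "0") != "0"]
    return {"pointing": pointing, "enabled": enabled, "watched": logfile in watched}


def describe(logfile, result):
    """Turn an audit result into a one-line diagnosis."""
    if result["watched"]:
        return f"{logfile} is watched via {', '.join(result['enabled']) or 'no trigger'}"
    if not result["pointing"]:
        return f"{logfile} is not named by any *_LOG setting"
    return (f"{logfile} is named by {', '.join(result['pointing'])} but every "
            f"matching LF_* trigger is 0, so lfd never opens it")


if __name__ == "__main__":
    conf = parse_conf(CSF_CONF)
    watched = watched_logs(LFD_LOG)
    for f in ("/var/log/mail.log", "/var/log/secure"):
        print(describe(f, audit_log_coverage(conf, watched, f)))
```

Run against the constructed excerpts, it reports that /var/log/mail.log is referenced only by POP3D_LOG and IMAPD_LOG, both with triggers set to 0, and is absent from lfd's Watching list, while /var/log/secure, the file SMTPAUTH_LOG names, is the one being watched.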
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: CSF/LFD Does not automatically block IPs
That format is not currently picked up by the regexes. We will put it on the development list. For now, you would have to create custom regexes to block those log lines.
-
- Junior Member
- Posts: 33
- Joined: 09 Jan 2018, 12:52
Re: CSF/LFD Does not automatically block IPs
Do you have any tips for this workaround? How to create these regexes?
-
- Junior Member
- Posts: 33
- Joined: 09 Jan 2018, 12:52
Re: CSF/LFD Does not automatically block IPs
I apologize for opening a bug report for what was not a bug, but was indeed a misconfiguration. I did not know anything about these regexes. For people who have the same problem as me:
- I've edited /etc/csf/csf.conf and at the bottom added a custom log:
CUSTOM1_LOG = "/var/log/mail.log"
- Then I've added the regex in /usr/local/csf/bin/regex.custom.pm. In my case it looks like this:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
}
This will permanently block an IP that has 10 failed SASL login attempts. You can check your regexes here:
https://regex101.com/
- Restart CSF:
# csf -r
- Restart CSF and LFD:
# systemctl restart csf lfd
I've tested this and it works.
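To see what the custom rule does before restarting lfd, here is an added Python example (not from the thread's author and not CSF's own code) that transcribes the regex above into Python's re module (the two engines agree on every construct it uses), fills in the six return fields the way the regex.custom.pm rule does, and replays constructed sample lines through it with lfd's counting logic: one hit per matching line, and a block on the rule's ports once an IP reaches the trigger level. The sample lines use RFC 5737 documentation addresses and include syslog's two-space day padding ("Feb  6"), a PLAIN mechanism, a non-failure line and an IPv6 client, which the rule's dotted-quad capture cannot match.

```python
import re
from collections import Counter

# The custom lfd rule posted above, transcribed into a Python regex.
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/submission/smtpd\[\d+\]: warning:"
    r".*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed"
)

# The six fields the rule returns, in regex.custom.pm order: message text,
# offending IP (filled in per match), rule id, trigger level, ports to block,
# duration ("1" = permanent block, anything else = temporary block in seconds).
RULE = ("Failed SASL login from", None, "mysaslmatch", "10", "25,465,587", "1")


def match_sasl_failure(line):
    """Return the rule tuple with the offending IP filled in, or None if no match."""
    m = SASL_FAIL.search(line)
    if not m:
        return None
    return RULE[:1] + (m.group(1),) + RULE[2:]


def simulate_lfd(lines):
    """Replay log lines through the rule the way lfd counts them.

    Returns (blocks, counts): blocks maps IP -> (ports, duration) for every IP
    that reached the trigger level; counts is the failure count per IP.
    """
    counts = Counter()
    blocks = {}
    for line in lines:
        hit = match_sasl_failure(line)
        if hit is None:
            continue
        _, ip, _rule_id, trigger, ports, duration = hit
        if ip in blocks:
            continue  # already blocked; further hits from this IP change nothing
        counts[ip] += 1
        if counts[ip] >= int(trigger):
            blocks[ip] = (ports, "permanent" if duration == "1" else f"{duration}s")
    return blocks, counts


def sample_lines():
    """Constructed sample log lines (RFC 5737 addresses), not taken from the thread."""
    tmpl = ("Feb  6 05:3{i}:00 mail02 postfix/submission/smtpd[2459]: warning: "
            "client.example[{ip}]: SASL {mech} authentication failed: UGFzc3dvcmQ6")
    # Ten LOGIN failures: exactly the trigger level of the rule.
    lines = [tmpl.format(i=i, ip="203.0.113.7", mech="LOGIN") for i in range(10)]
    # Three PLAIN failures: matched and counted, but below the trigger level.
    lines += [tmpl.format(i=i, ip="198.51.100.9", mech="PLAIN") for i in range(3)]
    # A normal connect line: no "warning:" and no failure, so it must not match.
    lines.append("Feb  6 05:40:00 mail02 postfix/submission/smtpd[2459]: "
                 "connect from client.example[192.0.2.5]")
    # Caveat: the (\d+\.\d+\.\d+\.\d+) capture never matches an IPv6 client.
    lines.append(tmpl.format(i=9, ip="2001:db8::1", mech="LOGIN"))
    return lines


if __name__ == "__main__":
    blocks, counts = simulate_lfd(sample_lines())
    for ip, (ports, how) in blocks.items():
        print(f"would block {ip} on ports {ports} ({how})")
    print("failure counts:", dict(counts))
```

With these inputs only 203.0.113.7 reaches ten hits and would be blocked permanently on 25,465,587; 198.51.100.9 stays at three, and the IPv6 client is never counted at all, which is worth knowing if the server accepts submission over IPv6.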
Re: CSF/LFD Does not automatically block IPs
Or simply change SMTPAUTH_LOG in csf.conf:
SMTPAUTH_LOG = "/var/log/mail.log"