lfd Dynamic DNS entries are generating remote access reports

MindStar · Post by **MindStar** » 01 Jun 2008, 12:13

Hi,

A couple of versions ago, something changed with the way that CSF treats hostnames listed in the lfd Dynamic DNS.

I am now receiving email alerts of the form[INDENT] lfd: SSH login alert for user XXXXX from AAA.BBB.CCC.DDD (Unknown)
[/INDENT]each time I login to the server from this IP addresss, which one of the hostnames listed in the lfd Dynamic DNS list resolves to.

I've double-checked the IP addresses and that I can resolve the dynamic dns hostname on the server. Is there some other configuration option that I need to set?

Thanks.

Post by **chirpy** » 05 Jun 2008, 10:33

That's perfectly normal. The DYNDNS feature allows the IP through iptables, it doesn't affect lfd at all.

MindStar · Post by **MindStar** » 05 Jun 2008, 11:59

Hmmm. The thing is that it wasn't generating access reports/alerts until recently

i.e. I could log in from a remote IP that was registered with a DynDNS hostname and CSF did not send an access report/alert.

Post by **chirpy** » 11 Jun 2008, 16:46

That's because the regex's were recently improved to pick up SSH logins correctly.

MindStar · Post by **MindStar** » 11 Jun 2008, 16:56

OK. Would it be possible to whitelist some or all of the DynDNS hosts?

Thanks.

Post by **chirpy** » 11 Jun 2008, 17:08

Not at present, because lfd doesn't support ignoring of DYNDNS entries - that only applies to csf and the building of the iptables rules. I'll look a adding an option to csf.conf to additionally ignore DYNDNS entries.

MindStar · Post by **MindStar** » 11 Jun 2008, 17:26

Thanks, I think it could be a popular feature

MindStar · Post by **MindStar** » 12 Jun 2008, 21:51

I see that you've incorporated this into the latest release, and it works a treat. Thanks!

:):)