How to automatically block IPs
Posted: 06 Feb 2018, 07:16
Hi all,
I have a Debian 9 server with all the latest patches and the latest version of CSF/LFD. Just a standard configuration with one IP number, no crazy things.
I want to automatically block IPs when they try to break in. I thought CSF/LFD did this out of the box, but still I wake up with 600 of the below alert mails:
Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
I do not understand because I thought the below configuration would automatically block. What am I doing wrong?
LF_DAEMON = "1"
LF_CSF = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
Any help is greatly appreciated.
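A way to check which client addresses in a Postfix log reach the LF_SMTPAUTH count quoted in the post, added here as an example (it is not part of the original post and is not CSF/LFD's own matching code). The regex, the function names and the 192.0.2.10 sample lines are constructed for illustration, and the count covers the whole sample without modelling any time window.

```python
import base64
import binascii
import re
from collections import Counter

THRESHOLD = 5  # LF_SMTPAUTH value from the post

# Postfix smtpd line: "<host>[<ip>]: SASL <mech> authentication failed: <detail>"
FAIL_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>[\w-]+) authentication failed(?:: (?P<detail>\S+))?"
)

def _line(ts, host, ip):
    return (f"Feb 6 {ts} mail02 postfix/submission/smtpd[2459]: warning: "
            f"{host}[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")

# Constructed sample: six failures shaped like the post's lines, two from a
# documentation-range address, and one line that is not a failure.
SAMPLE_LOG = "\n".join(
    [_line(f"05:3{i}:00", "host90-152-53-250.ipv4.regusnet.com", "90.152.53.250")
     for i in range(6)]
    + [_line(f"05:4{i}:00", "unknown", "192.0.2.10") for i in range(2)]
    + ["Feb 6 05:45:00 mail02 postfix/submission/smtpd[2459]: connect from unknown[192.0.2.10]"]
)

def failures(log_text):
    """Return (ip, mechanism, detail) for every SASL failure line."""
    return [(m["ip"], m["mech"], m["detail"]) for m in FAIL_RE.finditer(log_text)]

def decode_detail(detail):
    """Decode the trailing base64 token; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(detail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, TypeError):
        return None

def offenders(log_text, threshold=THRESHOLD):
    """IPs whose failure count reaches the threshold, with their counts."""
    counts = Counter(ip for ip, _, _ in failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
    print(decode_detail("UGFzc3dvcmQ6"))
```

The trailing token in these log lines decodes to the `Password:` prompt of the SASL LOGIN mechanism, not to a submitted credential.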