LFD failing to block IPs in csf.allow but not in csf.ignore

kevinv1896
Junior Member
Posts: 1
Joined: 22 Aug 2019, 10:30


Post by kevinv1896 »

I'm trying out CSF using Vagrant to test how it works and the configuration I need to do before I apply it to my actual VMs.

I deployed two sandbox VMs: 192.168.33.10 (with CSF) and 192.168.33.11 (a VM that will try to brute-force SSH to 192.168.33.10).

Given /etc/csf.allow:

10.10.10.10
192.168.33.1
172.16.1.1/29
192.168.33.11
And /etc/csf.ignore:

127.0.0.1
10.10.10.10
172.16.1.1/29
And csf.conf:

LF_SSHD = "5"
LF_SSHD_PERM = "1"

I expected LFD to block the IP, but after more than 5 forced failed SSH attempts I can still log in. I expected the firewall to drop all my packets, but I was still receiving password prompts after the earlier failed SSH attempts.

Checking the LFD log, I see this:

Aug 22 09:16:39 ubuntu-bionic lfd[8682]: (sshd) Failed SSH login from 192.168.33.11 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Aug 22 09:16:44 ubuntu-bionic lfd[8715]: *Error*: csf output: deny failed: 192.168.33.11 is in the allow file /etc/csf/csf.allow
Aug 22 09:16:44 ubuntu-bionic lfd[8715]: (sshd) Failed SSH login from 192.168.33.11 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Aug 22 09:17:19 ubuntu-bionic lfd[8839]: *SSH login* from 192.168.33.11 into the kevinv account using password authentication

I am SUPER confused. I read the README and it doesn't tell me much. I thought everything was just straightforward, but it's not doing what I read that it's supposed to do.

The IP is not in /etc/csf.ignore, so I'm not sure why LFD is failing to deny the IP. LFD is not supposed to ignore /etc/csf.allow unless you specify IGNORE_ALLOW="1", which in my case is set to 0.

I've been sinking my nights into the drain figuring this out. This is one of those rare occasions where I created a forum account so I can ask this question, for which I couldn't find the answer in all the forum posts already out there.

Is there a magical setting that I forgot about? Does anyone else have this issue? Or is this actually a bug? Or do I just not understand CSF correctly?

Some points of interest as well, that could help:
* I've used the likg.csf Ansible playbook to install CSF on my VMs.
* My CSF blocks all IPs by default that are not in /etc/csf.allow. It sounds like this is expected behaviour, but I'm not sure if it is right now.
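The log in the post shows the two lists interacting: lfd reaches its LF_SSHD trigger for 192.168.33.11, asks csf to deny it, and csf refuses because the address is in csf.allow. The following is an added example, not CSF's own code, that models that interaction for the poster's lists (plain IP and CIDR entries only; csf's advanced "tcp|in|d=22|s=..." entry format is not handled) and audits which csf.allow entries have no matching csf.ignore entry, which is exactly the combination that produces the repeated "deny failed" errors. The ordering of the checks (ignore first, then allow) is an assumption drawn from the log lines, not from CSF's source.

```python
import ipaddress

# Constructed copies of the two lists quoted in the post above.
CSF_ALLOW = """\
10.10.10.10
192.168.33.1
172.16.1.1/29
192.168.33.11
"""

CSF_IGNORE = """\
127.0.0.1
10.10.10.10
172.16.1.1/29
"""


def parse_entries(text):
    """Return (original_token, ip_network) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            # strict=False so a host address with a prefix (172.16.1.1/29) is accepted
            entries.append((token, ipaddress.ip_network(token, strict=False)))
        except ValueError:
            # advanced csf entries (port/protocol filters) are out of scope here
            continue
    return entries


def matches(ip, entries):
    """True if `ip` is covered by any parsed entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for _, net in entries)


def block_outcome(ip, allow_text=CSF_ALLOW, ignore_text=CSF_IGNORE):
    """Model of what happens when lfd reaches its login-failure trigger for `ip`.

    Assumed behaviour, based on the log lines in the post:
      - an IP in csf.ignore is not tracked, so no block is attempted ("ignored");
      - an IP in csf.allow makes the csf deny fail ("allow-listed"), which is the
        "deny failed: ... is in the allow file" error in the log;
      - anything else is denied.
    """
    if matches(ip, parse_entries(ignore_text)):
        return "ignored"
    if matches(ip, parse_entries(allow_text)):
        return "allow-listed"
    return "denied"


def allow_entries_not_ignored(allow_text=CSF_ALLOW, ignore_text=CSF_IGNORE):
    """Audit helper: csf.allow entries not fully covered by some csf.ignore entry.

    Each entry returned is one lfd will keep trying, and failing, to block.
    """
    ignore = parse_entries(ignore_text)
    uncovered = []
    for token, net in parse_entries(allow_text):
        covered = any(net.version == ign.version and net.subnet_of(ign) for _, ign in ignore)
        if not covered:
            uncovered.append(token)
    return uncovered


if __name__ == "__main__":
    for ip in ("192.168.33.11", "10.10.10.10", "172.16.1.3", "203.0.113.5"):
        print(ip, "->", block_outcome(ip))
    print("allow entries missing from csf.ignore:", allow_entries_not_ignored())
```

Run against the poster's lists, the audit reports 192.168.33.1 and 192.168.33.11 as allow entries with no ignore counterpart, while 10.10.10.10 and the 172.16.1.1/29 block appear in both files and are never tracked at all.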