LFD failing to block IPs in csf.allow but not in csf.ignore
Posted: 22 Aug 2019, 10:49
I'm trying out CSF using Vagrant to test how it works and to test the configuration I need to do before I apply it to my actual VMs.

I deployed two sandbox VMs: 192.168.33.10 (with CSF) and 192.168.33.11 (the VM that will try to brute-force SSH to 192.168.33.10).

Given /etc/csf.allow:

    10.10.10.10
    192.168.33.1
    172.16.1.1/29
    192.168.33.11

And /etc/csf.ignore:

    127.0.0.1
    10.10.10.10
    172.16.1.1/29

And csf.conf:

    LF_SSHD = "5"
    LF_SSHD_PERM = "1"

I expected LFD to block the IP, but after more than 5 forced failed SSH attempts I can still log in. I expected the firewall to drop all my packets, but I was still receiving password prompts after the earlier failed SSH attempts.

Checking the LFD log, I see this:

    Aug 22 09:16:39 ubuntu-bionic lfd[8682]: (sshd) Failed SSH login from 192.168.33.11 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Aug 22 09:16:44 ubuntu-bionic lfd[8715]: *Error*: csf output: deny failed: 192.168.33.11 is in the allow file /etc/csf/csf.allow
    Aug 22 09:16:44 ubuntu-bionic lfd[8715]: (sshd) Failed SSH login from 192.168.33.11 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Aug 22 09:17:19 ubuntu-bionic lfd[8839]: *SSH login* from 192.168.33.11 into the kevinv account using password authentication

I am SUPER confused. I read the README and it doesn't tell me much. I thought everything was straightforward, but it's not doing what I read it's supposed to do.

The IP is not in /etc/csf.ignore, so I'm not sure why LFD is failing to deny the IP. LFD is not supposed to ignore /etc/csf.allow unless you specify IGNORE_ALLOW="1", which in my case is set to 0.

I've been sinking my nights into the drain figuring this out. This is one of those rare occasions where I created a forum account so I can ask this question, for which I couldn't find the answer in all the forum posts already out there.

Is there a magical setting that I forgot about? Does anyone else have this issue? Or is this actually a bug? Or do I just not understand CSF correctly?

Some points of interest as well, that could help:
* I've used the likg.csf Ansible playbook to install CSF on my VMs
* My CSF blocks all IPs by default that are not in /etc/csf.allow. It sounds like this is expected behaviour, but I'm not sure if it is right now.
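Editor's note on the log above: the second lfd line already states why the block did not land. lfd counted the five failures and asked csf to deny 192.168.33.11, and csf answered "deny failed: 192.168.33.11 is in the allow file /etc/csf/csf.allow", because the attacking VM was itself put in csf.allow. csf.ignore is the list lfd does not track at all; csf.allow is the list csf will not deny. The following is an added example, not code from the post and not csf's own code: a small Python model of that precedence that replays constructed sshd log lines against the post's csf.allow, csf.ignore and LF_SSHD = "5". It assumes the syslog year is 2019, treats the lists as plain IP/CIDR entries (csf's extended port/protocol syntax is not handled), keeps IGNORE_ALLOW at 0 as in the post, and approximates lfd's tracking with a simple sliding window of LF_INTERVAL seconds.

```python
"""Model of how lfd's csf.ignore / csf.allow precedence plays out for
sshd brute-force tracking. Added example; not part of the forum post or
of csf. Assumptions are marked in comments."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# File contents copied from the post; threshold from its csf.conf.
CSF_ALLOW = """\
10.10.10.10
192.168.33.1
172.16.1.1/29
192.168.33.11
"""
CSF_IGNORE = """\
127.0.0.1
10.10.10.10
172.16.1.1/29
"""
LF_SSHD = 5          # LF_SSHD = "5" in the post
LF_INTERVAL = 3600   # "in the last 3600 secs" in the post's lfd log line

# Constructed sshd lines (not from the post). 203.0.113.7 is a documentation
# address used here as an attacker that is NOT in csf.allow; its first failure
# is deliberately older than LF_INTERVAL to show the window being applied.
SSHD_LOG = """\
Aug 22 07:00:01 ubuntu-bionic sshd[7001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug 22 09:10:00 ubuntu-bionic sshd[8101]: Failed password for kevinv from 10.10.10.10 port 50001 ssh2
Aug 22 09:10:05 ubuntu-bionic sshd[8102]: Failed password for kevinv from 10.10.10.10 port 50002 ssh2
Aug 22 09:15:30 ubuntu-bionic sshd[8601]: Failed password for kevinv from 192.168.33.11 port 51001 ssh2
Aug 22 09:15:32 ubuntu-bionic sshd[8602]: Failed password for kevinv from 192.168.33.11 port 51002 ssh2
Aug 22 09:15:34 ubuntu-bionic sshd[8603]: Failed password for kevinv from 192.168.33.11 port 51003 ssh2
Aug 22 09:15:36 ubuntu-bionic sshd[8604]: Failed password for invalid user admin from 192.168.33.11 port 51004 ssh2
Aug 22 09:15:40 ubuntu-bionic sshd[8605]: Failed password for root from 203.0.113.7 port 40002 ssh2
Aug 22 09:15:41 ubuntu-bionic sshd[8606]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug 22 09:15:42 ubuntu-bionic sshd[8607]: Failed password for root from 203.0.113.7 port 40004 ssh2
Aug 22 09:15:43 ubuntu-bionic sshd[8608]: Failed password for root from 203.0.113.7 port 40005 ssh2
Aug 22 09:16:39 ubuntu-bionic sshd[8609]: Failed password for kevinv from 192.168.33.11 port 51005 ssh2
Aug 22 09:16:50 ubuntu-bionic sshd[8610]: Failed password for root from 203.0.113.7 port 40006 ssh2
"""

# Standard OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_list(text):
    """Parse csf.allow / csf.ignore as plain IP or CIDR entries.
    '#' comments and blank lines are skipped; a bare address becomes a /32.
    Assumption: csf's extended 'tcp|in|d=22|s=...' entries are not modelled."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def listed(ip, nets):
    """True if ip falls inside any entry of the parsed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_ts(ts, year=2019):
    """Syslog timestamps carry no year; 2019 is assumed from the post date."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def model_lfd(log_text, allow_text=CSF_ALLOW, ignore_text=CSF_IGNORE):
    """Replay sshd failures and return {ip: final decision}.
    'ignored'      - in csf.ignore: lfd never counts the address
    'watching'     - fewer than LF_SSHD failures inside the window
    'deny refused' - threshold hit, but the address is in csf.allow, so the
                     deny fails exactly as the post's lfd log shows
    'blocked'      - threshold hit and the deny goes through"""
    allow, ignore = parse_list(allow_text), parse_list(ignore_text)
    recent = defaultdict(deque)
    decision = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        if listed(ip, ignore):
            decision[ip] = "ignored"
            continue
        if decision.get(ip) == "blocked":
            continue  # already denied; the firewall drops its packets now
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > LF_INTERVAL:
            window.popleft()  # drop failures older than LF_INTERVAL
        if len(window) < LF_SSHD:
            decision[ip] = "watching"
        elif listed(ip, allow):
            decision[ip] = "deny refused: in csf.allow"
        else:
            decision[ip] = "blocked"
    return decision


if __name__ == "__main__":
    for ip, verdict in sorted(model_lfd(SSHD_LOG).items()):
        print(f"{ip:15} {verdict}")
```

In this replay 192.168.33.11 reaches the threshold and ends as "deny refused: in csf.allow", which is the post's situation; 203.0.113.7 ends as "blocked" (its stale 07:00 failure is outside the window, so the fifth counted failure is the one at 09:16:50); and 10.10.10.10 is never counted because it is in csf.ignore. To make the brute-force test meaningful on the real VMs, the attacking address must not be in csf.allow, otherwise csf will keep refusing the deny as the log shows.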