LFD log does not show any problem IP info
Posted: 02 Sep 2020, 18:07
I am trying to figure out why the LFD is not showing or catching any IPs that have been failing authentication. I have had a lot of unauthorized IPs trying to log in to mail, FTP, SSH etc. but they never show up in the LFD log, nor do they appear in the CSF deny list. I can manually add them to the deny list and they are then blocked, but I can't figure out why this is not being done automatically. This is what I see in the LFD log after restarting it.
Sep 2 08:25:27 server lfd[30221]: Main Process: TERM
Sep 2 08:25:27 server lfd[30221]: daemon stopped
Sep 2 08:25:28 server lfd[11076]: daemon started on server.mydomain.net - csf v14.04 (generic)
Sep 2 08:25:29 server lfd[11076]: LF_APACHE_ERRPORT: Set to [2]
Sep 2 08:25:29 server lfd[11076]: Restricting syslog/rsyslog socket acccess to group [mysyslog]...
Sep 2 08:25:29 server lfd[11076]: CSF Tracking...
Sep 2 08:25:29 server lfd[11076]: IPv6 Enabled...
Sep 2 08:25:29 server lfd[11076]: LOAD Tracking...
Sep 2 08:25:29 server lfd[11076]: Country Code Lookups...
Sep 2 08:25:29 server lfd[11076]: System Integrity Tracking...
Sep 2 08:25:29 server lfd[11076]: Exploit Tracking...
Sep 2 08:25:29 server lfd[11076]: Directory Watching...
Sep 2 08:25:29 server lfd[11076]: Temp to Perm Block Tracking...
Sep 2 08:25:29 server lfd[11076]: Netblock Tracking...
Sep 2 08:25:29 server lfd[11076]: Process Tracking...
Sep 2 08:25:29 server lfd[11076]: Account Tracking...
Sep 2 08:25:29 server lfd[11076]: SSH Tracking...
Sep 2 08:25:29 server lfd[11076]: Webmin Tracking...
Sep 2 08:25:29 server lfd[11076]: SU Tracking...
Sep 2 08:25:29 server lfd[11076]: Console Tracking...
Sep 2 08:25:29 server lfd[11076]: Watching /var/log/maillog...
Sep 2 08:25:29 server lfd[11076]: Watching /var/log/messages...
Sep 2 08:25:29 server lfd[11076]: Watching /var/log/secure...
Sep 2 08:25:29 server lfd[11076]: Watching /var/log/customlog...
Sep 2 08:25:29 server lfd[11076]: Watching /var/log/httpd/error_log...
This was restarted 1.5 hours ago. It is now 10:05.
The LFD does report changed files and emails me those, so I know it is doing part of what it is supposed to do. I just can't figure out the issue with it not reporting abusive IPs.
My other server appears to be working as expected. Both are CentOS 7.
I'm pretty sure it was working properly previously but I have no idea when it stopped working as expected. I only realized the problem when I was investigating a spamming issue.
Does anyone have any suggestions?
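An added shell helper, not from the original post and not part of csf/lfd, for the two things a practitioner would rule out first when lfd blocks nothing automatically: whether the per-service login-failure triggers in csf.conf are enabled, and whether the watched log files are actually receiving fresh authentication-failure lines (the post's lfd log shows syslog socket access restricted to a group, so a log that nothing writes to any more is worth checking). The trigger names LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D and LF_IMAPD are real csf.conf keys; the failure-line patterns, the demo config, the sample log lines and the temp-directory paths are assumptions constructed here, and the `find -mmin` test assumes GNU or BSD find.

```shell
#!/bin/sh
# Added diagnostic helper (not csf/lfd code). Reads csf.conf-style settings and
# checks whether a watched log really contains recent auth failures.

# Print the value of KEY from a csf.conf-style file (lines look like: KEY = "value").
csf_setting() {
    key=$1; conf=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Count how many per-service login-failure triggers are "0" (disabled) or unset.
# These are real csf.conf keys; a value of 0 turns that service's check off.
disabled_triggers() {
    conf=$1; n=0
    for k in LF_SSHD LF_FTPD LF_SMTPAUTH LF_POP3D LF_IMAPD; do
        v=$(csf_setting "$k" "$conf")
        if [ -z "$v" ] || [ "$v" = "0" ]; then
            echo "$k is disabled or unset" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count lines in LOG that look like authentication failures. The patterns are an
# assumption covering common sshd/vsftpd/dovecot/exim wording, not lfd's own regexes.
count_auth_failures() {
    grep -c -E 'Failed password|authentication failure|FAIL LOGIN|auth failed|Authentication failed' "$1" || true
}

# Succeed (exit 0) if LOG was modified within the last MINUTES minutes.
# A watched log that nothing writes to is the simplest reason lfd never sees a
# failure, e.g. when the syslog socket is restricted to a group the logger is not in.
log_recently_written() {
    log=$1; minutes=$2
    [ -n "$(find "$log" -mmin "-$minutes" 2>/dev/null)" ]
}

# --- constructed demo data (not taken from the original post) ---
demo=$(mktemp -d)
cat > "$demo/csf.conf" <<'EOF'
LF_TRIGGER = "0"
LF_SSHD = "5"
LF_FTPD = "0"
LF_SMTPAUTH = "5"
LF_POP3D = "0"
LF_IMAPD = "0"
SSHD_LOG = "/var/log/secure"
EOF
cat > "$demo/secure" <<'EOF'
Sep  2 09:12:01 server sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Sep  2 09:12:04 server sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Sep  2 09:13:40 server sshd[4020]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
EOF
# An empty log whose mtime is set far in the past, standing in for a log nothing writes to.
: > "$demo/customlog"
touch -t 202009020800 "$demo/customlog"

echo "disabled triggers: $(disabled_triggers "$demo/csf.conf" 2>/dev/null)"
echo "auth failures in secure: $(count_auth_failures "$demo/secure")"
if log_recently_written "$demo/secure" 5; then echo "secure: written recently"; else echo "secure: stale"; fi
if log_recently_written "$demo/customlog" 5; then echo "customlog: written recently"; else echo "customlog: stale"; fi
```

On a real host you would point `disabled_triggers` at /etc/csf/csf.conf and `count_auth_failures` / `log_recently_written` at each path lfd reports as "Watching" in its startup lines; a watched log that counts zero failures while the services are demonstrably under attack, or that has not been written in minutes, points at the logging path rather than at lfd itself.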