Still getting blocked notifications despite setting

maestroc
Junior Member
Posts: 13
Joined: 10 Nov 2013, 20:01

Still getting blocked notifications despite setting

Post by maestroc »

I have the LF_PERMBLOCK_ALERT set to OFF and have saved and reloaded CSF. Still, even after turning it off I am getting dozens of PERMBLOCK alerts in my inbox every day like the one pasted below. Am I missing some other setting that I have to change to stop CSF from sending me all of these?

Time: Thu Apr 1 02:45:29 2021 -0400
IP: 186.206.129.189 (BR/Brazil/bace81bd.virtua.com.br)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]

Log entries:

Apr 1 02:18:11 bravo sshd[10583]: Invalid user deploy from 186.206.129.189 port 48769
Apr 1 02:18:13 bravo sshd[10583]: Failed password for invalid user deploy from 186.206.129.189 port 48769 ssh2
Apr 1 02:42:31 bravo sshd[12569]: Invalid user www from 186.206.129.189 port 32863
Apr 1 02:42:33 bravo sshd[12569]: Failed password for invalid user www from 186.206.129.189 port 32863 ssh2
Apr 1 02:45:28 bravo sshd[12883]: Invalid user ubuntu from 186.206.129.189 port 52332
miels
Junior Member
Posts: 1
Joined: 26 Apr 2021, 07:26

Re: Still getting blocked notifications despite setting

Post by miels »

Same here:

LF_PERMBLOCK_ALERT set to OFF
Restarted CSF and LFD (several times by now)
Still getting the alerts by mail

CentOS 7.9
cPanel v94.0.5
CSF v14.09

Just moved to a new server and installed CSF only 2 days ago, so can't say it worked ok before (nor what has changed since).
Planning to move to non-default SSH-port later today which will reduce the number of alerts anyway, but thought it would be wise to file this anyway.

Still receiving emails like these:

Time: Mon Apr 26 07:43:54 2021 +0200
IP: 179.43.176.42 (BE/Belgium/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]

Log entries:

Apr 26 07:42:59 server sshd[28585]: Did not receive identification string from 179.43.176.42 port 48868
Apr 26 07:43:26 server sshd[28601]: Invalid user admin from 179.43.176.42 port 44226
Apr 26 07:43:32 server sshd[28608]: Invalid user admin from 179.43.176.42 port 54784
Apr 26 07:43:39 server sshd[28610]: Invalid user ubuntu from 179.43.176.42 port 37110
Apr 26 07:43:52 server sshd[28615]: Invalid user user from 179.43.176.42 port 58226
Last edited by miels on 26 Apr 2021, 07:57, edited 1 time in total.
maestroc
Junior Member
Posts: 13
Joined: 10 Nov 2013, 20:01

Re: Still getting blocked notifications despite setting

Post by maestroc »

I'm having this same problem on another server as well, one that just was spun up a few days ago. On both systems I have this in the config:

LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = "0"

But even after restarting LFD and CSF I still get dozens of notifications every hour from both systems.

CentOS 7.9
CSF 14.10
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Still getting blocked notifications despite setting

Post by Sergio »

I did the following:
1. Open webmail
2. Open the email account where the emails are received.
3. Create a new filter.
4. On the filter check for body containing: Blocked: Permanent Block [LF_SSHD]
5. On the action line choose delete.

You can set up your filter as you like; mine has a few other things, like which countries I really want to know about when they try to access SSH.

Doing this, you will not receive any more emails like that.

Sergio
maestroc
Junior Member
Posts: 13
Joined: 10 Nov 2013, 20:01

Re: Still getting blocked notifications despite setting

Post by maestroc »

I know I can do the auto-delete thing, however doing so only masks the problem that CSF is still sending stuff out when according to the settings it shouldn't be.

I have been hesitant to do it this way as I am concerned that training Gmail to auto-delete stuff from a domain might cause it to classify legitimate, important messages from the server as spam.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Still getting blocked notifications despite setting

Post by Sergio »

OK, this has been pointed out for a long time, and if it is not set we have to do what we can to fix it on our side.

On the other hand, what I wrote is not for Google. The filter that I am talking about is made in cPanel, and the filter will take precedence before the email leaves the server to Google.

Sergio
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Still getting blocked notifications despite setting

Post by ForumAdmin »

There appears to be a complete lack of understanding of the LF_PERMBLOCK feature. As explained in csf.conf:

###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature

This feature is used to permanently block IPs that have already been temporarily blocked in the past based on the configured settings in this section. It has nothing at all to do with other permanent blocks, and setting LF_PERMBLOCK_ALERT will have no effect whatsoever on other options that permanently block IP addresses. It only stops email alerts for this particular temp to perm option. You have to look elsewhere if you want to disable alert emails from other options that block IP addresses.
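
The bracketed name on the "Blocked:" line of each mail identifies the trigger that produced it, which is the name to search csf.conf for. The following is an added example (not from the thread or from CSF) that tallies alerts by that trigger and lists the *_ALERT settings found in a csf.conf-style file; the function names are hypothetical and the sample mail and config are constructed from the layout and values posted above.

```python
import re
from collections import Counter

# Constructed sample: two alert bodies in the layout quoted in this thread.
SAMPLE_MAIL = """\
Time: Thu Apr 1 02:45:29 2021 -0400
IP: 192.0.2.10 (-/-/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]

Time: Mon Apr 26 07:43:54 2021 +0200
IP: 198.51.100.7 (-/-/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
"""
# Constructed csf.conf-style excerpt with the values posted in the thread.
SAMPLE_CONF = 'LF_PERMBLOCK = "1"\nLF_PERMBLOCK_COUNT = 4\nLF_PERMBLOCK_ALERT = "0"\n'

FIELD_RE = re.compile(r"^(Time|IP|Failures|Interval|Blocked):[ \t]*(.*)$", re.M)
BLOCKED_RE = re.compile(r"^(.*?)\s*\[([A-Z0-9_]+)\]$")
SETTING_RE = re.compile(r'^[ \t]*([A-Z0-9_]+)[ \t]*=[ \t]*"?([^"#\n]*?)"?[ \t]*$', re.M)

def parse_alerts(text):
    """One dict per alert; a 'Time:' line starts a new alert."""
    alerts = []
    for name, value in FIELD_RE.findall(text):
        if name == "Time":
            alerts.append({})
        if alerts:
            alerts[-1][name] = value.strip()
    for a in alerts:
        m = BLOCKED_RE.match(a.get("Blocked", ""))
        a["trigger"] = m.group(2) if m else None  # name inside [...]
    return alerts

def parse_conf(text):
    """NAME = "value" pairs; comment lines do not match and are skipped."""
    return dict(SETTING_RE.findall(text))

def report(mail_text, conf_text):
    """Count alerts per trigger and list the *_ALERT settings in the config."""
    triggers = Counter(a["trigger"] for a in parse_alerts(mail_text))
    alert_opts = {k: v for k, v in parse_conf(conf_text).items() if k.endswith("_ALERT")}
    return triggers, alert_opts

if __name__ == "__main__":
    print(report(SAMPLE_MAIL, SAMPLE_CONF))
```

On the sample data every alert carries the LF_SSHD trigger, while the only alert setting present in the excerpt is LF_PERMBLOCK_ALERT, which belongs to the temp-to-perm section.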