Still getting blocked notifications despite setting
Posted: 02 Apr 2021, 02:37
by maestroc
I have the LF_PERMBLOCK_ALERT set to OFF and have saved and reloaded CSF. Still, even after turning it off I am getting dozens of PERMBLOCK alerts in my inbox every day like the one pasted below. Am I missing some other setting that I have to change to stop CSF from sending me all of these?
Time: Thu Apr 1 02:45:29 2021 -0400
IP: 186.206.129.189 (BR/Brazil/bace81bd.virtua.com.br)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Apr 1 02:18:11 bravo sshd[10583]: Invalid user deploy from 186.206.129.189 port 48769
Apr 1 02:18:13 bravo sshd[10583]: Failed password for invalid user deploy from 186.206.129.189 port 48769 ssh2
Apr 1 02:42:31 bravo sshd[12569]: Invalid user www from 186.206.129.189 port 32863
Apr 1 02:42:33 bravo sshd[12569]: Failed password for invalid user www from 186.206.129.189 port 32863 ssh2
Apr 1 02:45:28 bravo sshd[12883]: Invalid user ubuntu from 186.206.129.189 port 52332
Re: Still getting blocked notifications despite setting
Posted: 26 Apr 2021, 07:34
by miels
Same here:
LF_PERMBLOCK_ALERT set to OFF
Restarted CSF and LFD (several times by now)
Still getting the alerts by mail
CentOS 7.9
cPanel v94.0.5
CSF v14.09
Just moved to a new server and installed CSF only 2 days ago, so can't say it worked ok before (nor what has changed since).
Planning to move to non-default SSH-port later today which will reduce the number of alerts anyway, but thought it would be wise to file this anyway.
Still receiving emails like these:
Time: Mon Apr 26 07:43:54 2021 +0200
IP: 179.43.176.42 (BE/Belgium/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Apr 26 07:42:59 server sshd[28585]: Did not receive identification string from 179.43.176.42 port 48868
Apr 26 07:43:26 server sshd[28601]: Invalid user admin from 179.43.176.42 port 44226
Apr 26 07:43:32 server sshd[28608]: Invalid user admin from 179.43.176.42 port 54784
Apr 26 07:43:39 server sshd[28610]: Invalid user ubuntu from 179.43.176.42 port 37110
Apr 26 07:43:52 server sshd[28615]: Invalid user user from 179.43.176.42 port 58226
Re: Still getting blocked notifications despite setting
Posted: 29 Jun 2021, 22:41
by maestroc
I'm having this same problem on another server as well, one that just was spun up a few days ago. On both systems I have this in the config:
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = "0"
But even after restarting LFD and CSF I still get dozens of notifications every hour from both systems.
CentOS 7.9
CSF 14.10
Re: Still getting blocked notifications despite setting
Posted: 01 Jul 2021, 15:10
by Sergio
I did the following:
1. Open webmail
2. Open the email account where the emails are received.
3. Create a new filter.
4. On the filter check for body containing: Blocked: Permanent Block [LF_SSHD]
5. On the action line choose delete.
You can set up your filter as you like; mine has a few other things, like which countries I really want to know about when they try to access SSH.
Doing this, you will not receive any more emails like that.
Sergio
Re: Still getting blocked notifications despite setting
Posted: 01 Jul 2021, 16:03
by maestroc
I know I can do the auto-delete thing, however doing so only masks the problem that CSF is still sending stuff out when according to the settings it shouldn't be.
I have been hesitant to do it this way as I am concerned that training gmail to auto-delete stuff from a domain might cause it to classify legitimate, important messages from the server as spam.
Re: Still getting blocked notifications despite setting
Posted: 01 Jul 2021, 17:11
by Sergio
ok,
this has been pointed out for a long time, and if it is not set we have to do what we can to fix it on our side.
On the other hand, what I wrote is not for Google; the filter that I am talking about is made in cPanel, and the filter will take precedence before the email leaves the server to Google.
Sergio
Re: Still getting blocked notifications despite setting
Posted: 01 Jul 2021, 17:20
by ForumAdmin
There appears to be a complete lack of understanding of the LF_PERMBLOCK feature. As explained in csf.conf:
###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
This feature is used to permanently block IPs that have already been temporarily blocked in the past based on the configured settings in this section. It has nothing at all to do with other permanent blocks, and setting LF_PERMBLOCK_ALERT will have no effect whatsoever on other options that permanently block IP addresses. It only stops email alerts for this particular temp to perm option. You have to look elsewhere if you want to disable alert emails from other options that block IP addresses.
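Added example, not part of any post in this thread and not CSF's own code: a small script that reads the option tag in an alert's "Blocked:" line (here LF_SSHD, not the temp to perm feature) and lists every *_ALERT option still enabled in a csf.conf-style file. The function names are hypothetical, and the LF_SSHD, LF_SSHD_PERM and LF_EMAIL_ALERT lines in the sample config, with their values, are assumed rather than taken from the posters' servers.

```python
import re

# Constructed sample: the four LF_PERMBLOCK lines are the ones posted in the
# thread; the last three lines and their values are assumed for illustration.
SAMPLE_CONF = '''
# Temporary to Permanent IP blocking
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_EMAIL_ALERT = "1"
'''

# Two lines of the alert body pasted in the first post.
SAMPLE_ALERT = '''Failures: 5 (sshd)
Blocked: Permanent Block [LF_SSHD]
'''

# NAME = "value" or NAME = value, with an optional trailing comment.
SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$')
BLOCKED = re.compile(r'^Blocked:\s*(.+?)\s*\[(\w+)\]\s*$', re.M)

def parse_conf(text):
    """Return {NAME: value}; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def alert_trigger(body):
    """Return (block type, option tag) from the Blocked: line, or None."""
    m = BLOCKED.search(body)
    return (m.group(1), m.group(2)) if m else None

def enabled_alerts(conf):
    """Names of *_ALERT options whose value is neither empty nor 0."""
    return sorted(k for k, v in conf.items()
                  if k.endswith("_ALERT") and v not in ("", "0"))

def diagnose(conf, body):
    """Tie one alert back to the option named in its Blocked: line."""
    kind, tag = alert_trigger(body) or (None, None)
    return {"block": kind, "trigger": tag, "trigger_value": conf.get(tag),
            "alerts_still_on": enabled_alerts(conf)}

if __name__ == "__main__":
    print(diagnose(parse_conf(SAMPLE_CONF), SAMPLE_ALERT))
```

To check a real server, pass the contents of its csf.conf and one saved alert email to diagnose() in place of the samples.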