lfd alerts sent for allowed IPs

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
webignition
Junior Member
Posts: 2
Joined: 19 Feb 2007, 22:06

Post by webignition »

I've allowed an IP of a client who often generates pop3 login failures due to there being many users at a single location.

If they do something that would result in them getting blocked, such as repeat pop3 login failures, lfd still picks this behaviour up and sends me an email as would be received when an IP gets blocked.

It doesn't really matter since the IP doesn't get blocked, however I think this still counts as a problem for two reasons:

1) It's a bug as the alert email specifically states that the IP was blocked when it wasn't

2) It's inefficient. Since an email alert is generated, I assume lfd is still taking into consideration log file lines that contain an allowed IP. Should lfd not ignore log file lines if an allowed IP is present? Or would doing so end up needing further resources (by having to check each log file line against a list of allowed IPs)?

It's not really much of a concern at all but thought I'd bring it up in case it hasn't been spotted before.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

In those cases you should really add the IP address to /etc/csf/csf.ignore as well so that lfd ignores them.

The reasoning is that csf.allow and csf.deny are used to generate the iptables chains. In contrast, csf.ignore (and all the other ignore files) are used by lfd to determine whether to block/alert based on the ignore file contents.
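
An added example, not part of the original posts and not csf's own code: a small shell check for the situation described above, listing plain address entries in csf.allow that have no identical line in csf.ignore. The function names and sample addresses are constructed for illustration, and the comparison is textual, so a single IP is not matched against a covering CIDR range.

```shell
#!/bin/sh
# Added example: find addresses that are allowed through iptables (csf.allow)
# but that lfd will still alert on because they are not in csf.ignore.

# Print the bare IP/CIDR entries of a csf list file, one per line, sorted.
# Strips "#" comments and surrounding whitespace; skips Include lines and
# advanced "proto|dir|port|ip" rules, which are not plain address entries.
csf_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^$' -e '^Include' -e '|' |
        LC_ALL=C sort -u
}

# Print entries present in the allow file ($1) but missing from the ignore file ($2).
allowed_not_ignored() {
    allow_tmp=$(mktemp)
    ignore_tmp=$(mktemp)
    csf_entries "$1" > "$allow_tmp"
    csf_entries "$2" > "$ignore_tmp"
    LC_ALL=C comm -23 "$allow_tmp" "$ignore_tmp"
    rm -f "$allow_tmp" "$ignore_tmp"
}

# Demonstration on constructed sample files (documentation address ranges,
# not real configuration).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# clients' \
        '192.0.2.10 # office with many POP3 users' \
        '198.51.100.7' \
        'tcp|in|d=22|s=203.0.113.5' > "$dir/csf.allow"
    printf '%s\n' '127.0.0.1' '198.51.100.7' > "$dir/csf.ignore"
    allowed_not_ignored "$dir/csf.allow" "$dir/csf.ignore"
    rm -rf "$dir"
}

demo
```

On a csf host the same check would be run as `allowed_not_ignored /etc/csf/csf.allow /etc/csf/csf.ignore`; any address it prints is one lfd can still send alerts for.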
webignition
Junior Member
Posts: 2
Joined: 19 Feb 2007, 22:06

Post by webignition »

Thanks for the advice Chirpy!