CSF not blocking brute-force attempt.

Posted: 29 Dec 2013, 22:24
by goluhaque
We are currently undergoing a brute-force attempt by various IP addresses (looks like a botnet to me). CSF has blocked all IPs whenever the no. of authentication failures due to wrong password exceeds 3. However, recently we have been getting a different type of error, and despite lots of attempts from the same IP, it is not getting blocked by CSF.

Code:

Dec 29 15:22:44 ud01 sshd[8459]: Received disconnect from 114.80.246.194: 11: Normal Shutdown, Thank you for playing
Dec 29 15:22:46 ud01 sshd[8465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.80.246.194  user=root

P.S. I have recently added a custom lfd rule to regex.custom.pm. Is that causing the problem (of CSF not blocking those IPs)?

Re: CSF not blocking brute-force attempt.

Posted: 30 Dec 2013, 17:11
by ForumAdmin
I just tested the second line that you posted and it is detected by lfd, so I do not know where your problem is, so long as you are pointing SSHD_LOG to the correct log file in /etc/csf/csf.conf, unless it's being ignored, in which case see /var/log/lfd.log.

Re: CSF not blocking brute-force attempt.

Posted: 30 Dec 2013, 20:52
by goluhaque
Checked csf.conf. SSHD_LOG is correctly pointed to /var/log/secure. /var/log/lfd.log is completely empty. Is this strange?

EDIT: Just decided to check whether lfd was running. IT WAS NOT. BIG MISTAKE. Turns out that the custom rule had a compilation error and lfd did not restart because of that. Thanks anyway.
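As an added example (not code from this thread or from CSF/lfd itself), the following Python mirrors what an lfd rule for the pam_unix line above has to do: match the sshd "authentication failure" record, capture the rhost= value, count failures per host and report those exceeding the thread's trigger of 3. The log text is constructed from the two lines quoted above plus extra failures and a second host in the 192.0.2.0/24 documentation range; the threshold and function names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/secure format quoted in the thread.
# The "Received disconnect" line is a disconnect notice, not a failure.
SAMPLE_LOG = """\
Dec 29 15:22:44 ud01 sshd[8459]: Received disconnect from 114.80.246.194: 11: Normal Shutdown, Thank you for playing
Dec 29 15:22:46 ud01 sshd[8465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.80.246.194  user=root
Dec 29 15:22:49 ud01 sshd[8471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.80.246.194  user=root
Dec 29 15:22:52 ud01 sshd[8477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.80.246.194  user=root
Dec 29 15:22:55 ud01 sshd[8480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.80.246.194  user=root
Dec 29 15:23:01 ud01 sshd[8483]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=admin
"""

# Anchored like a line-by-line lfd rule: syslog timestamp and host, the sshd
# process tag, the pam_unix failure text, then the rhost= value (one capture).
PAM_FAILURE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+sshd\[\d+\]: pam_unix\(sshd:auth\): "
    r"authentication failure;.*?\brhost=(\S+)"
)


def failures_per_host(log_text):
    """Count pam_unix authentication failures per remote host (rhost=)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PAM_FAILURE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_block(log_text, threshold=3):
    """Hosts whose failure count exceeds the trigger (3 on the thread's server)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n > threshold)


if __name__ == "__main__":
    counts = failures_per_host(SAMPLE_LOG)
    for host in hosts_to_block(SAMPLE_LOG):
        print(f"block {host}: {counts[host]} failures")
```

Whatever the rule matches, it only runs if lfd itself is up, which is the check that resolved this thread.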