LFD not automatically blocking ips

[yoursrazi]

We are receiving hundreds of email notifications similar to the one pasted below.
-----------------------------------------------------------------------------------------------------
5 failed login attempts to account ACCOUNT NAME
(smtp) -- Large number of attempts from this IP: 61.245.163.1
Origin Country: Sri Lanka (LK)

Please use the following links to add to the black list:

Single IP: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.163.1
/24: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.163.0/24
/16: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.0.0/16

-----------------------------------------------------------------------------------------------------

They were initially coming from China. We blocked China in ConfigServer Firewall using CC_DENY.

Now they are coming from different countries from different IPs. It is not feasible to block each single IP address we receive a notification about.

The status of Login Failure Daemon (LFD) is RUNNING. However, the var/log/lfd.log file does not contain the ip addresses mentioned in the email notifications. The LFD part of CSF Firewall doesn't seem to be blocking any unwanted activity.

Our config (almost all default) is as below:

LF_DEAMON = 1
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_EMAIL_ALERT = 1
LF_SSHD = 5
LF_SSHD_PERM = 1
LF_FTPD = 10
LF_FTPD_PERM = 1

Please advise if there is anything else that we need to set to automatically block attacker ips.

[ssaber]

I'm having the same problem. Every week I've been getting somewhere near 15-25K notification emails from CPHulk saying "Large Number of Failed Login Attempts from" X IP and when I go to block that IP with CSF using csf -d IP it doesn't say that it is already blocked. I have all the default settings set but it doesn't appear that CSF is actually blocking anything. Any tips would be appreciated, I don't have hours to go through pages & pages of emails and blocking IPs automatically. Do I need to make my own script? Isn't this what CSF+LFD is supposed to do on its own?

[Sergio]

CPHulk is not part of CSF, the emails that you are receiving are not from CSF.

Try to dissable CPHulk and let CSF to do the work and see if that corrects the issue.