LF Temp to Permanent Ban
Posted: 29 Mar 2014, 13:54
Used the web-based configuration manager to set the config for CSF.
I see that there is a setting to take an IP / IP range from a temporary block to a permanent block.
I've enabled this functionality as such:
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
However, I am unsure where these settings are used. In general, what I am looking at doing is setting the config so that if there are invalid logins via FTP, SMTP, IMAP, or POP3 that they will be blocked initially for five minutes (300 seconds). But if the offender tries back four times within 24 hours, then they are blocked for 24 hours. I believe the settings noted above are correct for this.
But I have some confusion with the login failure section - because I only see the options to either permanently block - or provide a time. Example in my config:
LF_TRIGGER = 0 (this is because I want to set a different trigger for each item)
LF_TRIGGER_PERM = 0
LF_FTPD = 3 (block anyone that tries three invalid logins to FTP)
LF_FTPD_PERM = 1 (this is the setting I'm unsure of)
Hopefully my question is clear enough. I just want to make sure that the configuration is set so that initially, any attacker will be blocked for just five minutes (300 seconds) and then upon the fourth attack, they would then be blocked for 24 hours.
Thank you!
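
A csf.conf fragment for the policy described in the post, added here as an example and not taken from the original post or from the CSF project. It relies on the behaviour documented in csf.conf's own comments: with LF_TRIGGER set to "0", an application's _PERM value of "1" means a permanent block and a value greater than "1" means a temporary block of that many seconds. The trigger counts for SMTP, IMAP and POP3 are assumed to match the FTP one.

```conf
# Use per-application triggers instead of one global trigger.
LF_TRIGGER = "0"

# FTP: 3 failed logins trigger a block.
LF_FTPD = "3"
# As posted: "1" blocks permanently on the first trigger.
# LF_FTPD_PERM = "1"
# Corrected: a value greater than "1" is a temporary block in seconds.
LF_FTPD_PERM = "300"

# Same policy for SMTP AUTH, IMAP and POP3 (counts are assumed values).
LF_SMTPAUTH = "3"
LF_SMTPAUTH_PERM = "300"
LF_IMAPD = "3"
LF_IMAPD_PERM = "300"
LF_POP3D = "3"
LF_POP3D_PERM = "300"

# Temporary-to-permanent escalation: lfd counts the temporary blocks an
# IP receives within LF_PERMBLOCK_INTERVAL seconds and, once the
# LF_PERMBLOCK_COUNT threshold is reached, makes the block permanent.
# The escalated block is permanent, not a 24-hour block.
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
```

Restart csf and lfd after editing so the new values take effect.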