CSF Ignoring Configuration
Posted: 03 Mar 2015, 13:04
I have had a look through the forum and (amazingly) didn't find anything that matched - so I guess I used the wrong search term!
I am testing (hence the seemingly strange restrictive values) my SSH Configuration and have these settings:
LF_TRIGGER = "1" (I don't care what service you try to access)
LF_TRIGGER_PERM = "1" (permanently block)
LF_SELECT = "0" (complete block)
LF_SSHD = "1" (active)
LF_SSHD_PERM = "1" (permanent, but shouldn't have any effect due to LF_TRIGGER_PERM)
LF_INTERVAL = 86400 (1 failed login in the last 24 hours)
LF_PARSE = 1 (scan logs every second)
After changing the settings, I run csf -r to re-read the config, and I know this is successful, because it gives me warnings about crazy values (in this case LF_PARSE, but I can put a crazy value in for LF_INTERVAL and it will warn me as well) -> so I know the latest changes are read.
I then tail -f on /var/log/lfd.log, fire up another machine, and start trying to SSH in. My SSHD will let me try a password 3 times - I guess, like fail2ban, 3 password fails == 1 attempt to login?
In any case, I am expecting to be blocked after 1 failure. But no matter what I set the above values to, it always takes 5 SSH attempts to block myself.... In actuality, the block message comes to lfd.log in the middle of the 5th login attempt (i.e.: after two password prompts/inputs, I see the block message in lfd.log and I see from my ssh terminal that I am actually blocked).
I thought this might be due to the LF_PARSE value (hence I set it to 1), but after a failed login, I wait, go make a cup of coffee, watch some cricket, and nope! still not blocked. Which when looking at the lfd.log file is not surprising, as the output on that is:
Failed SSH login from <ip> (hostname): 5 in the last 3600 sec - *Block in csf* [LF_SSHD]
... what? wait! I said 1 failure, in 86400 secs! But at least the actions of CSF match the log, however, it appears CSF is completely ignoring what I want it to do!
In another test, I have two terminals open to the server, one tail -f /var/log/auth.log and one tail -f /var/log/lfd.log, and also the system console tail -f /var/log/lfd.log. From a local terminal on my laptop, I start trying to ssh into the server.
(remember for each ssh user@ip i do, I get 3 password attempts)
After each login attempt (not password entry, but actual calls to ssh user@ip) I put a couple of new lines in the auth.log. I can therefore clearly see the different ssh attempts. And indeed, I do not get blocked until after the first password attempt in the 5th ssh session, no matter what I change.
As I said earlier, when re-reading the config, the sanity parser is at least running on the latest config, but it definitely appears as if csf is not using the config - is it using a cached copy? or am I modifying the wrong values? is this a bug?
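A quick way to tell whether the values in csf.conf are the ones the running lfd is actually applying is to compare the thresholds in the file against the "N in the last T sec" figures lfd writes when it blocks something. The script below is an added example written for this thread, not code from csf or lfd. It parses a csf.conf fragment (constructed to mirror the settings in the post, plus an LF_FTPD line to show the global trigger overriding a per-application value), derives the effective trigger per csf.conf's documented semantics (LF_TRIGGER > 0 is the trigger for every application and the LF_* values become on/off switches; LF_TRIGGER = 0 makes each LF_* value its own trigger level), and then checks each block line in a constructed lfd.log sample against it. The log-line regex is based only on the line quoted in the post; the syslog-style prefix in the sample is an assumption. A mismatch on the interval is unambiguous, because the logged interval is LF_INTERVAL as the running daemon sees it: lfd reads csf.conf when the daemon starts, so changes made after that need an lfd restart (service lfd restart, or csf -ra), not only csf -r.

```python
"""Check whether a running lfd is applying the LF_* thresholds in csf.conf.

Added example for this thread; not csf/lfd code.  Inputs are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed csf.conf excerpt reproducing the post's settings, plus one extra
# application (LF_FTPD) to show the global trigger taking precedence.
CSF_CONF = '''\
# constructed excerpt, not a real csf.conf
LF_TRIGGER = "1"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_INTERVAL = "86400"
LF_PARSE = "1"
LF_SSHD = "1"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
'''

# Constructed lfd.log line.  Only the "N in the last T sec ... [LF_*]" part is
# taken from the post; the syslog-style prefix is an assumption.
LFD_LOG = '''\
Mar  3 12:58:01 host lfd[1234]: (sshd) Failed SSH login from 203.0.113.7 (host.example.net): 5 in the last 3600 sec - *Block in csf* [LF_SSHD]
'''

CONF_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
EVENT_RE = re.compile(
    r'Failed .+? login from (?P<ip>\S+).*?:\s*(?P<count>\d+) in the last '
    r'(?P<interval>\d+) secs?.*?\[(?P<setting>LF_[A-Z0-9_]+)\]')


def parse_csf_conf(text: str) -> Dict[str, str]:
    """Return NAME -> value for every NAME = "value" line, skipping comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        m = CONF_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def effective_trigger(conf: Dict[str, str], setting: str) -> Optional[Tuple[int, int]]:
    """(failures, interval_seconds) lfd should apply for one LF_* setting.

    LF_TRIGGER > 0: global trigger, per-app LF_* is just on (non-zero) / off (0).
    LF_TRIGGER = 0: each LF_* value is its own trigger level (0 = disabled).
    Returns None when the check is disabled.
    """
    global_trigger = int(conf.get("LF_TRIGGER", "0"))
    per_app = int(conf.get(setting, "0"))
    interval = int(conf.get("LF_INTERVAL", "3600"))
    if per_app == 0:
        return None
    return (global_trigger if global_trigger > 0 else per_app, interval)


def parse_lfd_log(text: str) -> List[dict]:
    """Extract ip, failure count, interval and LF_* setting from block lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({"ip": m.group("ip"),
                           "count": int(m.group("count")),
                           "interval": int(m.group("interval")),
                           "setting": m.group("setting")})
    return events


def find_stale_config(conf_text: str, log_text: str) -> List[str]:
    """Report block lines whose threshold cannot come from csf.conf on disk.

    A different interval, or a block below the configured trigger, means the
    running daemon is using other values than the file: restart lfd.  A count
    above the trigger is not flagged, since several failures can land between
    two log parses.
    """
    conf = parse_csf_conf(conf_text)
    problems = []
    for ev in parse_lfd_log(log_text):
        expected = effective_trigger(conf, ev["setting"])
        if expected is None:
            problems.append(f"{ev['setting']}: blocked {ev['ip']} but the check is off in csf.conf")
            continue
        trigger, interval = expected
        if ev["interval"] != interval or ev["count"] < trigger:
            problems.append(f"{ev['setting']}: lfd blocked {ev['ip']} at {ev['count']} in "
                            f"{ev['interval']}s, csf.conf says {trigger} in {interval}s "
                            f"(running lfd is not using this file; restart lfd)")
    return problems


if __name__ == "__main__":
    for problem in find_stale_config(CSF_CONF, LFD_LOG):
        print(problem)
```

Run against the post's own figures (1 in 86400 configured, "5 in the last 3600 sec" logged) it reports exactly one problem; with LF_TRIGGER = "5" and LF_INTERVAL = "3600" in the file it reports none, which is what a correctly reloaded daemon looks like.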