thanks for heads up try changing the 444 regex from Thanks! I'll follow the logs now
Can this functionality be used with the real fail2ban installed via fail2ban.sh, or do I need to make some additional adjustments in order to use both? Would it be a good idea to use both functionalities on the Centmin stack at the same time?
Use one, not both, as I haven't tested both. Fail2ban would have greater control and wider application usage.
I was casually looking through configserver.com and found this screenshot: That made me wonder, is it possible to somehow still respond with an HTTP error page like that when someone with a temp-blocked IP attempts to visit any vhost on the server? As far as I'm aware, right now any blocked IP will simply get a connection timed out, as the server won't even bother responding, or something along those lines. UPDATE: Ah yes. Found the relevant information at https://download.configserver.com/csf/readme.txt, specifically point 14, Messenger Service. There don't seem to be any eva-flavored guides in the forum, so it seems I'll have to stumble through on my own.
Yes, the CSF readme at https://download.configserver.com/csf/readme.txt has a lot of additional info folks should read if they want to learn more about CSF Firewall. It's why it's linked to at the bottom of the official Centmin Mod CSF Firewall page at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS
Hi there, first of all thank you for your helpful forum and exactly this post. I have some problems applying one string from my nginx access.log as a custom regex for CSF. My current log line that I want to match is:
87.227.227.227 - - [13/May/2020:17:49:26 +0200] "GET /player_api.php?username=0232306793&password=SBmMBsOl HTTP/1.1" 200 24 "-" "-"
I want to match exactly: player_api.php and the return of: 200 24. Please help me with a working regex. Thanks !!!
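A way to test such a pattern before putting it in front of a log-watching tool, as an added shell example that is not part of the original post or of CSF: the first sample line is the one from the post, the other three are constructed here, and the regex requires a request for /player_api.php (any method, optional query string) that was answered with status 200 and a 24-byte body, then reports the client IP per matching line and the hit count per IP.

```sh
#!/bin/sh
# Constructed nginx access log sample: line 1 is the one quoted in the post,
# lines 2-4 are made up here to show what must NOT match (different body size,
# different URI) and what must (a POST without a query string).
SAMPLE_LOG='87.227.227.227 - - [13/May/2020:17:49:26 +0200] "GET /player_api.php?username=0232306793&password=SBmMBsOl HTTP/1.1" 200 24 "-" "-"
87.227.227.227 - - [13/May/2020:17:49:27 +0200] "GET /player_api.php?username=foo&password=bar HTTP/1.1" 200 1532 "-" "-"
203.0.113.5 - - [13/May/2020:17:50:01 +0200] "GET /index.php HTTP/1.1" 200 24 "-" "-"
203.0.113.5 - - [13/May/2020:17:50:02 +0200] "POST /player_api.php HTTP/1.1" 200 24 "-" "-"'

# Extended regex (grep -E): dotted-quad client IP at the start of the line,
# then a request line for /player_api.php with an optional ?query,
# then status 200 and exactly 24 response bytes.
PLAYER_API_RE='^([0-9]{1,3}\.){3}[0-9]{1,3} .*"[A-Z]+ /player_api\.php(\?[^" ]*)? HTTP/[0-9.]+" 200 24 '

# Print the client IP of every matching line, one per line.
match_player_api() {
    printf '%s\n' "$1" | grep -E "$PLAYER_API_RE" | cut -d' ' -f1
}

# Aggregate matches per IP (this count is what a block threshold would act on),
# most active IP first.
count_by_ip() {
    match_player_api "$1" | sort | uniq -c | sort -rn
}

# Stand-alone run: show the IPs that matched and the per-IP totals.
match_player_api "$SAMPLE_LOG"
count_by_ip "$SAMPLE_LOG"
```

Feeding real lines through `grep -E` like this is the quickest check that the pattern catches only the response you care about (the 24-byte body) and not ordinary successful player_api.php requests.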
What specific CSF config to modify in order to disable email alerts for Blocked IP? I'm getting 3,000+ attackers per hour and my email inbox is filling up. Thanks!
What type of attacks, login failure alerts? /etc/csf/csf.conf has settings for various attacks. You can also set up an email filter to manage/label/move those emails out of the inbox too. You can see some of them via this grep filter
Code (Text):
grep -in _ALERT -C1 /etc/csf/csf.conf

Code (Text):
39-# logs. These options are:
40:# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
41:# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
42:# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
43:# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT
44-#
--
49-# that, on balance, csf/lfd still provides expected levels of security:
50:# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
51-#
--
652-# reported log file for the reason for the flooding
653:LOGFLOOD_ALERT = "0"
654-
--
662-# Leave this option empty to use the To: field setting in each alert template
663:LF_ALERT_TO = ""
664-
--
669-# Leave this option empty to use the From: field setting in each alert template
670:LF_ALERT_FROM = ""
671-
--
674-# "127.0.0.1". Leave this setting blank to use SENDMAIL
675:LF_ALERT_SMTP = ""
676-
--
705-# Note: The following block types are not reported through this feature:
706:# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
707-X_ARF = "0"
--
750-LF_PERMBLOCK_COUNT = "4"
751:LF_PERMBLOCK_ALERT = "1"
752-
--
769-LF_NETBLOCK_CLASS = "C"
770:LF_NETBLOCK_ALERT = "1"
771-
--
1151-# Send an email alert if an IP address is blocked by one of the [*] triggers
1152:LF_EMAIL_ALERT = "1"
1153-
--
1156-#
1157:# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
1158:LF_TEMP_EMAIL_ALERT = "1"
1159-
--
1257-# this file about RESTRICT_SYSLOG before enabling this option:
1258:LF_SSH_EMAIL_ALERT = "1"
1259-
--
1264-# this file about RESTRICT_SYSLOG before enabling this option:
1265:LF_SU_EMAIL_ALERT = "1"
1266-
--
1275-# this file about RESTRICT_SYSLOG before enabling this option:
1276:LF_SUDO_EMAIL_ALERT = "0"
1277-
--
1281-# this file about RESTRICT_SYSLOG before enabling this option:
1282:LF_WEBMIN_EMAIL_ALERT = "1"
1283-
--
1287-# this file about RESTRICT_SYSLOG before enabling this option:
1288:LF_CONSOLE_EMAIL_ALERT = "1"
1289-
--
1368-# file to report in gigabytes, e.g. set to 5 for 5GB
1369:LF_MODSECIPDB_ALERT = "0"
1370-
--
1563-# Send an email alert if LF_DISTFTP is triggered
1564:LF_DISTFTP_ALERT = "1"
1565-
--
1590-# Send an email alert if LF_DISTSMTP is triggered
1591:LF_DISTSMTP_ALERT = "1"
1592-
--
1633-# per IP
1634:LT_EMAIL_ALERT = "1"
1635-
--
1662-# Send an email alert if an IP address is blocked due to connection tracking
1663:CT_EMAIL_ALERT = "1"
1664-
--
1807-# this option to 0
1808:PT_USERKILL_ALERT = "1"
1809-
--
1931-# "0" to disable them
1932:PS_EMAIL_ALERT = "1"
1933-
--
1968-#
1969:# You can set AT_ALERT to the following:
1970-# 0 = disable this feature
--
1973-# 3 = enable this feature only for the root account
1974:AT_ALERT = "2"
1975-
--
2092-# 0 = disabled
2093:UI_ALERT = "4"
2094-
--
2325-# Set to "0" to disable
2326:RECAPTCHA_ALERT = "1"
2327-
--
2426-# this file about RESTRICT_SYSLOG before enabling this option:
2427:PORTKNOCKING_ALERT = "0"
2428-
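To turn one of those alerts off without hand-editing a 2000-line file, here is an added shell example that is not part of the original post or of CSF. It works on a constructed excerpt that copies the `KEY = "value"` layout visible in the grep output above; the helpers only touch the uncommented assignment line for a key, so comments that mention the same key (like the LF_EMAIL_ALERT note) are left intact. The demo keeps LF_EMAIL_ALERT at "1" and sets only LF_TEMP_EMAIL_ALERT to "0", which drops the per-temp-block mail while, per the comment in the output, permanent-block emails still arrive.

```sh
#!/bin/sh
# Constructed excerpt in the layout of /etc/csf/csf.conf (the real file is much longer).
CSF_SAMPLE='# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
LF_TEMP_EMAIL_ALERT = "1"
LF_PERMBLOCK_ALERT = "1"
CT_EMAIL_ALERT = "1"'

# csf_get FILE KEY: print the current value of KEY without its quotes.
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"
}

# csf_set FILE KEY VALUE: rewrite only the line that starts with `KEY = "`,
# via a temp file and rename so the edit is portable (no GNU-only sed -i)
# and the original file is never left half-written.
csf_set() {
    tmp="$1.tmp.$$"
    sed "s/^\($2 = \)\"[^\"]*\"/\1\"$3\"/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# csf_list_alerts FILE: every *_ALERT option and its value, one per line.
csf_list_alerts() {
    grep -E '^[A-Z0-9_]*_ALERT = ' "$1"
}

# Demo on a throwaway copy; on a real server the FILE would be /etc/csf/csf.conf.
demo() {
    f=$(mktemp)
    printf '%s\n' "$CSF_SAMPLE" > "$f"
    echo "before: LF_TEMP_EMAIL_ALERT=$(csf_get "$f" LF_TEMP_EMAIL_ALERT)"
    csf_set "$f" LF_TEMP_EMAIL_ALERT 0
    echo "after:  LF_TEMP_EMAIL_ALERT=$(csf_get "$f" LF_TEMP_EMAIL_ALERT)"
    csf_list_alerts "$f"
    rm -f "$f"
}

demo
```

After changing the real /etc/csf/csf.conf, the CSF readme linked above documents `csf -r` to restart csf and lfd so the new value takes effect.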
Hello, I'm getting a lot of:
Code:
Jun 18 17:23:13 hostname sshd[31839]: Invalid user admin from 139.59.224.196 port 60008
Jun 18 17:23:15 hostname sshd[31839]: Failed password for invalid user admin from 139.59.224.196 port 60008 ssh2
Jun 18 17:29:20 hostname sshd[32382]: Invalid user mlopez from 139.59.224.196 port 34552
Jun 18 17:29:22 hostname sshd[32382]: Failed password for invalid user mlopez from 139.59.224.196 port 34552 ssh2
Jun 18 17:30:38 hostname sshd[32531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.224.196 user=root
I noticed them when finding out that two rotated maillogs were strangely big (500MB each); it sends a mail every minute. My /var/mail/root has 61706 rows matching "authentication failure":
Code:
cat /var/mail/root | grep "authentication failure" | wc -l
61706
Can I do something to stop them? Every time they get banned the IP is different.
That is the system working as expected. The logs are necessary as some security software may rely on them for monitoring/reporting and firewall-level blocking, i.e. fail2ban and AbuseIPDB reporting (AbuseIPDB API integration) as well as CSF Firewall's own LFD, the login failure daemon (CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS). As to managing root emails, see Getting Started Guide step 18.