Discover Centmin Mod today
Register Now

Featured Security CSF Firewall native fail2ban functionality

Discussion in 'System Administration' started by eva2000, Apr 12, 2018.

  1. fabianski

    fabianski Member

    102
    14
    18
    Feb 20, 2019
    Ratings:
    +36
    Local Time:
    6:45 AM
    Thanks! I'll follow the logs now

     
  2. Lav

    Lav Member

    49
    1
    8
    Feb 23, 2020
    Ratings:
    +1
    Local Time:
    3:15 PM
    1.17.8
    10.3
    Can this functionality be used with the real fail2ban installed via fail2ban.sh or do I need to make some additional adjustments in order to use both?
    Would it be a good idea to use both functionality on centmin stack at the same time?
     
  3. eva2000

    eva2000 Administrator Staff Member

    49,031
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    7:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Use one not both as I haven't tested both. Fail2ban would have greater control and wider application usage
     
  4. BobbyWibowo

    BobbyWibowo Active Member

    197
    42
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +71
    Local Time:
    4:45 PM
    1.17.x
    10.3.x
    I was casually looking through configserver.com and found this screenshot:
    [​IMG]
    That made me wonder, is it possible to somehow still respond with an HTTP error page like that when someone with a temp-blocked IP attempt to visit any vhosts in the server?
    As far as I'm aware, right now any blocked IPs will simply get hit by connection timed out, as the server won't even bother responding or something along that line.

    UPDATE: Ah yes. Found the relevant information on https://download.configserver.com/csf/readme.txt, specifically point 14. Messenger Service. There doesn't seem to be any eva-flavored guides in the forum so it seems I'll have to stumble through by my own :(
     
  5. eva2000

    eva2000 Administrator Staff Member

    49,031
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    7:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Yes the CSF readme at https://download.configserver.com/csf/readme.txt has alot of additional info folks should read if they want to learn more about CSF Firewall. It's why it's linked to at bottom of official Centmin Mod CSF Firewall page at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS :)
     
  6. cheirekov

    cheirekov New Member

    2
    0
    1
    May 14, 2020
    Ratings:
    +0
    Local Time:
    12:45 PM
    Hi there, First of all thank you for your helpful forum and exact this post
    i have some problems to apply one string from my nginx acccess.log to apply custom regex for CSF
    my current log line that i want to match is :
    87.227.227.227 - - [13/May/2020:17:49:26 +0200] "GET /player_api.php?username=0232306793&password=SBmMBsOl HTTP/1.1" 200 24 "-" "-"
    i wan to match exact:
    player_api.php
    and the return of:
    200 24
    please help me for working regex
    Thanks !!!
     
  7. rdan

    rdan Premium Member Premium Member

    5,299
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:45 PM
    Mainline
    10.2
    What specific CSF config to modify in order to disable email alerts for Blocked IP?
    I'm getting 3,000+ attackers per hour and my email inbox is filling up.

    Thanks!
     
  8. eva2000

    eva2000 Administrator Staff Member

    49,031
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    7:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    what type of attacks login failure alerts? /etc/csf/csf.conf has settings for various attacks. You can also setup a email filter to manage/label/move those emails out of the inbox too.

    You can see some of them via this grep filter
    Code (Text):
    grep -in _ALERT -C1 /etc/csf/csf.conf


    Code (Text):
    grep -in _ALERT -C1 /etc/csf/csf.conf
    39-# logs. These options are:
    40:# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
    41:# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
    42:# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
    43:# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT
    44-#
    --
    49-# that, on balance, csf/lfd still provides expected levels of security:
    50:# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
    51-#
    --
    652-# reported log file for the reason for the flooding
    653:LOGFLOOD_ALERT = "0"
    654-
    --
    662-# Leave this option empty to use the To: field setting in each alert template
    663:LF_ALERT_TO = ""
    664-
    --
    669-# Leave this option empty to use the From: field setting in each alert template
    670:LF_ALERT_FROM = ""
    671-
    --
    674-# "127.0.0.1". Leave this setting blank to use SENDMAIL
    675:LF_ALERT_SMTP = ""
    676-
    --
    705-# Note: The following block types are not reported through this feature:
    706:# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
    707-X_ARF = "0"
    --
    750-LF_PERMBLOCK_COUNT = "4"
    751:LF_PERMBLOCK_ALERT = "1"
    752-
    --
    769-LF_NETBLOCK_CLASS = "C"
    770:LF_NETBLOCK_ALERT = "1"
    771-
    --
    1151-# Send an email alert if an IP address is blocked by one of the [*] triggers
    1152:LF_EMAIL_ALERT = "1"
    1153-
    --
    1156-#
    1157:# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
    1158:LF_TEMP_EMAIL_ALERT = "1"
    1159-
    --
    1257-# this file about RESTRICT_SYSLOG before enabling this option:
    1258:LF_SSH_EMAIL_ALERT = "1"
    1259-
    --
    1264-# this file about RESTRICT_SYSLOG before enabling this option:
    1265:LF_SU_EMAIL_ALERT = "1"
    1266-
    --
    1275-# this file about RESTRICT_SYSLOG before enabling this option:
    1276:LF_SUDO_EMAIL_ALERT = "0"
    1277-
    --
    1281-# this file about RESTRICT_SYSLOG before enabling this option:
    1282:LF_WEBMIN_EMAIL_ALERT = "1"
    1283-
    --
    1287-# this file about RESTRICT_SYSLOG before enabling this option:
    1288:LF_CONSOLE_EMAIL_ALERT = "1"
    1289-
    --
    1368-# file to report in gigabytes, e.g. set to 5 for 5GB
    1369:LF_MODSECIPDB_ALERT = "0"
    1370-
    --
    1563-# Send an email alert if LF_DISTFTP is triggered
    1564:LF_DISTFTP_ALERT = "1"
    1565-
    --
    1590-# Send an email alert if LF_DISTSMTP is triggered
    1591:LF_DISTSMTP_ALERT = "1"
    1592-
    --
    1633-# per IP
    1634:LT_EMAIL_ALERT = "1"
    1635-
    --
    1662-# Send an email alert if an IP address is blocked due to connection tracking
    1663:CT_EMAIL_ALERT = "1"
    1664-
    --
    1807-# this option to 0
    1808:PT_USERKILL_ALERT = "1"
    1809-
    --
    1931-# "0" to disable them
    1932:PS_EMAIL_ALERT = "1"
    1933-
    --
    1968-#
    1969:# You can set AT_ALERT to the following:
    1970-# 0 = disable this feature
    --
    1973-# 3 = enable this feature only for the root account
    1974:AT_ALERT = "2"
    1975-
    --
    2092-# 0 = disabled
    2093:UI_ALERT = "4"
    2094-
    --
    2325-# Set to "0" to disable
    2326:RECAPTCHA_ALERT = "1"
    2327-
    --
    2426-# this file about RESTRICT_SYSLOG before enabling this option:
    2427:PORTKNOCKING_ALERT = "0"
    2428-
    
     
  9. rdan

    rdan Premium Member Premium Member

    5,299
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:45 PM
    Mainline
    10.2
    LF_CUSTOMTRIGGER

    I'll try with
    for now.
     
  10. rdan

    rdan Premium Member Premium Member

    5,299
    1,328
    113
    May 25, 2014
    Ratings:
    +2,052
    Local Time:
    5:45 PM
    Mainline
    10.2
    Just an update,
    Works as expected.
     
  11. eva2000

    eva2000 Administrator Staff Member

    49,031
    11,232
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,483
    Local Time:
    7:45 PM
    Nginx 1.21.x
    MariaDB 10.x
    Thanks for the update/info :D