
Security Sysadmin CSF lfd Warning

Discussion in 'System Administration' started by Jimmy, Apr 17, 2017.

  1. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    9:43 PM
    1.13.x
    MariaDB 10.1.x
    Trying to figure out why my one server notifies me every time I log in and the other one doesn't.
    Both are running 09.beta and both are set up the same.

    One server always sends out this email when I log in:
    Code:
    Time: Sun Apr 16 21:23:14 2017 +0000
    IP: XX.XX.XX.XX
    Account: root
    Method: publickey authentication
    My other server with the exact same setup doesn't notify me when I log in.
    1. I've compared the csf.conf from both systems and they're both the same.
    2. I checked all the email settings to make sure they're all the same.

    I checked from both servers (both the same):
    Code:
    # cat /etc/csf/alerts/alert.txt
    Code:
    From: root
    To: root
    Subject: lfd on [hostname]: blocked [ip]
    
    Time:     [time]
    IP:       [ip]
    Failures: [ipcount]
    Interval: [iptick] seconds
    Blocked:  [block]
    
    Log entries:
    
    [text]
    
    Any ideas why one system would send out lfd emails and the other doesn't?
     
  2. Jimmy

    The logins are showing up in the lfd log file, just not sending out an email notification.

    I am getting other system emails - from cron, cmm update, and csf update files I created and run via cron.

    I also tested the outgoing mail via the dkim test and it sent successfully. The only emails not coming out of the system are the lfd emails.
     
    Last edited: Apr 17, 2017
  3. Jimmy

    Figured it out. Everything is working!
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,161
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    11:43 AM
    Nginx 1.13.x
    MariaDB 5.5
    ??? .forward ???
     
  5. Jimmy

    I mostly use VPNs. I installed CMM without being connected to a VPN. So, it logged my home IP in the allow and I was testing / setting up the server without being connected to a VPN. I wasn't getting any notices because my IP was whitelisted via the initial install. As soon as I connected to a VPN and logged in, I got the notice.
     
    • Informative Informative x 1
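
The last post traces the missing alerts to the login IP sitting in CSF's allow list. The following is an added example, not part of the original thread, that reports which list entries cover a given login IP; it assumes the stock CSF list paths `/etc/csf/csf.allow` and `/etc/csf/csf.ignore` with one IP or CIDR per line and `#` comments, and the sample data and `covering_entries` helper are constructed for illustration.

```python
import ipaddress
import sys
from pathlib import Path

# Assumed stock CSF list locations; the thread itself only says "the allow".
LIST_FILES = ("/etc/csf/csf.allow", "/etc/csf/csf.ignore")

# Constructed sample (documentation address ranges, hypothetical Include path).
SAMPLE_ALLOW = """\
# constructed sample allow list
203.0.113.25 # added at install time
198.51.100.0/24 # office range
Include /etc/csf/extra.allow
2001:db8::/32
""".splitlines()


def covering_entries(ip, lines):
    """Return (line_number, entry) pairs whose IP or CIDR contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for number, raw in enumerate(lines, start=1):
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # Include lines, advanced filters, hostnames: not checked
        if addr.version == net.version and addr in net:
            hits.append((number, entry))
    return hits


def main(argv):
    ip = argv[1] if len(argv) > 1 else "203.0.113.25"
    sources = {p: Path(p).read_text().splitlines()
               for p in LIST_FILES if Path(p).is_file()}
    if not sources:  # no CSF lists on this host: fall back to the sample
        sources = {"constructed sample": SAMPLE_ALLOW}
    found = False
    for name, lines in sources.items():
        for number, entry in covering_entries(ip, lines):
            found = True
            print(f"{ip} is covered by {name}:{number}: {entry}")
    if not found:
        print(f"{ip} is not covered by any plain IP or CIDR entry")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the address you log in from, for example the VPN exit IP and then the home IP, to see which one the lists cover.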