
Security Sysadmin CSF lfd Warning

Discussion in 'System Administration' started by Jimmy, Apr 17, 2017.

  1. Jimmy

    Jimmy Well-Known Member

    1,793
    390
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +993
    Local Time:
    6:47 PM
    Trying to figure out why my one server notifies me every time I log in and the other one doesn't.
    Both are running 09.beta and both are set up the same.

    One server always sends out this email when I log in:
    Code:
    Time: Sun Apr 16 21:23:14 2017 +0000
    IP: XX.XX.XX.XX
    Account: root
    Method: publickey authentication
    My other server with the exact same setup doesn't notify me when I log in.
    1. I've compared the csf.conf from both systems and they're both the same.
    2. I checked all the email settings to make sure they're all the same.

    I checked from both servers (both the same):
    Code:
    # cat /etc/csf/alerts/alert.txt
    Code:
    From: root
    To: root
    Subject: lfd on [hostname]: blocked [ip]
    
    Time:     [time]
    IP:       [ip]
    Failures: [ipcount]
    Interval: [iptick] seconds
    Blocked:  [block]
    
    Log entries:
    
    [text]
    
    Any ideas why one system would send out lfd emails and the other doesn't?

     
  2. Jimmy

    The logins are showing up in the lfd log file, just not sending out an email notification.

    I am getting other system emails - from cron, cmm update, and csf update files I created and run via cron.

    I also tested the outgoing mail via the dkim test and it sent successfully. The only emails not coming out of the system are the lfd emails.
     
    Last edited: Apr 17, 2017
  3. Jimmy

    Figured it out. Everything is working!
     
  4. eva2000

    eva2000 Administrator Staff Member

    55,951
    12,283
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,870
    Local Time:
    8:47 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    ??? .forward ???
     
  5. Jimmy

    I mostly use VPNs. I installed CMM without being connected to a VPN. So, it logged my home IP in the allow and I was testing / setting up the server without being connected to a VPN. I wasn't getting any notices because my IP was whitelisted via the initial install. As soon as I connected to a VPN and logged in, I got the notice.
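
The last post traces the missing notices to the login address sitting in the CSF allow list. The following is an added example, not part of the thread: it parses csf.allow-style lines (bare IP, CIDR, or `|`-separated advanced rules with an `s=` source field, each with an optional `# comment`) and reports which entries cover a given login address. The sample file content and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import sys

# Constructed sample in csf.allow format (documentation address ranges only).
SAMPLE_ALLOW = """\
# constructed sample
198.51.100.24 # home address recorded at install time
203.0.113.0/28
tcp|in|d=22|s=192.0.2.10
"""

def entry_networks(line):
    """Return the source networks named by one allow-list line (possibly none)."""
    rule = line.split("#", 1)[0].strip()          # drop trailing comment
    if not rule:
        return []
    fields = rule.split("|")
    # Advanced rule: only the s= (source) field matters for an inbound login.
    candidates = [f[2:] for f in fields if f.startswith("s=")] if len(fields) > 1 else [rule]
    nets = []
    for cand in candidates:
        try:
            nets.append(ipaddress.ip_network(cand.strip(), strict=False))
        except ValueError:
            pass                                   # hostnames or anything unparsable
    return nets

def covering_entries(text, ip):
    """Return (line_number, line) for every entry whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        nets = entry_networks(line)
        if any(net.version == addr.version and addr in net for net in nets):
            hits.append((n, line.strip()))
    return hits

if __name__ == "__main__":
    # Usage: python3 check_allow.py <login-ip> [/etc/csf/csf.allow ...]
    # With no file arguments the constructed sample above is checked instead.
    ip = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.24"
    texts = {p: open(p).read() for p in sys.argv[2:]} or {"(sample)": SAMPLE_ALLOW}
    for name, text in texts.items():
        for n, line in covering_entries(text, ip):
            print(f"{name}:{n}: {line}")
```

Run it with the address shown in a working alert and with the address that produced no alert; an address that prints a matching entry is one the firewall already treats as trusted.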