
How to disable emails about failed login attempts?

Discussion in 'System Administration' started by jeffwidman, Feb 18, 2015.

  1. jeffwidman

    jeffwidman Active Member

    I'm getting tons of emails about failed login attempts to my VPS.


    Not a surprise, and I'm not too worried about it because I have login via password completely disabled and require key-based authentication.

    Is there a way to set it so I *only* get emails whenever someone successfully logs in?
    That way if a successful login happens that I'm not expecting I'll still be notified and can take action.
     
  2. eva2000

    eva2000 Administrator Staff Member

    The emails are coming from CSF Firewall's LFD (login failure daemon), which is enabled by default in CSF Firewall; see http://download.configserver.com/csf/readme.txt under "3. lfd Principles".

    So doing the opposite and disabling the email alert in /etc/csf/csf.conf would stop the notifications.

    SSH login notifications are in there too :)

    Code:
    grep -ni email /etc/csf/csf.conf
    40:# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
    41:# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
    42:# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
    50:# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
    388:# are difficult to achive since port 25 needs to be open to relay email
    545:# By default, lfd will send alert emails using the relevant alert template to
    547:# option will override the configured To: field in all lfd alert emails
    552:# By default, lfd will send alert emails using the relevant alert template from
    554:# option will override the configured From: field in all lfd alert emails
    579:# In addition to the standard lfd email alerts, you can additionally enable the
    593:# By default, lfd will send emails from the root forwarder. Setting the
    597:# By default, lfd will send emails to the root forwarder. Setting the following
    819:# to be open to relay email
    890:# Send an email alert if an IP address is blocked by one of the [*] triggers
    891:LF_EMAIL_ALERT = "1"
    987:# Send an email alert if anyone logs in successfully using SSH
    991:LF_SSH_EMAIL_ALERT = "1"
    993:# Send an email alert if anyone uses su to access another account. This will
    994:# send an email alert whether the attempt to use su was successful or not
    998:LF_SU_EMAIL_ALERT = "1"
    1000:# Send an email alert if anyone accesses webmin
    1004:LF_WEBMIN_EMAIL_ALERT = "0"
    1006:# Send an email alert if anyone logs in successfully to root on the console
    1010:LF_CONSOLE_EMAIL_ALERT = "0"
    1111:# file is found an email alert is sent. One alert per file per LF_FLUSH
    1124:# changes and should they change and email alert using watchalert.txt is sent
    1142:# Modified files will only be reported via email once.
    1259:# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
    1261:LT_EMAIL_ALERT = "1"
    1289:# Send an email alert if an IP address is blocked due to connection tracking
    1290:CT_EMAIL_ALERT = "1"
    1323:# suspicious process is found an alert email is sent with relevant information.
    1379:# exceeds the value of the following setting an email alert is sent with
    1413:# If you want to disable email alerts if PT_USERKILL is triggered, then set
    1426:# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
    1428:# seconds has passed to prevent email floods.
    1436:# This is the Apache Server Status URL used in the email alert. Requires the
    1524:# Set the following to "1" to enable Port Scan Tracking email alerts, set to
    1526:PS_EMAIL_ALERT = "1"
    1559:# a modifications to an account, an alert email is sent. Only the modification
    1669:# This controls what email alerts are sent with regards to logins to the UI. It
    1843:# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
    1853:# Log Scanner. This feature will send out an email summary of the log lines of
    1884:# Send the report email even if no log lines reported
    Also changing SSH port from 22 will help a bit :)
     
    Last edited: Feb 18, 2015
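
Added example (not part of the thread, and not ConfigServer's own code): one way to apply the answer above so that only successful SSH logins generate mail. It turns off `LF_EMAIL_ALERT` (the "IP address is blocked" alert at line 890 of the grep output) and keeps `LF_SSH_EMAIL_ALERT` on. The function names and the `--apply` switch are hypothetical, and it assumes GNU sed and the `KEY = "value"` layout shown in the output.

```bash
#!/usr/bin/env bash
# Added example: keep LFD's successful-SSH-login mail, silence its block alerts.
# Function names and the --apply switch are hypothetical helpers, not CSF commands.

# set_csf_option FILE KEY VALUE
# Rewrites the active (uncommented) KEY = "..." line in FILE.
# Returns 1 and changes nothing if KEY is not an active setting.
set_csf_option() {
    local file=$1 key=$2 value=$3
    # Anchoring at ^ skips comment lines and keeps LF_EMAIL_ALERT from
    # matching LF_SSH_EMAIL_ALERT.
    grep -Eq "^${key}[[:space:]]*=" "$file" || return 1
    sed -i -E "s|^(${key}[[:space:]]*=[[:space:]]*)\"[^\"]*\"|\1\"${value}\"|" "$file"
}

# get_csf_option FILE KEY  -> prints the current value without the quotes
get_csf_option() {
    sed -n -E "s|^$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*|\1|p" "$1"
}

# only_success_alerts FILE
# Backs FILE up once, then disables the block alert and enables the login alert.
# LFD keeps blocking offending IPs; only the email for each block is turned off.
only_success_alerts() {
    local file=$1
    cp -p "$file" "${file}.bak" || return 1
    set_csf_option "$file" LF_EMAIL_ALERT 0 || return 1
    set_csf_option "$file" LF_SSH_EMAIL_ALERT 1 || return 1
}

# Touch the real configuration only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    conf=/etc/csf/csf.conf
    only_success_alerts "$conf" || { echo "expected settings not found in $conf" >&2; exit 1; }
    echo "LF_EMAIL_ALERT=$(get_csf_option "$conf" LF_EMAIL_ALERT)"
    echo "LF_SSH_EMAIL_ALERT=$(get_csf_option "$conf" LF_SSH_EMAIL_ALERT)"
    csf -ra   # restart csf and lfd so the new values are loaded
fi
```

The other alerts in the grep output (`LF_SU_EMAIL_ALERT`, `CT_EMAIL_ALERT`, `PS_EMAIL_ALERT`, `LT_EMAIL_ALERT`) are left untouched; the same helper can switch them if they are also too noisy.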