Welcome to Centmin Mod Community
Register Now

Security Use CSF+LFD as a fail2ban equivalent (including cloudflare support)

Discussion in 'System Administration' started by ethanpil, May 17, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    45,640
    10,356
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,071
    Local Time:
    9:02 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    no that means 40 hits to port 80/443 within past 24hrs (86400 seconds) will be blocked
     
  2. rdan

    rdan Well-Known Member

    5,003
    1,201
    113
    May 25, 2014
    Ratings:
    +1,827
    Local Time:
    7:02 AM
    Mainline
    10.2
    How/Where can we set how many hours it will be blocked on Cloudflare & CSF?
    I don't want permanent block.
     
  3. eva2000

    eva2000 Administrator Staff Member

    45,640
    10,356
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,071
    Local Time:
    9:02 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    correction 86400 is the number of seconds for temp block

    Code (Text):
    # Example:
    #       if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
    #               return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
    #       }
    #
    # The return values from this example are as follows:
    #
    # "Failed myftpmatch login from" = text for custom failure message
    # $1 = the offending IP address
    # "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
    # "5" = the trigger level for blocking
    # "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
    # "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled
    

    LF_TRIGGER is by default disabled = 0 so it becomes a permanent block - read /etc/csf/csf.conf config file for full details - it's up to you to properly configure this for your needs - part of the info below but full info in /etc/csf/csf.conf CSF Firewall config file.
    Code (Text):
    ###############################################################################
    # SECTION:Login Failure Blocking and Alerts
    ###############################################################################
    # The following[*] triggers are application specific. If you set LF_TRIGGER to
    # "0" the value of each trigger is the number of failures against that
    # application that will trigger lfd to block the IP address
    #
    # If you set LF_TRIGGER to a value greater than "0" then the following[*]
    # application triggers are simply on or off ("0" or "1") and the value of
    # LF_TRIGGER is the total cumulative number of failures that will trigger lfd
    # to block the IP address
    #
    # Setting the application trigger to "0" disables it
    LF_TRIGGER = "0"
    
    # If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
    # block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
    # "1" and the IP address will be blocked temporarily for that value in seconds.
    # For example:
    # LF_TRIGGER_PERM = "1" => the IP is blocked permanently
    # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
    #
    # If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
    # in the same way as above and LF_TRIGGER_PERM serves no function
    LF_TRIGGER_PERM = "1"
    
     
  4. rc112

    rc112 Member

    126
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    7:02 AM
    Hi @ethanpil Nice work. I also think of not installing additional Fail2Ban when CSF+LFD can do the work. My question is your method will work with Apache server? Can I contact you for the details? Thank you.
     
  5. rc112

    rc112 Member

    126
    14
    18
    Sep 22, 2017
    Ratings:
    +15
    Local Time:
    7:02 AM
    Hi @ethanpil Nice work. I also think of not installing additional Fail2Ban when CSF+LFD can do the work. My question is your method will work with Apache server? Can I contact you for the details? Thank you.
     
  6. ethanpil

    ethanpil Active Member

    171
    53
    28
    Nov 8, 2015
    Ratings:
    +99
    Local Time:
    9:02 AM
    It should work without issues, but not with CentMinMod... :) We are nginx only!
    Just need to change the log file formats.... Basically step 2 would need to be redone for your apache log formats.
     
  7. rdan

    rdan Well-Known Member

    5,003
    1,201
    113
    May 25, 2014
    Ratings:
    +1,827
    Local Time:
    7:02 AM
    Mainline
    10.2
    I manually unblock an IP using csf -tr, but it didn't work.
    What else could be the problem?
     
  8. rdan

    rdan Well-Known Member

    5,003
    1,201
    113
    May 25, 2014
    Ratings:
    +1,827
    Local Time:
    7:02 AM
    Mainline
    10.2
  9. eva2000

    eva2000 Administrator Staff Member

    45,640
    10,356
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,071
    Local Time:
    9:02 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  10. rdan

    rdan Well-Known Member

    5,003
    1,201
    113
    May 25, 2014
    Ratings:
    +1,827
    Local Time:
    7:02 AM
    Mainline
    10.2
    For new server install, this works fine and tested it myself the first week.
    Now after 1 month, I tested this again and suddenly stops working.
    Temp Block IP aren't sent to Cloudflare anymore.

    Not sure what's the problem.