When I give /etc/csf/csf.pl -r, I see lots of lines flushing, then I begin to get the notification emails again (several emails per day), for example:

Time:     Wed Sep 12 08:39:47 2012 +0800
IP:       221.13.104.162 (CN/China/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Sep 12 08:39:25 MyHost sshd[9677]: Failed password for root from 221.13.104.162 port 51106 ssh2
Sep 12 08:39:28 MyHost sshd[9712]: Failed password for root from 221.13.104.162 port 51690 ssh2
Sep 12 08:39:32 MyHost sshd[9739]: Failed password for root from 221.13.104.162 port 52128 ssh2
Sep 12 08:39:36 MyHost sshd[9778]: Failed password for root from 221.13.104.162 port 52670 ssh2
Sep 12 08:39:40 MyHost sshd[9821]: Failed password for root from 221.13.104.162 port 53155 ssh2

And then, after about 30 days, the emails stop coming. It is as if something has filled up and requires flushing again.

I don't know much about CSF/LFD, but I would have imagined that this would work in a FIFO manner, so it should be able to run indefinitely within finite space.

My /etc/csf/version.txt says 4.83

My cat /proc/version says Linux version 2.6.18-028stab066.8 (root@rhel5-64-build) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Fri Nov 27 20:19:25 MSK 2009

Doochz

1 Answer

By default, the Login Failure Daemon (LFD) will block an IP temporarily only so many times for attempting to brute force a service before permanently blocking that IP, presumably at which point you would no longer see notification emails for temporary blocks. The related settings are in csf.conf. Look for "LF_PERMBLOCK". Additionally, the FIFO idea is correct. CSF will block up to a maximum number of IPs as determined by the configuration directives DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT, at which point the oldest (first) blocked IP will be unblocked in favor of the newest offender.

I believe a restart of CSF will clear the LFD block lists.

I recommend reading over the configuration scripts and reviewing your logs to verify that this is what is happening.

Source: http://configserver.com/free/csf/readme.txt, csf.conf in http://www.configserver.com/free/csf.tgz

Preston
  • The notifications that I want to see coming in _are_ for Permanent Blocks (as quoted in original question). We do not expect the emails to stop just because the FIFO space has just been reached and is starting to kick out oldest IPs. Thank you though. – Doochz Oct 20 '12 at 15:03
  • Are you seeing permanent blocks in the lfd log that you aren't getting notification emails for? – Preston Oct 20 '12 at 20:27
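The temp-block, escalate-to-permanent and FIFO-eviction behaviour the answer describes, as an added example that is not part of the question, the answer or CSF's own code. It replays sshd "Failed password" lines in the format quoted in the question through a small stand-in for lfd's bookkeeping. Of the setting names, LF_PERMBLOCK, DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT appear on the page; LF_SSHD, LF_INTERVAL, LF_PERMBLOCK_COUNT and LF_PERMBLOCK_INTERVAL are assumed from csf.conf; the Lfd class, temp_ttl and every value and log line below are constructed for the example and do not reproduce lfd's real timing or file layout.

```python
"""Toy model of lfd's per-IP blocking and the DENY_*_LIMIT FIFO (example only).

Added example, not CSF's own code. Parses sshd failure lines, counts failures
per IP inside a sliding LF_INTERVAL window, issues a temporary block after
LF_SSHD failures, escalates to a permanent block after LF_PERMBLOCK_COUNT
temporary blocks inside LF_PERMBLOCK_INTERVAL, and caps both deny lists so the
oldest entry is dropped first. temp_ttl and all values/log lines are constructed.
"""
import re
from collections import OrderedDict, defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2012):
    """Return (epoch_seconds, ip) for an sshd failure line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).timestamp(), m["ip"]


class Lfd:
    """Minimal stand-in for lfd's per-IP state (hypothetical class, example only)."""

    def __init__(self, lf_sshd=5, lf_interval=300, lf_permblock=True,
                 lf_permblock_count=4, lf_permblock_interval=86400,
                 deny_ip_limit=200, deny_temp_ip_limit=100, temp_ttl=3600):
        self.lf_sshd, self.lf_interval = lf_sshd, lf_interval
        self.lf_permblock = lf_permblock
        self.lf_permblock_count = lf_permblock_count
        self.lf_permblock_interval = lf_permblock_interval
        self.deny_ip_limit, self.deny_temp_ip_limit = deny_ip_limit, deny_temp_ip_limit
        self.temp_ttl = temp_ttl
        self.failures = defaultdict(deque)      # ip -> recent failure times
        self.temp_history = defaultdict(deque)  # ip -> times it was temp-blocked
        self.temp_deny = OrderedDict()          # ip -> expiry; insertion order = age
        self.perm_deny = OrderedDict()          # ip -> time blocked (csf.deny analogue)
        self.events = []                        # what lfd would have emailed about

    def feed(self, now, ip):
        """Account one failed login; return the block type if this one triggers a block."""
        self._expire_temp(now)
        if ip in self.perm_deny or ip in self.temp_deny:
            return None  # firewall already drops this IP; nothing new to count
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.lf_interval:    # keep only the sliding LF_INTERVAL window
            q.popleft()
        if len(q) < self.lf_sshd:
            return None
        q.clear()
        return self._block(now, ip)

    def _block(self, now, ip):
        hist = self.temp_history[ip]
        hist.append(now)
        while now - hist[0] > self.lf_permblock_interval:
            hist.popleft()
        if self.lf_permblock and len(hist) >= self.lf_permblock_count:
            self.temp_deny.pop(ip, None)
            self.perm_deny[ip] = now
            self.events.append(("perm", ip))
            if len(self.perm_deny) > self.deny_ip_limit:      # DENY_IP_LIMIT reached:
                old, _ = self.perm_deny.popitem(last=False)  # oldest entry falls out (FIFO)
                self.events.append(("unblock_perm_fifo", old))
            return "Permanent Block"
        self.temp_deny[ip] = now + self.temp_ttl
        self.events.append(("temp", ip))
        if len(self.temp_deny) > self.deny_temp_ip_limit:     # DENY_TEMP_IP_LIMIT reached
            old, _ = self.temp_deny.popitem(last=False)
            self.events.append(("unblock_temp_fifo", old))
        return "Temporary Block"

    def _expire_temp(self, now):
        for ip in [ip for ip, exp in self.temp_deny.items() if exp <= now]:
            del self.temp_deny[ip]


def burst(hhmmss, ip, n=5, step=3):
    """Constructed sample data: n failed root logins from ip, step seconds apart, on 2012-09-12."""
    base = datetime(2012, 9, 12, *map(int, hhmmss.split(":")))
    return [f"{base + timedelta(seconds=i * step):%b %d %H:%M:%S} MyHost sshd[{9000 + i}]: "
            f"Failed password for root from {ip} port {50000 + i} ssh2" for i in range(n)]


SAMPLE_LOG = (burst("08:39:25", "10.0.0.1") + burst("08:45:00", "10.0.0.2")
              + burst("08:50:00", "10.0.0.3") + burst("08:55:00", "10.0.0.1")
              + burst("10:00:00", "10.0.0.2"))


def run(lines, **cfg):
    """Replay log lines through an Lfd instance and return it for inspection."""
    lfd = Lfd(**cfg)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            lfd.feed(*parsed)
    return lfd


if __name__ == "__main__":
    # Tiny limits so the FIFO eviction becomes visible within a handful of lines.
    state = run(SAMPLE_LOG, lf_permblock_count=2, deny_ip_limit=1, deny_temp_ip_limit=2)
    for ev in state.events:
        print(ev)
    print("csf.deny now holds:", list(state.perm_deny))
```

With the tiny limits in the usage block, 10.0.0.1 is temp-blocked, pushed out of the temp list by newer offenders, permanently blocked on its next burst, and then pushed out of the permanent list as well once DENY_IP_LIMIT is exceeded; with the defaults the same log produces only temporary blocks and an empty permanent list. The point for the question is that once a permanent list is full, every new permanent block silently unblocks the oldest one, so checking the lfd log against csf.deny is the way to confirm which of the two explanations in the answer applies.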