CSF

Translate the Page

Hi,

In this post, I will explain about the firewall that is commonly used in most of the Linux server. That is called CSF (ConfigServer Security & Firewall).

The CSF will block external IPs (Inbound connections) for any Brute force attack or something like that(Multiple login failure, hacking attempts etc) on the server. We can find out all details regarding the IP block from the ‘lfd’ log. The reason for IP block, exact time etc will be explained in the log file.

CSF log file details:

All records related with the CSF and LFD is logged in a file under “/var/log“. The log file for CSF & LFD is:

/var/log/lfd.log

>> How to find whether the IP address is blocked or not in CSF ?

There are three different ways to find out the details of IP address if it is Blacklisted in CSF.

 

Method I: From WHM
Login to your WHM control panel and search the “ConfigServer Security & Firewall” from the search tool bar which is located left side of the WHM menu. Then use the Search for IP tool to find out the details of IP block on the server.
You can unblock the IP address from the output itself. Refer the below URL for your reference:

 

 

Method II : Command line options
You can use the switch ‘g’ along with the csf command.

How to use it?
Step 1: SSH to your server as root user.
Step 2: Run the below pasted command.

1. Search the details of IP address (lets say 1.1.1.1) on your server by using the command csf.
[root@server ] csf -g 1.1.1.1
——-
Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 1.1.1.1 in iptables
——-
2. Search after blocking the IP address 2.2.2.2 on your server.
2.1 csf -d : to block IP address
[root@server ] csf -d 2.2.2.2
——-
Adding 2.2.2.2 to csf.deny and iptables DROP…
DROP  all opt — in !lo out *  2.2.2.2  -> 0.0.0.0/0
DROP  all opt — in * out !lo  0.0.0.0/0  -> 2.2.2.2
——-
2.2 csf -g : to find details
[root@server ] csf -g 2.2.2.2
——-
Chain            num   pkts bytes target     prot opt in     out     source               destination
DENYIN           26       0     0 DROP       all  —  !lo    *       2.2.2.2              0.0.0.0/0
DENYOUT          26       0     0 DROP       all  —  *      !lo     0.0.0.0/0            2.2.2.2
csf.deny: 2.2.2.2 # Manually denied – Tue Dec 24 14:35:43 2013
——-

Method III : Grep the IP Address details from the log file “/var/log/lfd.log”

[root@server ] grep ‘IP-Address’ /var/log/lfd.log
[root@server ] grep 1.1.1.11 /var/log/lfd.log
======
Feb 28 03:37:47 whm728 lfd[202183]: (mod_security) mod_security (id:10) triggered by 1.1.1.11 (CN/China/-): 3 in the last 3600 secs – *Blocked in csf* port=80 [LF_MODSEC]
======

>>  Troubleshooting and Identifying the root cause:

[LF_CPANEL] : IP address is blocked due to failed cPanel login attempts.  The maximum number of attempts and the duration is mentioned in the firewall configuration file. For example, if the LFD log says the below line:

====
(cpanel) Failed cPanel login from x.x.x.x (CA/Canada/bas7-sudbury98-1096760400.dsl.bell.ca): 5 in the last 300 secs – *Blocked in csf* [LF_CPANEL]
====

This means that the server firewall has set a maximum of 5 cpanel invalid login attempts from an IP address. So when 5 login failures occur from a single IP address it will be automatically blocked in the server firewall.

***
Now, go to the location ” /usr/local/cpanel/log/login_log “, find the root cause and proceed accordingly.
***

[LF_FTPD] : IP address is blocked due to failed FTP login attempts. The maximum number of attempts and the duration is mentioned in the firewall configuration file. For example, if the LFD log says the below line:

====
(ftpd) Failed FTP login from x.x.x.x (NL/Netherlands/541f4283.cm-5-8b.dynamic.ziggo.nl): 10 in the last 300 secs – *Blocked in csf* [LF_FTPD]
====

This means that the server firewall has set a maximum of 10 FTP invalid login attempts from an IP address. So when 10 login failures occur from a single IP address it will be automatically blocked in the server firewall.

***
Now, ” grep ip /var/log/messages “, find the root cause and proceed accordingly.
***

[LF_POP3D] : IP address blocked due to failed POP3 login attempts. The LFD log will show as below:

====
pop3d – 61 logins in 2990 secs from x.x.x.x (AU/Australia/-) for example@yourmail.com exceeds 60/hour – *Blocked in csf* for 610 secs [LT_POP3D]
====

CSF (server firewall) uses the parameter “LF_POP3D” to check email login failures from a single IP address. Once this limit is exceeded the IP address will be automatically blocked in the server firewall.

***
Now, ” grep ip /var/log/maillog “, find the root cause and proceed accordingly.
***

[LF_MODSEC] : IP address is blocked due to ModSecurity triggering. The LFD log shows below:

=====
Feb 28 03:37:47 whm2 lfd[202183]: (mod_security) mod_security (id:10) triggered by 1.1.1.11 (CN/China/-): 3 in the last 3600 secs – *Blocked in csf* port=80 [LF_MODSEC]
=====

Mod_security has certain rules for the words or pattern used in online CMS and requested URLs. If any pattern match with the requested URL under the site or any online CMS try to put the words or Pattern to database, mod_security deny the access to it. Most of the CMS put the data in the database and edit/delete record from database and they really need the mod_security to be disable.
Modsecurity rule protects a site from attacks such as SQL injection protection, URL formatting protection, meta and null character filtering, path recursion attack protection, buffer and heap overflow defences, remote file inclusion attack prevention and many others. This is to ensure server security.

***
Now, ” grep ip /usr/local/apache/logs/error_log “, find the root cause and proceed accordingly.
***

[CT_LIMIT] : IP address is blocked due to excessive number of connections. The IP address is temporarily blocked for a particular time interval. The LFD log will show as:

====
(CT) IP x.x.x.x (AU/Australia/CPE-58-165-216-228.nsw.bigpond.net.au) found to have 79 connections – *Blocked in csf* for 900 secs
====

Connection Tracking Limit or ( CT_LIMIT ) option in CSF, enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this limit, then the offending IP address is blocked. This can be used to prevent DOS attack.
Please make sure that you have disabled the settings that make too many connections to the server like email check interval in email clients, ftp session limit in ftp clients, auto reload in browser etc.

***
Now, ” grep ip  /var/log/messages “, find the root cause and proceed accordingly.
***

If you are using any email clients, please check whether you have enabled automatic mail check option. If so, please disable the same or increase the mail check interval to avoid such issues in future.
For example, if you are using email client outlook, you can follow the steps given below to do the same:
========
1) Open Outlook.
2) Choose Tools Options.
3) In the Options dialogue box, click the General tab (if needed).
4) Uncheck the “Check for New Messages Every [interval you have given] Minutes” check box, or you can increase the mail check interval by giving the desired time in [interval you have given].
5) Click OK to save the changes.
========
>>FTP session limit in FTP clients
You can follow the steps mentioned below to do that.
=========
If you are using FILEZILLA as your FTP client, do the following:
1. EDIT
2. SETTINGS
3. TRANSFERS
In that window modify the following parameters, to have the same values:
Maximum Simultaneous Transfers: 3
Limit for concurrent Downloads: 3
Limit for Concurrent Uploads: 3
=========
[PS_LIMIT] : IP address is blocked due to excess generation for port blocks.  The LFD log shows below:

====
*Port Scan* detected from x.x.x.x (BE/Belgium/d51A54121.access.telenet.be). 11 hits in the last 268 seconds – *Blocked in csf* for 3600 secs [PS_LIMIT]
====

Port Scan Tracking or PS_LIMIT feature tracks port blocks logged by iptables to syslog. If an IP address generates a port block that is logged more than PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
Port scanning is normally done to check for the open ports in the server. This is normally done by the intruders to get access to the server through the open ports. It will temporarily block the IP address if port scan is detected from any IP address.
Please refer the below mentioned preventive Measures against Port Scanning Attacks from the PC:
—-
(1) Do all Windows Critical Update in your PC monthly or when reminded to do so.
(In the Internet Explorer, click the ‘Tools’ menu => ‘Windows Update’ => ‘Scan for Update’.)
(2) Install anti-virus software on your computer and update regularly (daily) for the latest virus pattern from the vendor of your anti-virus software.
(3) Remove viruses and trojan horses: (Some viruses would disable anti-virus software and special tools are required to remove them.)
– See pointers to common viruses and removal instructions at http://www.itservices.hku.hk/faq/virus.htm.
(4) Do not open suspicious mail or attachments from unknown or suspicious sources. Always scan an attachment before opening it.
– If you are using Outlook or Outlook Express for reading email, be careful that the attachment preview setting might open a virus-infected attachment.
(5) Avoid file sharing with unknown or suspicious sources, such as using Peer-to-Peer (P2P) software. Many viruses can spread through P2P file sharing software.
—-

>> Commands to perform some tasks on CSF:

========
csf -a ip    Allow an IP and add to /etc/csf/csf.allow
csf -ar ip   Remove an IP from /etc/csf/csf.allow and delete rule
csf -d ip     Deny an IP and add to /etc/csf/csf.deny
csf -dr ip     Unblock an IP and remove from /etc/csf/csf.deny
csf -t ip    Displays the current list of temporary allow and deny IP entries with their TTL and comment.
csf -ta ip ttl Add an IP to the temp IP allow list (default:inout)  Where ttl is the time to live in seconds(Default value: 3600)
csf -td ip ttl Add an IP to the temp IP ban list.
csf -tr ip   Remove an IP from the temporary IP ban or allow list
csf -tf      Flush all IPs from the temporary IP entries
========

General commands:

csf -v Or csf –version : Show csf version
csf -c Or csf –check :   Check for updates to csf but do not upgrade
csf -u Or csf –update :  Check for updates to csf and upgrade if available
csf -h Or csf –help :    For help

If you have any other query related to CSF firewall, please feel free to comment in the below box. I will be more than happy to assist you.

My name is Shashank Shekhar. I am a Software Engineer, currently working in one of the leading web-hosting companies in India. I am having 2 years of experience in Linux Server Administration.

I love to work in Linux environment & love learning new things.

Powered by Facebook Comments

Be the first to comment

Leave a Reply