
CSF settings and log paths for lfd integration from the CLI

So I figured I would share this information here, as someone else may find it helpful. I reviewed both CentOS and Ubuntu log paths and figured out how to map them all properly in csf so that lfd and whatnot works for brute-force protection when it's enabled.

Currently, the default doesn't do much good against brute-force attacks, and neither does firewalld.

With the below information you can rapidly adjust csf.conf and lfd to work properly after installing via the WebGUI.

Overview of log files and differences.

Cyberpanel Control Panel Accesslog
/usr/local/lscp/cyberpanel/logs/access.log

Cyberpanel Control Panel errorlog
/usr/local/lscp/cyberpanel/logs/error.log

Cyberpanel Control Panel stderr.log
/usr/local/lscp/cyberpanel/logs/stderr.log

Cyberpanel Control Panel logs and rotated logs.
/usr/local/lscp/logs/



csf.logfiles / csf.syslogs
# CyberPanel
/home/cyberpanel/error-logs.txt
/usr/local/lscp/cyberpanel/logs/error.log
/usr/local/lscp/cyberpanel/logs/access.log
/usr/local/lscp/cyberpanel/logs/stderr.log

csf.syslogs
# Litespeed/Openlitespeed
/usr/local/lsws/logs/error.log
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/auditmodsec.log


Ubuntu
These files contain email logs for postfix/dovecot
/var/log/mail.err
/var/log/mail.log

Auth
/var/log/syslog
/var/log/auth.log

Iptables log
/var/log/kern.log



CentOS 7

sshd
/var/log/secure

FTP
/var/log/messages
tail -f /var/log/messages

Maillog
/var/log/maillog


As I like to do stuff rapidly vs. doing it all by hand in nano/vi, and wanted to reuse it, I set up one-liners with sed for each directive I wanted to change.

Use this as a reference to see what these directives do:
https://download.configserver.com/csf/readme.txt

Basically, this disables the excessive alerts that CSF defaults to having on, plus a number of other good defaults I have been using for years on my cPanel and other Linux servers.

The first thing you're going to want to do is back up the configuration.
/etc/csf/csf.conf

cp /etc/csf/csf.conf /etc/csf/csf.conf-bak

If something is broken, you can then do the below to reverse it.
cp /etc/csf/csf.conf-bak /etc/csf/csf.conf
csf -r


General universal rules

sed -i 's/^RESTRICT_SYSLOG =.*/RESTRICT_SYSLOG = "3"/g' /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT.*/LF_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_PERMBLOCK_ALERT.*/LF_PERMBLOCK_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_NETBLOCK_ALERT.*/LF_NETBLOCK_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_TRIGGER_PERM.*/LF_TRIGGER_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT.*/LF_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSHD =.*/LF_SSHD = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSHD_PERM =.*/LF_SSHD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_FTPD_PERM =.*/LF_FTPD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH =.*/LF_SMTPAUTH = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH_PERM =.*/LF_SMTPAUTH_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_POP3D =.*/LF_POP3D = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_POP3D_PERM =.*/LF_POP3D_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD =.*/LF_IMAPD = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD_PERM =.*/LF_IMAPD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_HTACCESS_PERM =.*/LF_HTACCESS_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC =.*/LF_MODSEC = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC_PERM =.*/LF_MODSEC_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSH_EMAIL_ALERT =.*/LF_SSH_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_WEBMIN_EMAIL_ALERT =.*/LF_WEBMIN_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_ALERT =.*/LF_QUEUE_ALERT = "2000"/g' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_INTERVAL =.*/LF_QUEUE_INTERVAL = "300"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_ALERT =.*/RT_RELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_LIMIT =.*/RT_RELAY_LIMIT = "500"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_BLOCK =.*/RT_RELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_ALERT =.*/RT_AUTHRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_LIMIT =.*/RT_AUTHRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_BLOCK =.*/RT_AUTHRELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_ALERT =.*/RT_POPRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_LIMIT =.*/RT_POPRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_BLOCK =.*/RT_POPRELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_ALERT =.*/RT_LOCALRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_LIMIT =.*/RT_LOCALRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_ALERT =.*/RT_LOCALHOSTRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_LIMIT =.*/RT_LOCALHOSTRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_ACTION =.*/RT_ACTION = ""/g' /etc/csf/csf.conf
sed -i 's/^CT_EMAIL_ALERT =.*/CT_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERPROC =.*/PT_USERPROC = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERMEM.*/PT_USERMEM = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERRSS.*/PT_USERRSS = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERTIME.*/PT_USERTIME = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERKILL_ALERT.*/PT_USERKILL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_LOAD =.*/PT_LOAD = "0"/g' /etc/csf/csf.conf
sed -i 's/^UI_USER =.*/UI_USER = "asjdbhjbadiywbhww"/g' /etc/csf/csf.conf
sed -i 's/^UI_PASS =.*/UI_PASS = "jbnjkebiub2e32qei"/g' /etc/csf/csf.conf
sed -i 's|^HTACCESS_LOG =.*|HTACCESS_LOG = "/usr/local/lsws/logs/error.log"|g' /etc/csf/csf.conf
sed -i 's|^MODSEC_LOG =.*|MODSEC_LOG = "/usr/local/lsws/logs/auditmodsec.log"|g' /etc/csf/csf.conf

The below sections are OS-specific, based on the CentOS 7 and Ubuntu 18 servers I have. If unsure, just check that your server's log files match these. If they do not, adjust the rules carefully to match your configuration before using them.

For Ubuntu-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/kern.log"|g' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/syslog"|g' /etc/csf/csf.conf

For CentOS-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/secure"|g' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/secure"|g' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/messages"|g' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/messages"|g' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/messages"|g' /etc/csf/csf.conf


Restart csf and lfd
csf -r

Check if lfd is enabled
service lfd status
or
systemctl status lfd


Once you apply the general rules and the correct host-specific version for your server, you can then check if it's working by tailing lfd.log.
tail -f /var/log/lfd.log

It should look something like this if it's working properly:
[[email protected]:/etc/csf]# tail -f /var/log/lfd.log
Oct 5 11:14:04 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log...
Oct 5 11:24:35 wcloud lfd[7777]: (sshd) Failed SSH login from 190.64.141.18 (UY/Uruguay/r190-64-141-18.ir-static.anteldata.net.uy): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:24:40 wcloud lfd[7787]: (sshd) Failed SSH login from 201.48.4.15 (BR/Brazil/201-048-004-015.static.ctbctelecom.com.br): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:27:35 wcloud lfd[3049]: *Error* Log line flooding/looping in /usr/local/lsws/logs/error.log. Reopening log file
Oct 5 11:27:35 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log...
Oct 5 11:28:50 wcloud lfd[8726]: (sshd) Failed SSH login from 134.175.80.27 (CN/China/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:29:10 wcloud lfd[8896]: (sshd) Failed SSH login from 196.44.191.3 (ZW/Zimbabwe/s35931.broadband.yoafrica.com): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:31:35 wcloud lfd[9372]: (sshd) Failed SSH login from 54.38.183.177 (FR/France/177.ip-54-38-183.eu): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:35:21 wcloud lfd[10232]: Incoming IP 222.186.173.238 temporary block removed
Oct 5 11:35:21 wcloud lfd[10232]: Outgoing IP 222.186.173.238 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Incoming IP 49.88.112.77 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Outgoing IP 49.88.112.77 temporary block removed


Now you should have a way more secure server than the default firewalld or default csf with nothing enabled.

Hope this helps everyone out. Hopefully we can get these good defaults or a profile imported upon installation via the WebGUI.
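As an added example (not code from the original post), the same edits wrapped in a small POSIX shell script: a csf_set helper that refuses to touch a directive that is not present in csf.conf and reads the value back after writing (the plain sed one-liners above silently do nothing when a directive is missing or spelled differently), and a csf_map_logs function that applies the Ubuntu or CentOS log paths listed above by the ID from /etc/os-release. The helper names, the CSF_CONF variable and the constructed sample csf.conf used by the demo are my own; the directive names and log paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: apply csf.conf directives
# through a helper that checks the directive exists and verifies the value
# after writing. CSF_CONF defaults to /etc/csf/csf.conf; point it at a
# scratch copy to try the helpers without touching the live firewall config.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_get FILE KEY: print the value of 'KEY = "value"' without the quotes
csf_get() {
    sed -n "s/^$2 = \"\(.*\)\"[[:space:]]*$/\1/p" "$1"
}

# csf_set FILE KEY VALUE: rewrite the directive in place.
# Returns 1 if KEY is absent (a bare 'sed -i s/^KEY =.*/.../' would silently
# do nothing) or if the value does not read back exactly as written.
csf_set() {
    conf=$1; key=$2; val=$3
    grep -q "^$key = " "$conf" || {
        echo "csf_set: $key not found in $conf" >&2; return 1; }
    # escape what is special in a sed replacement with '|' as the delimiter
    esc=$(printf '%s' "$val" | sed 's/[\\&|]/\\&/g')
    sed -i "s|^$key = .*|$key = \"$esc\"|" "$conf"
    [ "$(csf_get "$conf" "$key")" = "$val" ]
}

# csf_map_logs FILE OSID: set the *_LOG paths for "ubuntu" or "centos",
# the two layouts listed in the post (OSID as in the ID field of
# /etc/os-release). Warns about paths that do not exist on this host.
csf_map_logs() {
    conf=$1
    case $2 in
    ubuntu) auth=/var/log/auth.log; ftp=/var/log/auth.log
            mail=/var/log/mail.log; ipt=/var/log/kern.log; sys=/var/log/syslog ;;
    centos) auth=/var/log/secure;   ftp=/var/log/messages
            mail=/var/log/maillog;  ipt=/var/log/messages; sys=/var/log/messages ;;
    *) echo "csf_map_logs: no log map for OS id '$2'" >&2; return 1 ;;
    esac
    for f in "$auth" "$mail" "$ipt" "$sys"; do
        [ -f "$f" ] || echo "warning: $f does not exist on this host" >&2
    done
    csf_set "$conf" SSHD_LOG "$auth" && csf_set "$conf" SU_LOG "$auth" &&
    csf_set "$conf" FTPD_LOG "$ftp" && csf_set "$conf" SMTPAUTH_LOG "$mail" &&
    csf_set "$conf" POP3D_LOG "$mail" && csf_set "$conf" IMAPD_LOG "$mail" &&
    csf_set "$conf" IPTABLES_LOG "$ipt" && csf_set "$conf" SYSLOG_LOG "$sys"
}

# make_sample_conf FILE: write a constructed, minimal file in the csf.conf
# layout (not a real config) so the helpers can be exercised offline
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample in the csf.conf layout (not a real config)
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_EMAIL_ALERT = "1"
RT_ACTION = ""
HTACCESS_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/maillog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
EOF
}

# Demo on a scratch copy: a few of the post's "general" settings plus the
# Ubuntu log map, then show the resulting lines.
demo() {
    tmp=$(mktemp) && make_sample_conf "$tmp"
    csf_set "$tmp" LF_SSHD 10 && csf_set "$tmp" LF_SSHD_PERM 1800 &&
    csf_set "$tmp" LF_EMAIL_ALERT 0 &&
    csf_set "$tmp" HTACCESS_LOG /usr/local/lsws/logs/error.log &&
    csf_map_logs "$tmp" ubuntu
    grep -E '^(LF_SSHD|SSHD_LOG|IPTABLES_LOG) ' "$tmp"
    rm -f "$tmp"
}
demo
```

To use it on a real box, run `csf_map_logs "$CSF_CONF" "$(. /etc/os-release; echo "$ID")"` after the general csf_set calls, check the warnings it prints against your actual log files, and then `csf -r` as in the post.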


Comments

  • Thank you, my server load went down after getting hammered by bots.
  • Glad to hear it. I submitted a commit so these are hopefully the new defaults upon install.

    File:
    https://github.com/usmannasir/cyberpanel/blob/1.8.0/plogical/csf.py

    Commit submitted:
    https://github.com/usmannasir/cyberpanel/pull/137
  • edited October 2019
    Just an update on this. I was able to code some more modifications to enable the native CSF web UI on port 1025. The default port 6666 is blocked in Chrome/Firefox, so this port was not used.

    https://github.com/usmannasir/cyberpanel/blob/53c5536f0fe00273b415ef239cac8b9f263c65c8/plogical/csf.py#L62-L72
    https://github.com/usmannasir/cyberpanel/blob/53c5536f0fe00273b415ef239cac8b9f263c65c8/plogical/csf.py#L286-L296

    If there is a signed SSL for the hostname installed already it will automatically use that for the SSL for CSF.

    That magic happens due to these symlinks:
    ln -s /usr/local/lscp/conf/cert.pem /etc/csf/ui/server.crt
    ln -s /usr/local/lscp/conf/key.pem /etc/csf/ui/server.key

    Tested on both Ubuntu and Centos.

    After CSF is installed you can access the web UI via hostname/IP:
    https://hostname:1025/
    https://IP:1025/

    Default username:
    cyberpanel

    Default password:
    csfadmin1234567

    To change the default username or password this can be done via the CLI. See the below examples and replace them with your desired username and password.

    To change username:
    sed -i 's/^UI_USER =.*/UI_USER = "YourNewUserNameHere"/g' /etc/csf/csf.conf

    To change password:
    sed -i 's/^UI_PASS =.*/UI_PASS = "YourNewPasswordHere"/g' /etc/csf/csf.conf

    Once updated, use the below command to restart all.
    csf -ra

    If you see CSF is enabled but it's not showing on the WebUI port, you might need to also run the above command after install. I coded this in as I noticed it needs to be run after installation to allow the WebUI to properly load, but sometimes it needs to be done manually again.

    This will give you all the advanced functionality to tail logs live in browser etc.


    Optional security recommendations.

    Currently, it will allow anyone to visit this page. If they fail logins it will block them, which is not a huge deal, but restricting this to your IP or a VPN management IP will add some extra protection to the web UI.

    Adding your IP or IPs to the below file will allow you to put it back into whitelist mode and prevent any IPs not listed from loading the page.
    /etc/csf/ui/ui.allow

    echo "YOUR_PUBLIC_IP_ADDRESS" >> /etc/csf/ui/ui.allow

    To turn that protection back on, the below can be used.
    sed -i 's/^UI_ALLOW =.*/UI_ALLOW = "1"/g' /etc/csf/csf.conf
    csf -ra

    Source reference links:
    https://forums.cyberpanel.net/discussion/comment/4716#Comment_4716
    https://tecadmin.net/how-to-enable-csf-firewall-web-ui/
  • @whattheserver do I need to reinstall csf from CyberPanel to get the UI enabled?
  • Yeah, that's the easiest way. If you have a lot of custom modifications you may want to back up your csf.conf outside of the /etc/csf/ directory, as it deletes it all during the uninstall.

    cp /etc/csf/csf.conf /root/csf.conf

    You could also use the below commands to modify the different things manually vs. uninstalling.

    Move the default SSL keys out of the way and create the symlinks.
    mv /etc/csf/ui/server.crt /etc/csf/ui/server.crt-bak; ln -s /usr/local/lscp/conf/cert.pem /etc/csf/ui/server.crt;
    mv /etc/csf/ui/server.key /etc/csf/ui/server.key-bak; ln -s /usr/local/lscp/conf/key.pem /etc/csf/ui/server.key;

    Specify the username and password you want it to use in the below.
    sed -i 's/^UI_USER =.*/UI_USER = "username"/g' /etc/csf/csf.conf
    sed -i 's/^UI_PASS =.*/UI_PASS = "password"/g' /etc/csf/csf.conf

    Enable the UI, set the UI port, and disable UI_ALLOW.
    sed -i 's/^UI =.*/UI = "1"/g' /etc/csf/csf.conf
    sed -i 's/^UI_PORT =.*/UI_PORT = "1025"/g' /etc/csf/csf.conf
    sed -i 's/^UI_ALLOW =.*/UI_ALLOW = "0"/g' /etc/csf/csf.conf

    csf -ra

    Check
    https://hostname:1025
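An added example, not code from the thread or from CyberPanel: a pre-flight check for the manual UI setup in the two comments above. It reads UI, UI_PORT and UI_ALLOW from csf.conf, confirms that the server.crt/server.key symlinks resolve to readable files, and, when UI_ALLOW is "1", that ui.allow actually lists an address, so that whitelist mode with an empty ui.allow is caught before csf -ra rather than after you find you cannot log in. The function names and the scratch directory layout built by the demo are my own assumptions; the directive names, file names and symlink targets are the ones from the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the CSF web UI
# settings (UI, UI_PORT, UI_ALLOW + ui.allow, server.crt/server.key links)
# before 'csf -ra'. Both paths are parameters; the live ones are
# /etc/csf/csf.conf and /etc/csf/ui.

csf_get() { sed -n "s/^$2 = \"\(.*\)\"[[:space:]]*$/\1/p" "$1"; }

# csf_ui_check CONF UIDIR: print every problem found, return 0 only if none
csf_ui_check() {
    conf=$1; uidir=$2; rc=0
    [ "$(csf_get "$conf" UI)" = "1" ] ||
        { echo "UI is not enabled (expected UI = \"1\")"; rc=1; }
    port=$(csf_get "$conf" UI_PORT)
    case $port in
        ''|*[!0-9]*) echo "UI_PORT is not a number: '$port'"; rc=1 ;;
    esac
    # the comments point server.crt/server.key at the LSCP cert and key;
    # -r follows the symlink, so a dangling link is reported here
    for f in server.crt server.key; do
        [ -r "$uidir/$f" ] ||
            { echo "$uidir/$f is missing or unreadable (dangling symlink?)"; rc=1; }
    done
    # whitelist mode (UI_ALLOW = "1") with an empty ui.allow locks everyone out
    if [ "$(csf_get "$conf" UI_ALLOW)" = "1" ]; then
        n=$(grep -v '^[[:space:]]*#' "$uidir/ui.allow" 2>/dev/null |
            grep -c '[^[:space:]]' || true)
        [ "${n:-0}" -gt 0 ] ||
            { echo "UI_ALLOW = \"1\" but $uidir/ui.allow lists no addresses"; rc=1; }
    fi
    return $rc
}

# Demo on a constructed scratch layout mirroring /etc/csf: first a consistent
# setup, then the lock-out case with whitelist mode and an empty ui.allow.
demo() {
    d=$(mktemp -d)
    mkdir "$d/ui"
    printf 'cert\n' > "$d/cert.pem"; printf 'key\n' > "$d/key.pem"
    ln -s "$d/cert.pem" "$d/ui/server.crt"; ln -s "$d/key.pem" "$d/ui/server.key"
    printf 'UI = "1"\nUI_PORT = "1025"\nUI_ALLOW = "0"\n' > "$d/csf.conf"
    csf_ui_check "$d/csf.conf" "$d/ui" && echo "ok: UI config consistent"
    sed -i 's/^UI_ALLOW =.*/UI_ALLOW = "1"/' "$d/csf.conf"
    : > "$d/ui/ui.allow"
    csf_ui_check "$d/csf.conf" "$d/ui" || echo "refusing: fix the above before csf -ra"
    rm -rf "$d"
}
demo
```

On a live server run `csf_ui_check /etc/csf/csf.conf /etc/csf/ui && csf -ra`, so the restart only happens when the check passes.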
  • So is this still valid?
  • edited April 7
    You can use the ldapmodify utility to modify the parameters in the cn=config subtree that control the Directory Server logging.