CyberHosting

CSF settings and log paths for lfd integration from the CLI

So I figured I would share this information here as someone else may find it helpful. I reviewed both CentOS and Ubuntu log paths and figured out how to map them all properly in csf so that lfd and whatnot works for brute-force protection when it's enabled.

Currently, the default doesn't do much good against brute-force attacks, and neither does firewalld.

With the information below you can rapidly adjust csf.conf and lfd to work properly after installing via the WebGUI.

Overview of the log files and their differences:

Cyberpanel Control Panel Accesslog
/usr/local/lscp/cyberpanel/logs/access.log

Cyberpanel Control Panel errorlog
/usr/local/lscp/cyberpanel/logs/error.log

Cyberpanel Control Panel stderr.log
/usr/local/lscp/cyberpanel/logs/stderr.log

Cyberpanel Control Panel logs and rotated logs.
/usr/local/lscp/logs/



csf.logfiles csf.syslogs
# CyberPanel
/home/cyberpanel/error-logs.txt
/usr/local/lscp/cyberpanel/logs/error.log
/usr/local/lscp/cyberpanel/logs/access.log
/usr/local/lscp/cyberpanel/logs/stderr.log

csf.syslogs
# Litespeed/Openlitespeed
/usr/local/lsws/logs/error.log
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/auditmodsec.log


Ubuntu
These files contain the mail logs for postfix/dovecot:
/var/log/mail.err
/var/log/mail.log

Auth
/var/log/syslog
/var/log/auth.log

Iptables log
/var/log/kern.log



CentOS 7

sshd
/var/log/secure

FTP
/var/log/messages
tail -f /var/log/messages

Maillog
/var/log/maillog


As I like to do stuff rapidly vs doing it all by hand in nano/vi, and wanted to reuse it, I set up one-liners with sed for each directive I wanted to change.

Use this as a reference to see what these directives do:
https://download.configserver.com/csf/readme.txt

Basically, this disables the excessive alerts that CSF has on by default, and applies a number of other good defaults I have been using for years on my cPanel and other Linux servers.

The first thing you're going to want to do is back up the configuration file, /etc/csf/csf.conf:

cp /etc/csf/csf.conf /etc/csf/csf.conf-bak

If something is broken you can then do the below to reverse it.
cp /etc/csf/csf.conf-bak /etc/csf/csf.conf
csf -r


General universal rules

sed -i 's/^RESTRICT_SYSLOG =.*/RESTRICT_SYSLOG = "3"/g' /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT.*/LF_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_PERMBLOCK_ALERT.*/LF_PERMBLOCK_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_NETBLOCK_ALERT.*/LF_NETBLOCK_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_TRIGGER_PERM.*/LF_TRIGGER_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSHD =.*/LF_SSHD = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSHD_PERM =.*/LF_SSHD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_FTPD_PERM =.*/LF_FTPD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH =.*/LF_SMTPAUTH = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH_PERM =.*/LF_SMTPAUTH_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_POP3D =.*/LF_POP3D = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_POP3D_PERM =.*/LF_POP3D_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD =.*/LF_IMAPD = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD_PERM =.*/LF_IMAPD_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_HTACCESS_PERM =.*/LF_HTACCESS_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC =.*/LF_MODSEC = "10"/g' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC_PERM =.*/LF_MODSEC_PERM = "1800"/g' /etc/csf/csf.conf
sed -i 's/^LF_SSH_EMAIL_ALERT =.*/LF_SSH_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_WEBMIN_EMAIL_ALERT =.*/LF_WEBMIN_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_ALERT =.*/LF_QUEUE_ALERT = "2000"/g' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_INTERVAL =.*/LF_QUEUE_INTERVAL = "300"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_ALERT =.*/RT_RELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_LIMIT =.*/RT_RELAY_LIMIT = "500"/g' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_BLOCK =.*/RT_RELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_ALERT =.*/RT_AUTHRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_LIMIT =.*/RT_AUTHRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_BLOCK =.*/RT_AUTHRELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_ALERT =.*/RT_POPRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_LIMIT =.*/RT_POPRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_BLOCK =.*/RT_POPRELAY_BLOCK = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_ALERT =.*/RT_LOCALRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_LIMIT =.*/RT_LOCALRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_ALERT =.*/RT_LOCALHOSTRELAY_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_LIMIT =.*/RT_LOCALHOSTRELAY_LIMIT = "100"/g' /etc/csf/csf.conf
sed -i 's/^RT_ACTION =.*/RT_ACTION = ""/g' /etc/csf/csf.conf
sed -i 's/^CT_EMAIL_ALERT =.*/CT_EMAIL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERPROC =.*/PT_USERPROC = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERMEM.*/PT_USERMEM = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERRSS.*/PT_USERRSS = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERTIME.*/PT_USERTIME = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_USERKILL_ALERT.*/PT_USERKILL_ALERT = "0"/g' /etc/csf/csf.conf
sed -i 's/^PT_LOAD =.*/PT_LOAD = "0"/g' /etc/csf/csf.conf
sed -i 's/^UI_USER =.*/UI_USER = "asjdbhjbadiywbhww"/g' /etc/csf/csf.conf
sed -i 's/^UI_PASS =.*/UI_PASS = "jbnjkebiub2e32qei"/g' /etc/csf/csf.conf
sed -i 's|^HTACCESS_LOG =.*|HTACCESS_LOG = "/usr/local/lsws/logs/error.log"|g' /etc/csf/csf.conf
sed -i 's|^MODSEC_LOG =.*|MODSEC_LOG = "/usr/local/lsws/logs/auditmodsec.log"|g' /etc/csf/csf.conf

The sections below are OS-specific, based on the CentOS 7 and Ubuntu 18 servers I have. If unsure, just check that your server's log files match these. If they do not, adjust the rules carefully to match your configuration before using them.

For Ubuntu-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/auth.log"|g' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/mail.log"|g' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/kern.log"|g' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/syslog"|g' /etc/csf/csf.conf

For CentOS-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/secure"|g' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/secure"|g' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/messages"|g' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/messages"|g' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/messages"|g' /etc/csf/csf.conf


Restart csf and lfd
csf -r

Check if lfd is enabled
service lfd status
or
systemctl status lfd


Once you apply the general rules and the correct host-specific version for your server, you can check that it's working by tailing lfd.log:
tail -f /var/log/lfd.log

It should look something like this if it's working properly:
[root@wcloud:/etc/csf]# tail -f /var/log/lfd.log
Oct 5 11:14:04 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log...
Oct 5 11:24:35 wcloud lfd[7777]: (sshd) Failed SSH login from 190.64.141.18 (UY/Uruguay/r190-64-141-18.ir-static.anteldata.net.uy): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:24:40 wcloud lfd[7787]: (sshd) Failed SSH login from 201.48.4.15 (BR/Brazil/201-048-004-015.static.ctbctelecom.com.br): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:27:35 wcloud lfd[3049]: *Error* Log line flooding/looping in /usr/local/lsws/logs/error.log. Reopening log file
Oct 5 11:27:35 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log...
Oct 5 11:28:50 wcloud lfd[8726]: (sshd) Failed SSH login from 134.175.80.27 (CN/China/-): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:29:10 wcloud lfd[8896]: (sshd) Failed SSH login from 196.44.191.3 (ZW/Zimbabwe/s35931.broadband.yoafrica.com): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:31:35 wcloud lfd[9372]: (sshd) Failed SSH login from 54.38.183.177 (FR/France/177.ip-54-38-183.eu): 10 in the last 3600 secs - *Blocked in csf* for 1800 secs [LF_SSHD]
Oct 5 11:35:21 wcloud lfd[10232]: Incoming IP 222.186.173.238 temporary block removed
Oct 5 11:35:21 wcloud lfd[10232]: Outgoing IP 222.186.173.238 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Incoming IP 49.88.112.77 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Outgoing IP 49.88.112.77 temporary block removed
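As an added example (not from the original post), here is a small POSIX sh helper that does what the one-liners above do, but fails loudly when a directive name does not match (a bare sed -i silently changes nothing in that case) and then checks that every *_LOG path in the resulting csf.conf actually exists before you run csf -r, since lfd cannot watch a log that is not there. The set_directive, get_directive and check_log_paths names and the constructed sample file are mine; the demo works on a temporary copy, never on the live /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Helper functions (names are mine)
# for editing csf.conf the way the one-liners above do, but with checks.

# set_directive FILE KEY VALUE: rewrite 'KEY = "..."' in FILE.
# Returns 1 (and changes nothing) if KEY is not present, instead of silently
# doing nothing like a bare sed -i would.
set_directive() {
    file=$1; key=$2; value=$3
    grep -q "^${key} = " "$file" || { echo "$key: directive not found in $file" >&2; return 1; }
    # '|' as the sed delimiter so log paths containing '/' need no escaping
    sed -i "s|^${key} = .*|${key} = \"${value}\"|" "$file"
}

# get_directive FILE KEY: print the value of KEY without the surrounding quotes.
get_directive() {
    sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1"
}

# check_log_paths FILE: list every *_LOG directive whose file does not exist
# (lfd cannot watch a log that is not there). Returns 1 if any is missing.
check_log_paths() {
    rc=0
    for key in $(sed -n 's/^\([A-Z0-9_]*_LOG\) = .*/\1/p' "$1"); do
        path=$(get_directive "$1" "$key")
        [ -f "$path" ] || { echo "$key -> $path does not exist"; rc=1; }
    done
    return $rc
}

# Demo on a constructed sample (a temp file, never the live /etc/csf/csf.conf),
# applying the Ubuntu mapping from the post.
demo() {
    tmp=$(mktemp)
    printf 'SSHD_LOG = "/var/log/secure"\nSU_LOG = "/var/log/secure"\nLF_SSHD = "5"\n' > "$tmp"
    set_directive "$tmp" SSHD_LOG /var/log/auth.log
    set_directive "$tmp" SU_LOG /var/log/auth.log
    set_directive "$tmp" LF_SSHD 10
    check_log_paths "$tmp" || echo "fix the paths above before running: csf -r"
    rm -f "$tmp"
}
demo
```

To use it on a real server, point the functions at a copy of /etc/csf/csf.conf, run check_log_paths on it, and only then copy it into place and run csf -r.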


Now you should have a way more secure server than the default firewalld or default csf with nothing enabled.

Hope this helps everyone out. Hopefully we can get these good defaults, or a profile, imported upon installation via the WebGUI.
