So I figured I would share this information here, as someone else may find it helpful. I reviewed both CentOS and Ubuntu log paths and figured out how to map them all properly in csf so that lfd and its brute-force protection work when enabled.
Currently, the default csf.conf doesn't do much about brute-force attacks, and neither does firewalld.
With the information below you can quickly adjust csf.conf so that lfd works properly after installing CSF via the WebGUI.
Overview of the log files and how they differ between the two distributions.
CyberPanel control panel access log
/usr/local/lscp/cyberpanel/logs/access.log
CyberPanel control panel error log
/usr/local/lscp/cyberpanel/logs/error.log
CyberPanel control panel stderr log
/usr/local/lscp/cyberpanel/logs/stderr.log
CyberPanel control panel logs and rotated logs
/usr/local/lscp/logs/
Logs for /etc/csf/csf.logfiles and /etc/csf/csf.syslogs
CyberPanel
/home/cyberpanel/error-logs.txt
/usr/local/lscp/cyberpanel/logs/error.log
/usr/local/lscp/cyberpanel/logs/access.log
/usr/local/lscp/cyberpanel/logs/stderr.log
Logs for /etc/csf/csf.syslogs
LiteSpeed/OpenLiteSpeed
/usr/local/lsws/logs/error.log
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/auditmodsec.log
Ubuntu
These files contain the mail logs for Postfix/Dovecot
/var/log/mail.err
/var/log/mail.log
Authentication logs
/var/log/syslog
/var/log/auth.log
iptables log
/var/log/kern.log
CentOS 7
sshd
/var/log/secure
FTP
/var/log/messages
tail -f /var/log/messages
Mail log
/var/log/maillog
As I like to do things quickly rather than editing everything by hand in nano/vi, and wanted something reusable, I set up sed one-liners for each directive I wanted to change.
Use this as a reference to see what these directives do.
https://download.configserver.com/csf/readme.txt
Basically, this disables the excessive email alerts CSF turns on by default and applies a number of other good defaults I have been using for years on my cPanel and other Linux servers.
The first thing you are going to want to do is back up the configuration.
/etc/csf/csf.conf
cp /etc/csf/csf.conf /etc/csf/csf.conf-bak
If something breaks, restore the backup with the following and reload csf.
cp /etc/csf/csf.conf-bak /etc/csf/csf.conf
csf -r
General universal rules
Each pattern is anchored with ^ so only the directive line itself is rewritten, not the comment lines in csf.conf that mention it. Make sure the quotes come through as plain ASCII double quotes when you copy these; if the forum renders them as curly quotes csf will not read the values. A few notes on what these change: RESTRICT_SYSLOG = "3" restricts the syslog/rsyslog UNIX sockets to the group named in RESTRICT_SYSLOG_GROUP, which stops a local user from writing fake log lines to get arbitrary IPs blocked by lfd, so after enabling it confirm that anything that needs to log to syslog still can. The PT_* = "0" lines turn off lfd's process tracking of user processes; drop them if you want to keep that monitoring. UI_USER and UI_PASS are placeholders, substitute your own values; they are only used if you enable the csf web UI (UI = "1"). HTACCESS_LOG and MODSEC_LOG are pointed at the OpenLiteSpeed logs, but lfd's LF_HTACCESS and LF_MODSEC patterns were written against Apache and mod_security log formats, so if those triggers never appear in lfd.log compare the OpenLiteSpeed lines with the patterns in /usr/local/csf/bin/regex.pm and add your own in /usr/local/csf/bin/regex.custom.pm.
sed -i 's/^RESTRICT_SYSLOG =.*/RESTRICT_SYSLOG = "3"/' /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT =.*/LF_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^LF_PERMBLOCK_ALERT =.*/LF_PERMBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^LF_NETBLOCK_ALERT =.*/LF_NETBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^LF_TRIGGER_PERM =.*/LF_TRIGGER_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_SSHD =.*/LF_SSHD = "10"/' /etc/csf/csf.conf
sed -i 's/^LF_SSHD_PERM =.*/LF_SSHD_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_FTPD_PERM =.*/LF_FTPD_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH =.*/LF_SMTPAUTH = "10"/' /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH_PERM =.*/LF_SMTPAUTH_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_POP3D =.*/LF_POP3D = "10"/' /etc/csf/csf.conf
sed -i 's/^LF_POP3D_PERM =.*/LF_POP3D_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD =.*/LF_IMAPD = "10"/' /etc/csf/csf.conf
sed -i 's/^LF_IMAPD_PERM =.*/LF_IMAPD_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_HTACCESS_PERM =.*/LF_HTACCESS_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC =.*/LF_MODSEC = "10"/' /etc/csf/csf.conf
sed -i 's/^LF_MODSEC_PERM =.*/LF_MODSEC_PERM = "1800"/' /etc/csf/csf.conf
sed -i 's/^LF_SSH_EMAIL_ALERT =.*/LF_SSH_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^LF_WEBMIN_EMAIL_ALERT =.*/LF_WEBMIN_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_ALERT =.*/LF_QUEUE_ALERT = "2000"/' /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_INTERVAL =.*/LF_QUEUE_INTERVAL = "300"/' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_ALERT =.*/RT_RELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_LIMIT =.*/RT_RELAY_LIMIT = "500"/' /etc/csf/csf.conf
sed -i 's/^RT_RELAY_BLOCK =.*/RT_RELAY_BLOCK = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_ALERT =.*/RT_AUTHRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_LIMIT =.*/RT_AUTHRELAY_LIMIT = "100"/' /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_BLOCK =.*/RT_AUTHRELAY_BLOCK = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_ALERT =.*/RT_POPRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_LIMIT =.*/RT_POPRELAY_LIMIT = "100"/' /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_BLOCK =.*/RT_POPRELAY_BLOCK = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_ALERT =.*/RT_LOCALRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_LIMIT =.*/RT_LOCALRELAY_LIMIT = "100"/' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_ALERT =.*/RT_LOCALHOSTRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_LIMIT =.*/RT_LOCALHOSTRELAY_LIMIT = "100"/' /etc/csf/csf.conf
sed -i 's/^RT_ACTION =.*/RT_ACTION = ""/' /etc/csf/csf.conf
sed -i 's/^CT_EMAIL_ALERT =.*/CT_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_USERPROC =.*/PT_USERPROC = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_USERMEM =.*/PT_USERMEM = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_USERRSS =.*/PT_USERRSS = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_USERTIME =.*/PT_USERTIME = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_USERKILL_ALERT =.*/PT_USERKILL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/^PT_LOAD =.*/PT_LOAD = "0"/' /etc/csf/csf.conf
sed -i 's/^UI_USER =.*/UI_USER = "asjdbhjbadiywbhww"/' /etc/csf/csf.conf
sed -i 's/^UI_PASS =.*/UI_PASS = "jbnjkebiub2e32qei"/' /etc/csf/csf.conf
sed -i 's|^HTACCESS_LOG =.*|HTACCESS_LOG = "/usr/local/lsws/logs/error.log"|' /etc/csf/csf.conf
sed -i 's|^MODSEC_LOG =.*|MODSEC_LOG = "/usr/local/lsws/logs/auditmodsec.log"|' /etc/csf/csf.conf
The sections below are OS-specific, based on the CentOS 7 and Ubuntu 18 servers I have. If unsure, check that your server's log files match these before using them, and adjust the rules carefully to match your configuration if they do not. The quickest check is to grep each candidate file for the daemon's syslog tag and see which one actually contains its lines:
grep -l 'sshd\[' /var/log/auth.log /var/log/secure
grep -l pure-ftpd /var/log/auth.log /var/log/syslog /var/log/messages
grep -l 'postfix/smtpd\[' /var/log/mail.log /var/log/maillog
FTPD_LOG in particular depends on the syslog facility pure-ftpd is configured with: with the stock rsyslog routing, the ftp facility ends up in /var/log/syslog on Ubuntu and /var/log/messages on CentOS, so verify which file your FTP lines land in before trusting the value below.
For Ubuntu-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/auth.log"|' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/auth.log"|' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/auth.log"|' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/mail.log"|' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/mail.log"|' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/mail.log"|' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/kern.log"|' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/syslog"|' /etc/csf/csf.conf
For CentOS-based CyberPanel with CSF
sed -i 's|^SSHD_LOG =.*|SSHD_LOG = "/var/log/secure"|' /etc/csf/csf.conf
sed -i 's|^SU_LOG =.*|SU_LOG = "/var/log/secure"|' /etc/csf/csf.conf
sed -i 's|^FTPD_LOG =.*|FTPD_LOG = "/var/log/messages"|' /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.*|POP3D_LOG = "/var/log/maillog"|' /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.*|SMTPAUTH_LOG = "/var/log/maillog"|' /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.*|IMAPD_LOG = "/var/log/maillog"|' /etc/csf/csf.conf
sed -i 's|^IPTABLES_LOG =.*|IPTABLES_LOG = "/var/log/messages"|' /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.*|SYSLOG_LOG = "/var/log/messages"|' /etc/csf/csf.conf
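The OS-specific mapping above comes down to one question per directive: which file is the daemon actually writing to on this box? The script below is an added example (mine, not part of the original post and not CSF's own tooling) that answers that with grep before writing each *_LOG directive, wraps the sed edit so that a mistyped directive fails instead of silently doing nothing, and picks the Ubuntu or CentOS list from /etc/os-release. The function names, the candidate file lists per daemon, the RHEL-clone IDs in the second case branch and the --apply flag are my own; it assumes GNU sed, an rsyslog-style layout with "prog[pid]:" or "prog:" tags, and the pure-ftpd/Postfix/Dovecot stack CyberPanel installs.

```shell
#!/bin/sh
# Added example: csf.conf edits with a sanity check on every *_LOG path.
# CSF_CONF can be overridden to test against a copy of the config.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_set KEY VALUE: rewrite the 'KEY = "..."' line. The '^' anchor leaves
# comment lines that mention KEY alone; '|' is the sed delimiter so paths
# need no escaping (VALUE must not contain '|' or '&'). Fails if KEY is
# absent, so a typo in the directive name cannot silently do nothing.
csf_set() {
    local key="$1" val="$2"
    grep -q "^${key} = " "$CSF_CONF" || {
        echo "csf_set: ${key} not found in ${CSF_CONF}" >&2
        return 1
    }
    sed -i "s|^${key} = .*|${key} = \"${val}\"|" "$CSF_CONF"
}

# csf_get KEY: print the current value of KEY without its quotes.
csf_get() {
    sed -n "s|^$1 = \"\(.*\)\"|\1|p" "$CSF_CONF"
}

# find_log_for TAG FILE...: print the first readable file containing lines
# from syslog program TAG (sshd, su, pure-ftpd, postfix/smtpd, dovecot).
find_log_for() {
    local tag="$1" f
    shift
    for f in "$@"; do
        if [ -r "$f" ] && grep -qE " ${tag}(\[|:)" "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# set_log KEY TAG FILE...: point KEY at whichever candidate really carries
# TAG. On a fresh server the daemon may not have logged anything yet; then
# fall back to the first candidate, say so, and re-run later to confirm.
set_log() {
    local key="$1" tag="$2" f
    shift 2
    if f=$(find_log_for "$tag" "$@"); then
        csf_set "$key" "$f"
    else
        echo "set_log: no '${tag}' lines in any candidate yet, defaulting ${key} to $1" >&2
        csf_set "$key" "$1"
    fi
}

# apply_lfd_mapping: the OS-specific section, chosen from /etc/os-release.
# Candidate lists follow the log overview above; the almalinux/rocky IDs
# are an assumption of this example, not something the post covers.
apply_lfd_mapping() {
    local os_id
    os_id=$(. /etc/os-release 2>/dev/null && echo "${ID:-}")
    case "$os_id" in
        ubuntu|debian)
            set_log SSHD_LOG sshd /var/log/auth.log
            set_log SU_LOG su /var/log/auth.log
            set_log FTPD_LOG pure-ftpd /var/log/auth.log /var/log/syslog
            set_log SMTPAUTH_LOG postfix/smtpd /var/log/mail.log
            set_log POP3D_LOG dovecot /var/log/mail.log
            set_log IMAPD_LOG dovecot /var/log/mail.log
            csf_set IPTABLES_LOG /var/log/kern.log
            csf_set SYSLOG_LOG /var/log/syslog
            ;;
        centos|rhel|almalinux|rocky)
            set_log SSHD_LOG sshd /var/log/secure
            set_log SU_LOG su /var/log/secure
            set_log FTPD_LOG pure-ftpd /var/log/messages /var/log/secure
            set_log SMTPAUTH_LOG postfix/smtpd /var/log/maillog
            set_log POP3D_LOG dovecot /var/log/maillog
            set_log IMAPD_LOG dovecot /var/log/maillog
            csf_set IPTABLES_LOG /var/log/messages
            csf_set SYSLOG_LOG /var/log/messages
            ;;
        *)
            echo "apply_lfd_mapping: unknown OS id '${os_id}', map the *_LOG directives by hand" >&2
            return 1
            ;;
    esac
}

# Only touch the live config when explicitly asked: back it up, map, reload.
if [ "${1:-}" = "--apply" ]; then
    cp "$CSF_CONF" "${CSF_CONF}-bak" && apply_lfd_mapping && csf -r
fi
```

Run it as `sh map-csf-logs.sh --apply` on the server; without the flag it only defines the functions, so you can source it and call `csf_get SSHD_LOG` or `find_log_for pure-ftpd /var/log/syslog /var/log/auth.log` by hand first.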
Restart csf and lfd
csf -r
Check if lfd is enabled
service lfd status
or
systemctl status lfd
Once you have applied the general rules and the correct OS-specific set for your server, check that it is working by tailing lfd.log.
tail -f /var/log/lfd.log
If it is working properly it should look something like this:
[root@wcloud:/etc/csf]# tail -f /var/log/lfd.log
Oct 5 11:14:04 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log…
Oct 5 11:24:35 wcloud lfd[7777]: (sshd) Failed SSH login from 190.64.141.18 (UY/Uruguay/r190-64-141-18.ir-static.anteldata.net.uy): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:24:40 wcloud lfd[7787]: (sshd) Failed SSH login from 201.48.4.15 (BR/Brazil/201-048-004-015.static.ctbctelecom.com.br): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:27:35 wcloud lfd[3049]: Error Log line flooding/looping in /usr/local/lsws/logs/error.log. Reopening log file
Oct 5 11:27:35 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log…
Oct 5 11:28:50 wcloud lfd[8726]: (sshd) Failed SSH login from 134.175.80.27 (CN/China/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:29:10 wcloud lfd[8896]: (sshd) Failed SSH login from 196.44.191.3 (ZW/Zimbabwe/s35931.broadband.yoafrica.com): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:31:35 wcloud lfd[9372]: (sshd) Failed SSH login from 54.38.183.177 (FR/France/177.ip-54-38-183.eu): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:35:21 wcloud lfd[10232]: Incoming IP 222.186.173.238 temporary block removed
Oct 5 11:35:21 wcloud lfd[10232]: Outgoing IP 222.186.173.238 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Incoming IP 49.88.112.77 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Outgoing IP 49.88.112.77 temporary block removed
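To go beyond eyeballing the tail output, here is an added example (mine, not from the original post) that reads lfd.log and answers three questions: which triggers have actually fired, whether the block length really is the 1800 seconds set above, and which IPs have come back after a temporary block expired. It assumes the lfd.log line format shown above and IPv4 addresses; the sample lines embedded in it are constructed with RFC 5737 addresses, and the function names and the --demo flag are my own.

```shell
#!/bin/sh
# Added example: summarise lfd.log to confirm the brute-force triggers work.
LFD_LOG="${LFD_LOG:-/var/log/lfd.log}"

# Constructed sample in the lfd.log format shown above (not real traffic).
lfd_sample_log() {
cat <<'EOF'
Oct  5 11:14:04 host lfd[3049]: Watching /usr/local/lsws/logs/error.log...
Oct  5 11:24:35 host lfd[7777]: (sshd) Failed SSH login from 198.51.100.10 (XX/Example/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct  5 11:24:40 host lfd[7787]: (sshd) Failed SSH login from 198.51.100.11 (XX/Example/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct  5 11:30:02 host lfd[8001]: (smtpauth) Failed SMTP AUTH login from 203.0.113.7 (XX/Example/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SMTPAUTH]
Oct  5 11:35:21 host lfd[10232]: Incoming IP 198.51.100.10 temporary block removed
Oct  5 11:35:21 host lfd[10232]: Outgoing IP 198.51.100.10 temporary block removed
Oct  5 11:55:10 host lfd[11045]: (sshd) Failed SSH login from 198.51.100.10 (XX/Example/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
EOF
}

# lfd_block_summary [FILE]: one line per trigger, "TRIGGER blocks distinct_ips".
# A trigger you expect but never see here was either not tripped or is
# watching the wrong log file, which is exactly what the *_LOG mapping fixes.
lfd_block_summary() {
    awk '
        /Blocked in csf/ {
            trig = $NF; gsub(/\[|\]/, "", trig)      # "[LF_SSHD]" -> "LF_SSHD"
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            blocks[trig]++
            if (!((trig, ip) in seen)) { seen[trig, ip] = 1; ips[trig]++ }
        }
        END { for (t in blocks) printf "%s %d %d\n", t, blocks[t], ips[t] }
    ' "${1:-$LFD_LOG}" | sort
}

# lfd_block_durations [FILE]: "SECS count" for each block length seen, so a
# *_PERM value that did not take effect stands out immediately.
lfd_block_durations() {
    sed -n 's/.*Blocked in csf for \([0-9][0-9]*\) secs.*/\1/p' "${1:-$LFD_LOG}" \
        | sort -n | uniq -c | awk '{ print $2, $1 }'
}

# lfd_repeat_offenders [FILE]: "IP count" for IPs blocked more than once, i.e.
# ones that returned after a temporary block expired; candidates for csf.deny
# or for a longer *_PERM.
lfd_repeat_offenders() {
    sed -n 's/.*login from \([0-9.]*\) .*Blocked in csf.*/\1/p' "${1:-$LFD_LOG}" \
        | sort | uniq -c | awk '$1 > 1 { print $2, $1 }'
}

# Run against the embedded sample with --demo; otherwise call the functions
# on the live log, e.g. lfd_block_summary /var/log/lfd.log.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && lfd_sample_log > "$tmp"
    echo "blocks per trigger:"; lfd_block_summary "$tmp"
    echo "block durations:";    lfd_block_durations "$tmp"
    echo "repeat offenders:";   lfd_repeat_offenders "$tmp"
    rm -f "$tmp"
fi
```

On the sample, the summary reports LF_SSHD with three blocks across two IPs and LF_SMTPAUTH with one, every block is 1800 seconds, and 198.51.100.10 shows up as the one address that came back after its block was removed.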
Now you should have a far more secure server than with the default firewalld or a default csf with nothing enabled.
Hope this helps everyone out. Hopefully we can get these good defaults, or a profile, imported on installation via the WebGUI.