CSF settings and log paths for lfd integration from the CLI

So figured I would share this information here as someone else may find it helpful. I reviewed both Centos and Ubuntu log paths and figured out how to map them all properly in csf so that lfd and whatnot works for bruteforce protection when its enabled.

Currently, the default doesn’t do much good neither does firewalld about bruteforce attacks.

With the below information you can rapidly adjust the csf.conf and lfd to work properly after installing via the WebGUI.

Overview of log files and difference.

Cyberpanel Control Panel Accesslog
/usr/local/lscp/cyberpanel/logs/access.log

Cyberpanel Control Panel errorlog
/usr/local/lscp/cyberpanel/logs/error.log

Cyberpanel Control Panel stderr.log
/usr/local/lscp/cyberpanel/logs/stderr.log

Cyberpanel Control Panel logs and rotated logs.
/usr/local/lscp/logs/

csf.logfiles csf.syslogs

CyberPanel

/home/cyberpanel/error-logs.txt
/usr/local/lscp/cyberpanel/logs/error.log
/usr/local/lscp/cyberpanel/logs/access.log
/usr/local/lscp/cyberpanel/logs/stderr.log

csf.syslogs

Litespeed/Openlitespeed

/usr/local/lsws/logs/error.log
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/auditmodsec.log

Ubuntu
This file contain email logs for postfix/dovecot
/var/log/mail.err
/var/log/mail.log

Auth
/var/log/syslog
/var/log/auth.log

Iptables log
/var/log/kern.log

Centos 7

sshd
/var/log/secure

FTP
/var/log/messages
tail -f /var/log/messages

Maillog
/var/log/maillog

As I like to do stuff rapidly vs doing it all by hand in nano/vi and wanted to reuse. I setup oneliners with sed for each directive I wanted to change.

Use this as a reference to see what these directives do.
https://download.configserver.com/csf/readme.txt

Basically, this disables the excessive alerts CSF defaults too being on and a number of other good defaults i have been using for years on my cPanel and other linux servers.

The first thing you’re going to want to do is backup the configuration.
/etc/csf/csf.conf

cp /etc/csf/csf.conf /etc/csf/csf.conf-bak

If something is broken you can then do the below to reverse it.
cp /etc/csf/csf.conf-bak /etc/csf/csf.conf
csf -r

General universal rules

sed -i ‘s/^RESTRICT_SYSLOG =./RESTRICT_SYSLOG = “3”/g’ /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT.
/LF_EMAIL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_PERMBLOCK_ALERT./LF_PERMBLOCK_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i 's/^LF_NETBLOCK_ALERT.
/LF_NETBLOCK_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_TRIGGER_PERM./LF_TRIGGER_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i 's/^LF_EMAIL_ALERT.
/LF_EMAIL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_SSHD =./LF_SSHD = “10”/g’ /etc/csf/csf.conf
sed -i 's/^LF_SSHD_PERM =.
/LF_SSHD_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_FTPD_PERM =./LF_FTPD_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i 's/^LF_SMTPAUTH =.
/LF_SMTPAUTH = “10”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_SMTPAUTH_PERM =./LF_SMTPAUTH_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i 's/^LF_POP3D =.
/LF_POP3D = “10”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_POP3D_PERM =./LF_POP3D_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i 's/^LF_IMAPD =.
/LF_IMAPD = “10”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_IMAPD_PERM =./LF_IMAPD_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i 's/^LF_HTACCESS_PERM =.
/LF_HTACCESS_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_MODSEC =./LF_MODSEC = “10”/g’ /etc/csf/csf.conf
sed -i 's/^LF_MODSEC_PERM =.
/LF_MODSEC_PERM = “1800”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_SSH_EMAIL_ALERT =./LF_SSH_EMAIL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i 's/^LF_WEBMIN_EMAIL_ALERT =.
/LF_WEBMIN_EMAIL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^LF_QUEUE_ALERT =./LF_QUEUE_ALERT = “2000”/g’ /etc/csf/csf.conf
sed -i 's/^LF_QUEUE_INTERVAL =.
/LF_QUEUE_INTERVAL = “300”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_RELAY_ALERT =./RT_RELAY_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i 's/^RT_RELAY_LIMIT =.
/RT_RELAY_LIMIT = “500”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_RELAY_BLOCK =./RT_RELAY_BLOCK = “0”/g’ /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_ALERT =.
/RT_AUTHRELAY_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_AUTHRELAY_LIMIT =./RT_AUTHRELAY_LIMIT = “100”/g’ /etc/csf/csf.conf
sed -i 's/^RT_AUTHRELAY_BLOCK =.
/RT_AUTHRELAY_BLOCK = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_POPRELAY_ALERT =./RT_POPRELAY_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i 's/^RT_POPRELAY_LIMIT =.
/RT_POPRELAY_LIMIT = “100”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_POPRELAY_BLOCK =./RT_POPRELAY_BLOCK = “0”/g’ /etc/csf/csf.conf
sed -i 's/^RT_LOCALRELAY_ALERT =.
/RT_LOCALRELAY_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_LOCALRELAY_LIMIT =./RT_LOCALRELAY_LIMIT = “100”/g’ /etc/csf/csf.conf
sed -i 's/^RT_LOCALHOSTRELAY_ALERT =.
/RT_LOCALHOSTRELAY_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^RT_LOCALHOSTRELAY_LIMIT =./RT_LOCALHOSTRELAY_LIMIT = “100”/g’ /etc/csf/csf.conf
sed -i 's/^RT_ACTION =.
/RT_ACTION = “”/g’ /etc/csf/csf.conf
sed -i ‘s/^CT_EMAIL_ALERT =./CT_EMAIL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i 's/^PT_USERPROC =.
/PT_USERPROC = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^PT_USERMEM./PT_USERMEM = “0”/g’ /etc/csf/csf.conf
sed -i 's/^PT_USERRSS.
/PT_USERRSS = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^PT_USERTIME./PT_USERTIME = “0”/g’ /etc/csf/csf.conf
sed -i 's/^PT_USERKILL_ALERT.
/PT_USERKILL_ALERT = “0”/g’ /etc/csf/csf.conf
sed -i ‘s/^PT_LOAD =./PT_LOAD = “0”/g’ /etc/csf/csf.conf
sed -i 's/^UI_USER =.
/UI_USER = “asjdbhjbadiywbhww”/g’ /etc/csf/csf.conf
sed -i ‘s/^UI_PASS =./UI_PASS = “jbnjkebiub2e32qei”/g’ /etc/csf/csf.conf
sed -i 's|^HTACCESS_LOG =.
|HTACCESS_LOG = “/usr/local/lsws/logs/error.log”|g’ /etc/csf/csf.conf
sed -i ‘s|^MODSEC_LOG =.*|MODSEC_LOG = “/usr/local/lsws/logs/auditmodsec.log”|g’ /etc/csf/csf.conf

The below sections are OS-specific based on the Centos 7 and Ubuntu 18 servers I have. If unsure just check that your server logs files match these. If they do not adjust the rules carefully before using to match your configuration.

For Ubuntu base Cyberpanel with CSF
sed -i ‘s|^SSHD_LOG =.|SSHD_LOG = “/var/log/auth.log”|g’ /etc/csf/csf.conf
sed -i 's|^SU_LOG =.
|SU_LOG = “/var/log/auth.log”|g’ /etc/csf/csf.conf
sed -i ‘s|^FTPD_LOG =.|FTPD_LOG = “/var/log/auth.log”|g’ /etc/csf/csf.conf
sed -i 's|^SMTPAUTH_LOG =.
|SMTPAUTH_LOG = “/var/log/mail.log”|g’ /etc/csf/csf.conf
sed -i ‘s|^POP3D_LOG =.|POP3D_LOG = “/var/log/mail.log”|g’ /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.
|IMAPD_LOG = “/var/log/mail.log”|g’ /etc/csf/csf.conf
sed -i ‘s|^IPTABLES_LOG =.|IPTABLES_LOG = “/var/log/kern.log”|g’ /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.
|SYSLOG_LOG = “/var/log/syslog”|g’ /etc/csf/csf.conf

For Centos based Cyberpanel with CSF
sed -i ‘s|^SSHD_LOG =.|SSHD_LOG = “/var/log/secure”|g’ /etc/csf/csf.conf
sed -i 's|^SU_LOG =.
|SU_LOG = “/var/log/secure”|g’ /etc/csf/csf.conf
sed -i ‘s|^FTPD_LOG =.|FTPD_LOG = “/var/log/messages”|g’ /etc/csf/csf.conf
sed -i 's|^POP3D_LOG =.
|POP3D_LOG = “/var/log/maillog”|g’ /etc/csf/csf.conf
sed -i ‘s|^SMTPAUTH_LOG =.|SMTPAUTH_LOG = “/var/log/maillog”|g’ /etc/csf/csf.conf
sed -i 's|^IMAPD_LOG =.
|IMAPD_LOG = “/var/log/maillog”|g’ /etc/csf/csf.conf
sed -i ‘s|^IPTABLES_LOG =.|IPTABLES_LOG = “/var/log/messages”|g’ /etc/csf/csf.conf
sed -i 's|^SYSLOG_LOG =.
|SYSLOG_LOG = “/var/log/messages”|g’ /etc/csf/csf.conf

Restart csf and lfd
csf -r

Check if lfd is enabled
service lfd status
or
systemctl status lfd

Once you apply the general rules and the correct host specific version for your server you can then check if its working by tailing the lfd.log.
tail -f /var/log/lfd.log

It should look something like this if its working properly as.
[root@wcloud:/etc/csf]# tail -f /var/log/lfd.log
Oct 5 11:14:04 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log…
Oct 5 11:24:35 wcloud lfd[7777]: (sshd) Failed SSH login from 190.64.141.18 (UY/Uruguay/r190-64-141-18.ir-static.anteldata.net.uy): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:24:40 wcloud lfd[7787]: (sshd) Failed SSH login from 201.48.4.15 (BR/Brazil/201-048-004-015.static.ctbctelecom.com.br): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:27:35 wcloud lfd[3049]: Error Log line flooding/looping in /usr/local/lsws/logs/error.log. Reopening log file
Oct 5 11:27:35 wcloud lfd[3049]: Watching /usr/local/lsws/logs/error.log…
Oct 5 11:28:50 wcloud lfd[8726]: (sshd) Failed SSH login from 134.175.80.27 (CN/China/-): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:29:10 wcloud lfd[8896]: (sshd) Failed SSH login from 196.44.191.3 (ZW/Zimbabwe/s35931.broadband.yoafrica.com): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:31:35 wcloud lfd[9372]: (sshd) Failed SSH login from 54.38.183.177 (FR/France/177.ip-54-38-183.eu): 10 in the last 3600 secs - Blocked in csf for 1800 secs [LF_SSHD]
Oct 5 11:35:21 wcloud lfd[10232]: Incoming IP 222.186.173.238 temporary block removed
Oct 5 11:35:21 wcloud lfd[10232]: Outgoing IP 222.186.173.238 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Incoming IP 49.88.112.77 temporary block removed
Oct 5 11:39:11 wcloud lfd[10983]: Outgoing IP 49.88.112.77 temporary block removed

Now you should have a way more secure server then the default firewalld or default csf with nothing enabled.

Hope this helps everyone out. Hopefully we can these good defaults or a profile imported upon installation via the webgui

2 Likes

Thank you, my server load went down after getting hammered by bots.

Glad to hear it. I submitted a commit so these are hopefully the new defaults upon install.

File:
https://github.com/usmannasir/cyberpanel/blob/1.8.0/plogical/csf.py

Commit submitted:

Just an update on this. I was able to code some more modifications to enable the native CSF web UI to be enabled on port: 1025. The default port 6666 is blocked in Chrome/Firefox so this port was not used.

If there is a signed SSL for the hostname installed already it will automatically use that for the SSL for CSF.

That magic happens due to these symlinks.
ln -s /usr/local/lscp/conf/cert.pem /etc/csf/ui/server.crt
ln -s /usr/local/lscp/conf/key.pem /etc/csf/ui/server.key

Tested on both Ubuntu and Centos.

After CSF is installed you can access the webui via hostname/IP.
https://hostname:1025/
https://IP:1025/

Default username:
cyberpanel

Default password:
csfadmin1234567

To change the default username or password this can be done via the CLI. See the below examples and replace them with your desired username and password.

To change username:
sed -i ‘s/^UI_USER =.*/UI_USER = “YourNewUserNameHere”/g’ /etc/csf/csf.conf

To change password:
sed -i ‘s/^UI_PASS =.*/UI_PASS = “YourNewPasswordHere”/g’ /etc/csf/csf.conf

Once updated use the below command to restart all.
csf -ra

If you see CSF is enabled but it’s not showing on the WebUI port you might need to also run command the above command after install. I coded this in as i noticed it needs to be run after installation to allow the WebUI to properly load but sometimes it needs to be done manually again.

This will give you all the advanced functionality to tail logs live in browser etc.

Optional Security recommendations.

Currently, it will allow anyone to visit this page. If they fail logins it will block them which is not a huge deal, but restricting this to your IP or a VPN management IP will add some extra protection to the webui.

Adding your IP or IP’s to the below file will allow you to put it back into whitelist mode and prevent any IP’s not listed from loading the page.
/etc/csf/ui/ui.allow

echo “YOUR_PUBLIC_IP_ADDRESS” >> /etc/csf/ui/ui.allow

To turn that protection back on the below can be used.
sed -i ‘s/^UI_ALLOW =.*/UI_ALLOW = “1”/g’ /etc/csf/csf.conf
csf -ra

Source reference links:

@whattheserver do i need to reinstall csf from cyberpanel to get the ui enabled?

yeah, that’s the easiest way. If you have a lot of custom modifications you may want to backup your csf.conf outside of the /etc/csf/ directory as it deletes it all during the uninstall.

cp /etc/csf/csf.conf /root/csf.conf

You could also use the below commands to modify the different things manually vs uninstalling.

Mv the default ssl keys out of the way and create the symlinks.
mv /etc/csf/ui/server.crt /etc/csf/ui/server.crt-bak; ln -s /usr/local/lscp/conf/cert.pem /etc/csf/ui/server.crt;
mv /etc/csf/ui/server.key /etc/csf/ui/server.key-bak; ln -s /usr/local/lscp/conf/key.pem /etc/csf/ui/server.key;

Specify your username and password in the below you want it to use
sed -i ‘s/^UI_USER =./UI_USER = “username”/g’ /etc/csf/csf.conf
sed -i 's/^UI_PASS =.
/UI_PASS = “password”/g’ /etc/csf/csf.conf

Enable UI UI port and disable
sed -i ‘s/^UI =./UI = “1”/g’ /etc/csf/csf.conf
sed -i 's/^UI_PORT =.
/UI_PORT = “1025”/g’ /etc/csf/csf.conf
sed -i ‘s/^UI_ALLOW =.*/UI_ALLOW = “0”/g’ /etc/csf/csf.conf

csf -ra

Check
https://hostname:1025

Thanks @whattheserver

So is this still valid?

You can use the ldapmodify utility to modify the parameters in the cn=config subtree that control the Directory Server logging.

@whattheserver thanks for writing this up! I just installed the CSF module in cyberpanel today. Are these instructions still relevant?