cPanel and lfd IP block messages
Hello,
Every time an attempt is made to login to my server, I receive two messages as in the following examples -
One will come from cPanel -
5 failed login attempts to account mydomain (system) -- Large number of attempts from this IP: 91.201.244.50
Origin Country: Ukraine (UA)
Please use the following links to add to the black list:
Single IP:
/16:
/24:
And then another one from root@hostname.mydomain.com with the subject line - lfd on hostname.mydomain.com: blocked 91.201.244.50 (UA/Ukraine/-)
Time: Fri Oct 24 06:25:44 2014 +0100
IP: 91.201.244.50 (UA/Ukraine/-)
Failures: 10 (ftpd)
Interval: 3600 seconds
Blocked: Permanent Block
Two questions arise from this.
1. As the second email is reporting a permanent block of the IP address, I assume there is no need to click any links in the first email adding the IP to the blacklist?
2. If the IPs are automatically blocked or banned, is there any way to stop these notifications and just be advised of successful logins?
Hope someone can advise. :)
1. Correct, if the server is already blocking it you don't need to block manually.
2. Set LF_PERMBLOCK_ALERT = "0" in csf.conf or via WHM. There are other alert settings you can review as well.
Great. Thanks for the assistance and advice. :)
Hello :) I just want to point out that you can review some changes that will occur with cPhulk in cPanel version 11.48 at: cPHulkd to better mitigate Brute Force Attacks | cPanel Feature Requests (http://features.cpanel.net/responses/as-a-server-administrator-i-want-cphulkd-to-better-mitigate-brute-force-attacks-so-that-i-can-enhance-security-on-my-system) Thank you.
Set LF_PERMBLOCK_ALERT = "0" in csf.conf or via WHM. There are other alert settings you can review as well.
I did but still receive emails about permanent block IPs. Any more ideas?
Could you verify which email notification you received? Thank you.
Did you fully restart CSF/LFD via WHM after making the change? Just restarting CSF will not make the change effective.
I understand CSF/LFD restarted after change setting via WHM
Could you verify the email you are receiving is actually from CSF/LFD? Are you sure it's the same email reported by the original poster? Thank you.
This is the email:
lfd on server.xxxxxx.com: blocked 000.000.000.000 (ID/Indonesia/-)
Time: Wed Nov 11 22:42:32 2015 -0700
IP: 000.000.000.000 (ID/Indonesia/-)
Failures: 5 (ftpd)
Interval: 3600 seconds
Blocked: Permanent Block
Log entries:
Nov 11 22:41:57 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
Nov 11 22:42:03 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
Nov 11 22:42:11 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
Nov 11 22:42:23 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
Nov 11 22:42:29 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
--------------------------------------
// 000.000.000.000 is IP address
Your options are located in this section of CSF: Login Failure Blocking and Alerts
My /etc/csf/csf.conf shows:
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "0"
However, I still continue receiving:
lfd on myhost: blocked 223.255.28.203 (CN/China/-)
Para: root@myhost
Time: Wed Mar 10 19:37:46 2021 +0000
IP: 223.255.28.203 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Mar 10 19:24:09 todo sshd[48532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203 user=root
Mar 10 19:24:11 todo sshd[48532]: Failed password for root from 223.255.28.203 port 60965 ssh2
Mar 10 19:34:57 todo sshd[48856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203 user=root
Mar 10 19:34:59 todo sshd[48856]: Failed password for root from 223.255.28.203 port 54020 ssh2
Mar 10 19:37:42 todo sshd[49092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203 user=root
What can I do BEFORE GMAIL marks my IP as SPAM?
@000 - if you're seeing configuration options in CSF that aren't working how you expect, it might be best to speak with CSF's support team directly at ConfigServer Technical Support or reach out through their forums directly at ConfigServer Community Forum - Index page
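One way to act on the advice above to review the other alert settings, added here as an example that is not part of the original thread or CSF's own code: it lists every setting ending in _ALERT that is still enabled in a csf.conf-style file and extracts the trigger tag (such as [LF_SSHD]) from an lfd alert. The function names are hypothetical, and the sample config is constructed from the lines quoted in the thread plus LF_EMAIL_ALERT with an assumed value.

```python
import re

# Constructed csf.conf excerpt: the LF_PERMBLOCK* lines are those quoted in the
# thread; LF_EMAIL_ALERT is another csf.conf setting, its value assumed here.
SAMPLE_CONF = """\
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "0"
LF_EMAIL_ALERT = "1"
"""
# Header of the lfd alert quoted in the thread (log entries left out).
SAMPLE_ALERT = """\
Time: Wed Mar 10 19:37:46 2021 +0000
IP: 223.255.28.203 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
"""
CONF_LINE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Return {KEY: value} for each uncommented KEY = "value" line."""
    return {m.group(1): m.group(2)
            for m in map(CONF_LINE.match, text.splitlines()) if m}

def enabled_alerts(settings):
    """Names ending in _ALERT whose value is neither "0" nor empty."""
    return sorted(k for k, v in settings.items()
                  if k.endswith("_ALERT") and v not in ("", "0"))

def parse_alert(text):
    """Pull IP, failure count, service, block type and trigger tag from an alert."""
    f = dict(re.findall(r"^(\w+):[ \t]*(.+)$", text, re.M))
    fails = re.match(r"(\d+)\s*\((\w+)\)", f["Failures"])
    tag = re.search(r"\[(\w+)\]", f["Blocked"])
    return {"ip": f["IP"].split()[0],
            "failures": int(fails.group(1)),
            "service": fails.group(2),
            "blocked": re.sub(r"\s*\[\w+\]", "", f["Blocked"]),
            "trigger": tag.group(1) if tag else None}

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print("alert raised by trigger:", alert["trigger"], "for", alert["ip"])
    print("alert settings still on:", enabled_alerts(parse_conf(SAMPLE_CONF)))
```

On a real server, pass the contents of /etc/csf/csf.conf to parse_conf; every name enabled_alerts returns is an alert that is still switched on.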