
Modify IP Block Checking Time Interval in CSF

If you cannot log in to cPanel on the first attempt, do not keep retrying. Repeated logins with the wrong details, say 20 times in 5 minutes, will get your IP address blocked. To avoid this, make sure the login details you use are exactly those in the Welcome Email Guide that was sent to the email account you signed up with.


Reasons to Block IP Address

Block due to failed POP3/IMAP login attempts

If your email client starts showing errors or pop-up windows about failed IMAP/POP3 authentication, the login credentials are most likely incorrect or outdated. The email client will then usually keep retrying against the mail server, which eventually results in a permanent IP block.

Block due to failed SMTP login attempts

This kind of block occurs when the SMTP authentication details are incorrect and you cannot send emails from the email client. Make sure that the SMTP login credentials are correct and valid.

Incorrect email client settings

The email client settings may also cause an IP block.

Failed FTP/SSH login

Make sure your FTP client is using the correct login details and appropriate settings. Logging in on an incorrect port number will also get your IP blocked in the firewall.

Failed web page login

A block can also occur when the website has an authentication form or a protected file that requires login details. It is your responsibility to use correct and valid login credentials.

 

Reset the IP Block Time Interval

1) SSH to the server

2) Open the CSF configuration file "csf.conf" in a text editor.

# vi /etc/csf/csf.conf

3) Change the following values (in seconds)

LF_INTERVAL = "300"

Sets the time interval (in seconds) within which login and other LF_ failures are tracked.

Changing the above value changes the time window in which failed login attempts from an IP address to the server are counted.

CT_INTERVAL = "90"

Changing the above value changes the time interval for counting the total number of connections from an IP address to the server.

CT_BLOCK_TIME = "1800"

You can select whether IP blocks for Port Scan Tracking should be temporary

Changing the above value changes the IP address block time interval, that is, how long the IP remains blocked.

4) Restart the CSF daemon for the changes to take effect. Run the below command to restart CSF.


Allow incoming / outgoing ping / ICMP

To allow ICMP/ping, in/out, change the following:

# Allow incoming PING
ICMP_IN = "1"

# Allow outgoing PING
ICMP_OUT = "1"

To block it, change it to "0".

Block certain countries

To block all traffic coming from certain countries:

CC_DENY = "CN,KR,HK,IN,ID,MY,NG,PK,RU,SA,TW,SY,AE"

Use the 2 letter ISO code there.

Disable tracking of long running processes

PT_LIMIT = "0"

If that is set to 1, you will receive a lot of emails when process resource usage spikes or processes run longer than a minute.

Enable a Web Management UI

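To enable the CSF web management UI without having a control panel (like cPanel/DirectAdmin), set the following, replacing the placeholder username and password with your own strong credentials:

UI = "1"
UI_PORT = "6666"
UI_USER = "username"
UI_PASS = "password"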

Send an email when a user logs in via ssh

LF_SSH_EMAIL_ALERT = "1"

The emails are sent to root by default. Change the below line to change that:

LF_ALERT_TO = "user@example.org"

Change the Number of Failed Login Attempts on CSF

IMAP, Dovecot, POP3D

OpenSSH

cPanel, WHM, Webmail (in cPanel Server)

Pure-ftpd, vsftpd, Proftpd

Password protected areas on the website.

Mod_security.

Suhosin failures.

Exim SMTP AUTH

By default, CSF blocks an IP address that enters a wrong username or password more than 5 times in the last 3600 seconds when logging into the control panel, email, or a password-protected area on the website. These failed-attempt values can be changed in the CSF configuration file. This tutorial discusses how to change these values in the csf config file via both WHM and the command line (CLI).

 

Edit csf configuration via command line(CLI)

1) Log in to the server as the root user.

2) Open the csf config file in a text editor such as vi or vim.

vi /etc/csf/csf.conf

3) Then find the following entries.

To change the failed FTP login attempt value:

LF_FTPD = "10"

To change the failure detection value for SMTP AUTH connections:

LF_SMTPAUTH = "5"

To change the login failure detection value for Courier POP3 connections:

LF_POP3D = "5"

To change the login failure detection value for Courier IMAP connections:

LF_IMAPD = "10"

To change the login failure detection value for cPanel, webmail and WHM connections:

LF_CPANEL = "5"

4) Save the config file after changing these values.

5) Restart the csf and lfd services.

csf -r
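
How a failure threshold such as LF_CPANEL combines with a tracking interval can be shown with a small model. This is an added example, not CSF or lfd code and not from the original page; the function names, the `epoch ip result` log format and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Simplified model, not lfd's own code: an IP is reported once its failures
# inside a sliding window of INTERVAL seconds exceed THRESHOLD, following the
# wording used on this page.
# Usage: lf_would_block THRESHOLD INTERVAL < log
# Assumed log format, one event per line: "<epoch> <ip> <FAIL|OK>"
lf_would_block() {
    awk -v limit="$1" -v window="$2" '
        $3 == "FAIL" {
            ip = $2
            n[ip]++                       # failures seen so far for this IP
            t[ip, n[ip]] = $1             # timestamp of each failure
            if (!(ip in first)) first[ip] = 1
            # Slide the window start past failures older than the interval.
            while (first[ip] < n[ip] && $1 - t[ip, first[ip]] >= window)
                first[ip]++
            inwin = n[ip] - first[ip] + 1
            if (inwin > limit && !(ip in blocked)) {
                blocked[ip] = 1
                printf "%s blocked at %s (%d failures in %ds)\n", ip, $1, inwin, window
            }
        }
    '
}

# Constructed sample: 203.0.113.7 fails 6 times within 50 seconds, while
# 198.51.100.9 also fails 6 times but 200 seconds apart.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "$((1700000000 + i * 10)) 203.0.113.7 FAIL"
        echo "$((1700000000 + i * 200)) 198.51.100.9 FAIL"
        i=$((i + 1))
    done | sort -n
    echo "1700002000 203.0.113.7 OK"
}

sample_log | lf_would_block 5 300
```

The same number of failures spread over a longer period never crosses the threshold, which is why the interval matters as much as the count.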


Port Flood Protection

This protects the server from port flood attacks, i.e. flooding common ports with a huge number of connections, thereby denying or hanging the services listening on those ports.

With this option, we can set the maximum number of connections a port will accept; new connections beyond this limit are blocked by the firewall. The syntax of the PORTFLOOD field is given below.

PORTFLOOD = "port;protocol;hit_count;interval_in_seconds"

You can add multiple ports separated by commas.

Here is an example for enabling port flood protection.

PORTFLOOD = "80;tcp;50;10"

This means that if the number of connections to port 80 exceeds 50 in ten seconds, all the new connections will be blocked.

Connection Limit Protection

This option sets the maximum number of concurrent connections to a particular open port on the server from a single IP. It is intended as protection against denial of service (DoS) attacks.

Syntax:

CONNLIMIT = "port;limit"

We can set connection limits for multiple ports separated by commas. Here is an example:

CONNLIMIT = "80;10,21;2"

This means, the maximum concurrent connections to port 80 (HTTP) from a single IP is 10 and to port 21 (FTP) per IP is 2.
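
A syntax check for the PORTFLOOD and CONNLIMIT formats described above, useful before restarting CSF with a new value. It is an added example, not part of CSF or of the original page; `csf_check_list` is a hypothetical helper, and its strictness (digits only, tcp or udp, no spaces) is an assumption.

```shell
#!/bin/sh
# Syntax check for PORTFLOOD and CONNLIMIT values, to run before "csf -r".
# Deliberately strict: digits only, no spaces, surrounding quotes removed.
# Usage: csf_check_list PORTFLOOD|CONNLIMIT "value"
csf_check_list() {
    printf '%s' "$2" | awk -F';' -v RS=',' -v kind="$1" '
        function posint(s) { return s ~ /^[0-9]+$/ && s + 0 > 0 }
        {
            ok = posint($1) && $1 + 0 <= 65535          # valid port number
            if (kind == "PORTFLOOD")                     # port;protocol;hits;seconds
                ok = ok && NF == 4 && ($2 == "tcp" || $2 == "udp") &&
                     posint($3) && posint($4)
            else                                         # port;limit
                ok = ok && NF == 2 && posint($2)
            if (!ok) { printf "bad %s entry: %s\n", kind, $0; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# The two examples from this page, then a constructed bad value.
csf_check_list PORTFLOOD "80;tcp;50;10" && echo "PORTFLOOD ok"
csf_check_list CONNLIMIT "80;10,21;2" && echo "CONNLIMIT ok"
csf_check_list CONNLIMIT "80;10,21" || echo "CONNLIMIT rejected"
```

A value pasted with typographic quotes still attached fails the digit test on its first and last fields, so the check also catches that copy-and-paste mistake.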

Connection Tracking

This option sets the maximum number of total connections from a single IP address to the server. If the total number of connections from that IP address is greater than the set value, the offending IP address is blocked. This also provides protection against denial of service (DoS) attacks.

Here are examples of the CT options in the configuration.

CT_LIMIT = "100"

All IPs with more than 200 connections will be blocked.

CT_PERMANENT = "1"

IPs that exceed the connection limit will be blocked permanently.

CT_BLOCK_TIME = "3600"

This sets the duration of the IP block for exceeding the connection limit. The above setting blocks the IP with excess connections for 3600 seconds, or 1 hour.

CT_INTERVAL = "60"

This value sets the interval in seconds between Connection Tracking scans; in the above example the scans take place every 60 seconds.

These are the basic security settings. There are a lot of advanced options, such as:

PACKET_FILTER – To drop invalid packets.

SYNFLOOD – To drop TCP SYN packet DoS attempts (recommended only if you are under a DoS attack).

ICMP_IN and ICMP_OUT – To allow/deny incoming and outgoing ping (ICMP) packets.

Syslog and RESTRICT_SYSLOG – To enable logging login failures to syslog and rsyslog, etc.


Various Reasons for IP Address Block in CSF


CSF Configuration

1) SSH to the server.

2) Open the file csf.conf.

# vi /etc/csf/csf.conf

3) Check the following parameters in the csf.conf file you have opened:

LT_POP3D = "value"

Replace value with a number: if the number of failed POP3 login attempts per hour, per account, per IP address is greater than that number, the IP gets blocked. Set the value to zero to disable the option. Keep in mind that the IP is blocked temporarily and is automatically unblocked after an hour!


LT_IMAPD = "value"

CSF compares the number of IMAP login failures with the value of LT_IMAPD, and if the failure count is greater than that value, the IP is blocked. Using a high number is recommended rather than zero (0 disables the option). This is a temporary block: after an hour the IP is unblocked!


LF_SSHD = "value"

LF_SSHD_PERM = "value"

These options enable login failure detection for sshd connections to the server.

LF_FTPD = "value"

LF_FTPD_PERM = "value"

This option enables login failure detection for FTP connections: the value is compared with the login failure count, and if the failure count is greater, the corresponding IP is blocked.

LF_SMTPAUTH = "value"

LF_SMTPAUTH_PERM = "value"

This parameter makes CSF check login failures of SMTP AUTH connections; if the failure count gets higher than the value set, the IP gets blocked.

LF_POP3D = "value"

LF_POP3D_PERM = "value"

This option enables login failure detection for POP3 connections to the server.

LF_IMAPD = "value"

LF_IMAPD_PERM = "value"

With this option enabled, CSF checks login failures of IMAP connections to the server.

 

4) Restart csf afterwards for the changes to take effect server wide.

Run the below command to restart the CSF.

 # csf -r
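
The edit-and-restart steps used throughout this page, as a script. This is an added example, not part of CSF or of the original page: `csf_get`, `csf_set`, `csf_curly_quotes` and the `CSF_CONF` variable are hypothetical names, and the demo runs on a constructed file rather than a real csf.conf.

```shell
#!/bin/sh
# Path used on this page; point CSF_CONF at a copy to try the functions safely.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Print the value currently assigned to KEY.
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$CSF_CONF" | head -n 1
}

# List lines containing typographic quotes, which often arrive when settings
# are pasted from a web page instead of typed.
csf_curly_quotes() {
    grep -n -e '“' -e '”' "$CSF_CONF"
}

# Set KEY to the non-negative integer VALUE, keeping the old file as .bak.
# Both arguments end up inside a sed script, so they are validated first.
csf_set() {
    case $1 in
        ''|*[!A-Z0-9_]*) echo "refusing setting name: $1" >&2; return 1 ;;
    esac
    case $2 in
        ''|*[!0-9]*) echo "refusing non-numeric value for $1: $2" >&2; return 1 ;;
    esac
    grep -q "^$1[[:space:]]*=" "$CSF_CONF" || { echo "$1 not found" >&2; return 1; }
    cp -p "$CSF_CONF" "$CSF_CONF.bak" || return 1
    # Write via a private temp file, then copy back so owner and mode are kept.
    ( umask 077
      sed "s/^\($1[[:space:]]*=[[:space:]]*\).*/\1\"$2\"/" "$CSF_CONF.bak" > "$CSF_CONF.tmp" ) &&
        cat "$CSF_CONF.tmp" > "$CSF_CONF" && rm -f "$CSF_CONF.tmp"
}

# Demo on a constructed file, not a real csf.conf. On a live server, run
# "csf -r" after a successful csf_set, as in the steps above.
csf_demo() (
    CSF_CONF=$(mktemp) || exit 1
    printf '%s\n' 'LF_SSHD = "5"' 'LF_SSHD_PERM = "1"' 'LF_CPANEL = "5"' > "$CSF_CONF"
    csf_set LF_CPANEL 10 && csf_get LF_CPANEL
    rm -f "$CSF_CONF" "$CSF_CONF.bak"
)

csf_demo
```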







