ConfigServer CSF

SYSTEM INFORMATION
OS type and version: Debian 11/12
Webmin version: 2.111
Virtualmin version: 7.10.0
Related packages: CSF

I suspect that CSF is not blocking properly.
Sending an extract of selected lines from /var/log/lfd.log:

User Processing PID:1480245 Kill:0 User:domain1.com Time:9045 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 16811240821455200
User Processing PID:1480244 Kill:0 User:domain1.com Time:9045 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 16811240821455200
User Processing PID:2995617 Kill:0 User:www-data Time:88137 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool www
User Processing PID:2995508 Kill:0 User:domain2.com Time:88137 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 1683536731575778
User Processing PID:2995575 Kill:0 User:domain3.com Time:88137 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 1705748160996163
User Processing PID:2995391 Kill:0 User:domain4.com Time:88137 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 168266248380413
SYSLOG CHECK Failed to detect check line [BgLyK2j5C8UBlK3M4KWi6nCWorF8] sent to SYSLOG
Suspicious Process PID:1854001 PPID:1783 User:postfix Uptime:131 secs EXE:/usr/lib/postfix/sbin/smtpd CMD:smtpd -n submission -t inet -u -c -o stress= -s 2 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may
User Processing PID:1848615 Kill:0 User:postfix Time:4212 EXE:/usr/lib/postfix/sbin/smtpd CMD:smtpd -n smtp -t inet -u -c -o stress= -s 2 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=may

Grateful for a statement from those of you who know csf.
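To read an extract like the one above it helps to separate lines that record a firewall block from lines that only report something. The following is an added example, not code from the original post or from CSF itself. It assumes lfd's usual log markers: "User Processing ... Kill:0" and "Suspicious Process" come from lfd's process tracking and, with Kill:0 (PT_USERKILL disabled), are report-only; "SYSLOG CHECK Failed" is a health warning about lfd not seeing its own test line in syslog; an actual block is logged with the marker "*Blocked in csf*" followed by the trigger name in brackets. The sample log is constructed from the lines above plus one constructed block line in that format, so the summary shows what the post's extract does not contain: any block events at all.

```python
"""Classify ConfigServer lfd.log lines into blocks, report-only events and warnings (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines of the shapes seen in the post above, plus one
# constructed "*Blocked in csf*" line (203.0.113.5 is a documentation address).
SAMPLE_LOG = """\
User Processing PID:1480245 Kill:0 User:domain1.com Time:9045 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool 16811240821455200
User Processing PID:2995617 Kill:0 User:www-data Time:88137 EXE:/usr/sbin/php-fpm8.2 CMD:php-fpm: pool www
SYSLOG CHECK Failed to detect check line [BgLyK2j5C8UBlK3M4KWi6nCWorF8] sent to SYSLOG
Suspicious Process PID:1854001 PPID:1783 User:postfix Uptime:131 secs EXE:/usr/lib/postfix/sbin/smtpd CMD:smtpd -n submission -t inet
(sshd) Failed SSH login from 203.0.113.5 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
"""

# Optional "Mon DD HH:MM:SS host lfd[pid]:" prefix that a full lfd.log carries
# (the extract in the post had it stripped, so it must be optional).
_PREFIX = re.compile(r"^\w{3}\s+\d{1,2}\s+[\d:]+\s+\S+\s+lfd\[\d+\]:\s*")
_KV = re.compile(r"\b(PID|PPID|Kill|User|Time|Uptime):(\S+)")
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_TRIGGER = re.compile(r"\[([A-Z_]+)\]\s*$")


@dataclass
class Event:
    kind: str                 # "block", "kill", "report", "warning" or "other"
    detail: str
    ip: Optional[str] = None
    trigger: Optional[str] = None
    pid: Optional[int] = None
    user: Optional[str] = None


def classify(raw: str) -> Event:
    """Map one lfd.log line to an Event; only 'block' means a firewall rule was added."""
    line = _PREFIX.sub("", raw.strip())
    fields = dict(_KV.findall(line))
    pid = int(fields["PID"]) if "PID" in fields else None
    user = fields.get("User")

    if "*Blocked in csf*" in line:
        m_ip, m_tr = _IPV4.search(line), _TRIGGER.search(line)
        return Event("block", "lfd added a firewall block",
                     ip=m_ip.group(1) if m_ip else None,
                     trigger=m_tr.group(1) if m_tr else None)
    if line.startswith("User Processing"):
        if fields.get("Kill") == "0":
            # Kill:0 means PT_USERKILL is off: the long-running process is reported, nothing is killed or blocked
            return Event("report", "process tracking report only (Kill:0)", pid=pid, user=user)
        return Event("kill", "process tracking killed the process (PT_USERKILL on)", pid=pid, user=user)
    if line.startswith("Suspicious Process"):
        return Event("report", "process tracking alert, no firewall action", pid=pid, user=user)
    if line.startswith("SYSLOG CHECK"):
        return Event("warning", "lfd did not see its own test line in syslog")
    return Event("other", line)


def summarize(log_text: str) -> Counter:
    """Count events per kind; a healthy 'is it blocking?' check expects kind 'block' to be non-zero."""
    counts: Counter = Counter()
    for raw in log_text.splitlines():
        if raw.strip():
            counts[classify(raw).kind] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        print(classify(raw))
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against the real file with `summarize(open("/var/log/lfd.log").read())`: if the "block" count stays at zero while login failures are visible in the mail and ssh logs, the blocking side of lfd is what to look at; the process-tracking lines on their own say nothing about blocking.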

Not blocking properly what? Besides, why use CSF in the first place, if the default Virtualmin installation with FirewallD and Fail2Ban does everything that needs to be done?

@Ilia I have seen many recommend CSF in the forum. That's why.

I think CSF is great, but I don’t believe it’s necessary to replace the Virtualmin stock FirewallD + Fail2Ban. Essentially, they are equally effective and perform the same functions.

I tried it once, didn't like it. So I use firewalld to open and close ports and fail2ban to manage bans via iptables directly, using the iptables_x actions. Maybe csf gives more information back, but all I need to know is who is banned, for what reason (fail2ban jail name), for how long and when the ban expires. You can see this in the fail2ban module, which also allows you to selectively unban IP addresses if you need to. I would guess that if the Virtualmin devs thought there were significant gains from using csf, they would not default to firewalld/fail2ban but would install and configure csf at installation instead.

Well, it is not a simple config and needs time to configure, whereas firewalld and fail2ban just work. I like that you can do country blocking with CSF and add quick blocking of IPs too.

Ok, that may follow and be good, but I don't judge a country on some of its residents being bad. Does csf take into account VPNs? I could block, say, the USA, and someone could connect via a VPN in the USA from Germany. Would csf also block them?

Well, how many of my customers need an email from Russia or China? It does stop a lot of crap and hackers.
USA is an issue :) It does reduce a lot of crap.

It may not originate in those countries, but the VPN makes it appear as if it has originated from a banned country. This is used a lot by UK nationals that wish to use services in the UK from countries that are blocked. Example: someone in the USA is blocked from using a service in the UK, so they use a UK-based VPN so they appear to be in the UK.

Or perhaps more relevant - I’ll rephrase that, if I may,

I could block say Russia/China and someone from there could connect via a VPN in the USA/UK. Would CSF also block them ?

I have global customers and they have global visitors - so banning by any country is a no-no!


You can do the same with firewalld by setting up your own list using ipset. You can create your own list and copy from server to server with just a couple commands. Just look up ipset…
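One way to do what the post above describes, as an added example that is not part of the original thread and not Virtualmin's or firewalld's own code: keep the block list as a plain text file, validate and collapse it, and render it as a firewalld ipset definition that can be copied between servers as a single file. It assumes firewalld's ipset XML format (an `<ipset type="hash:net">` element with one `<entry>` per network, installed under /etc/firewalld/ipsets/NAME.xml) and the `firewall-cmd --add-source=ipset:NAME` form for binding it to the drop zone. The sample list is constructed from documentation address ranges and deliberately contains comments, a duplicate and two adjacent /25s.

```python
"""Turn a hand-maintained block list into a firewalld ipset file (added example)."""
from __future__ import annotations

import ipaddress
from xml.sax.saxutils import escape

# Constructed sample list: comments, a duplicate and two adjacent /25s that
# should collapse into one /24. These are documentation ranges, not real attackers.
SAMPLE_LIST = """\
# hosts caught brute-forcing the mail submission port
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25   # adjacent to the line above
203.0.113.0/25     # duplicate
192.0.2.17
"""

IPSET_DIR = "/etc/firewalld/ipsets"   # where firewalld reads permanent ipset definitions


def parse_block_list(text: str) -> list[ipaddress.IPv4Network]:
    """Parse 'network  # comment' lines, reject malformed entries, dedupe and merge ranges."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=True)   # strict: '203.0.113.1/24' raises ValueError
        if net.version != 4:
            raise ValueError(f"IPv6 entry {entry!r} needs a separate inet6 ipset")
        nets.append(net)
    # collapse_addresses drops duplicates and merges adjacent or contained networks
    return sorted(ipaddress.collapse_addresses(nets))


def ipset_xml(name: str, nets: list[ipaddress.IPv4Network]) -> str:
    """Render the firewalld ipset definition for /etc/firewalld/ipsets/<name>.xml."""
    lines = [
        '<?xml version="1.0" encoding="utf-8"?>',
        '<ipset type="hash:net">',
        f"  <short>{escape(name)}</short>",
    ]
    lines += [f"  <entry>{net}</entry>" for net in nets]
    lines.append("</ipset>")
    return "\n".join(lines) + "\n"


def firewall_cmds(name: str) -> list[str]:
    """Commands that attach the ipset to the drop zone once the XML file is in place."""
    return [
        f"firewall-cmd --permanent --zone=drop --add-source=ipset:{name}",
        "firewall-cmd --reload",
    ]


if __name__ == "__main__":
    name = "blocklist"
    nets = parse_block_list(SAMPLE_LIST)
    print(f"# write this to {IPSET_DIR}/{name}.xml, then run the commands below")
    print(ipset_xml(name, nets))
    print("\n".join(firewall_cmds(name)))
```

Because the whole list lives in one XML file, moving it to another server is an `scp` of that file followed by the two `firewall-cmd` lines; running the list through `parse_block_list` first catches the typo (a network with host bits set, an IPv6 address in an IPv4 set) that would otherwise only show up when firewalld refuses to reload.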

CSF has the unpleasant side effect of blocking you from the server, not just the service you triggered. Not pleasant when doing remote admin. Happens too much when someone is trying to set up email too.

I’ll give this as a plus but it could be added to the Firewalld interface? Having the ability to whitelist for a given time was nice for customers that were ‘inventive’ in configuring their email clients.

Quick IP manipulation was the only real reason I went into CSF once it was set up.

One thing to remember though is a real firewall is ahead of the server, not on it. Trying to do too much on the server is probably a mistake. If you need a firewall, get a firewall.

I would think most apps that manage the firewall manipulate iptables in a Linux environment, so as long as the kernel is set up correctly you will have a firewall. That said, not all distros or suppliers may deploy a kernel without a firewall enabled. From that, everyone should have a firewall to start with; it's just how you manipulate it.

You missed the context.

This was just implemented in this PR.

Example:


CSF gives a graph of the countries it's blocking the most. CN leads by a long way, so just blocking China is handy.
No, it's not going to stop VPNs, but it stops a lot. This is from a test server I've been running for about 10 hours.

Not if they are your principal customers.

Still do not see the point of CSF when/if it can be bypassed by using a VPN (which seems to be common practice).

What about the majority of hackers that aren't using a VPN? I thought the diagram would have proved that, but I guess not.

I have a VM with more than one domain in CN, and the traffic is nearly all CN. Dealing with the pests, it still seems better to leave Firewalld handling them. I just do not see any real advantage in CSF (in fact, judging on this topic and all the others popping up on here, it is more trouble than it is worth).

That's different if you're dealing with CN. No need to use CSF if you don't want to.