CSF is being discontinued

If there are 20 different forks they will all be lower quality.

One group needs to look after csf.

Not necessarily (though, obviously most will be low quality because it’s extremely rare for someone to have the time/knowledge/motivation to maintain a kinda large project for a long time). It was already being maintained by only one or two people…it’s not like it was some massive community effort.

Most Open Source is one person, with a little help (Webmin has been mostly Jamie for coming up on 30 years with a little help from me and Ilia and some other folks along the way). The idea that Open Source projects benefit massively from a huge community of contributors is mostly imagined. Open Source can be more secure, because of more eyes, and Open Source may eventually trend toward fewer bugs, because more bug reports and more eyes looking for the bugs. But, for any large project to last and get better, it generally needs one person or company to really work on it, to treat it like it matters. Casual users don’t really do that, and most forks of OSS projects are by casual users who just want one specific change or whatever.

In the short term, I suspect there will be a fork for each of the projects that use it in some way that will become somewhat specialized for that project, with some patches going back and forth now and then. But, maybe someone will really focus on it. I’m not convinced it’s the right security model for web servers, like a Virtualmin system, but a lot of people disagree with me…it’s quite popular for that purpose. So, I dunno. Maybe we want to make our own fork to make sure it stays suitable for Virtualmin deployments…Ilia did put a lot of time into the UI side of things for CSF.


If the webmin team take csf on, maybe it should become the default software and drop fail2ban etc..

Did you miss this?

I think it’s too much for a web server. I think fail2ban is probably too much, too, but if we switch from fail2ban, I think I would prefer it be sshguard (which is what I use on my personal servers that don’t have Virtualmin and servers at my day job). At the time I picked fail2ban it was the best fit I could find.

I can see the argument for the monitoring abilities, I understand folks like seeing what’s been blocked in a friendly way, etc. I dunno.

I think my position continues to be that if you want specific features you find in CSF (or any of the other tools that are under that umbrella of applications), you should specifically suggest those features. The probability of me being willing to adopt CSF as the default firewall configuration tool in Virtualmin is very close to zero. The probability of my being willing to implement specific features you like about CSF (or the mail thing, or the ModSecurity thing, or whatever other things their apps do, mostly in the context of cPanel) is much higher.

So, be specific. Make a new topic with the thing(s) you like about CSF that you can’t do in a default Virtualmin installation, or that isn’t as easy to do in a default Virtualmin installation. If you can show a screenshot or link to docs about what it looks like in CSF, all the better. I’ve never really used it, so I probably won’t know what you’re talking about if you just say “I want X feature”.


My thought is why develop or maintain CSF if you do not want to use it as you guys have limited developer time.

This is one of those topics that keeps coming up, one side of the team say CSF is great (Ilia) and one side say it should not be used for VM (Joe).

Maybe the team should get together and decide on an official Virtualmin stance and then end-users can decide what they are going to do. Now is the time, while people’s systems running with CSF are not affected.

I like CSF only because it was in cPanel and that is what I used. The biggest feature was the quick block/unblock buttons which after some persuasion both buttons :smiley: are now added.

I have been running with fail2ban for 2 years as that is the recommended default and nothing is broken.

I use pfsense for ip blocking for spam bots and other stuff so GEO-Block in CSF is not an issue.

I was using CSF for 10 years (because it was in cPanel, my first server panel).

This month, I have tried fail2ban and Firewalld (because of the recommendations of the Virtualmin Team; thanks, @Joe!). It’s enough for me:

  • Firewalld is easy to configure.
  • Fail2ban has a learning curve if you want to create your own jails and filters, but it is not very difficult.

If you use WordPress on your server, fail2ban is your savior with the correct filter and jail (spam comments, attacks on admin and login…). Virtualmin Workbench has a jail for it in the Pro version.

Conclusion? CSF is great software, but probably we don’t need all of its functions. Firewalld and fail2ban are enough.

Seems to me the only folk who want it are ex-CPanel users.
Personally I never liked that, or CSF.

I for one do not care; I just don’t want the Virtualmin team wasting time on what seems an old and relatively irrelevant module.

So I’m with @Joe on this.

CSF or FirewallD is just an abstraction layer for iptables/nftables. There’s nothing inherently good or bad about it. Joe doesn’t like it because he thinks it has too many configurable options and features, as far as I can tell from his vibe about it. I don’t think he ever said that CSF was too resource-intensive though.

We don’t limit users in our decision-making. We use FirewallD and Fail2Ban because every OS we support is compatible with them. We also have modules for both. Yes, we have a great-looking module for CSF, but this is exclusively my effort to redesign its appearance to fit the Webmin style, as the default CSF module design looked completely off.

I liked CSF because it wasn’t just in the cPanel and had cool features that I thought were great back then.

Geoblocking was one of the features I thought was cool back then.

Yes, this is one of the reasons we are leaning more toward FirewallD and Fail2Ban—these are well-supported by all the OSs we provide support for, and most importantly, they do the job well.

Yes, and having integration with Fail2Ban in Virtualmin WP Workbench is another reason to use FirewallD & Fail2Ban. Even though I could add support for it with CSF since I know how it’s done, I still think it’s easier to use what the OS provides.

Yes, most definitely ex-cPanel users were among those who would look for it in Virtualmin, simply because they got used to it. But it’s hard not to like CSF—it’s a great and very flexible piece of software. The downside, in my opinion, is it would need a lot of support if we decided to make it a recommended choice.

Take a closer look at it. I don’t really think those who say they don’t like CSF have ever used it in real life. If you do, you’ll probably like it more than anything you’ve tried before. However, again, the downside is big—it’s not supported upstream by any OS we support.

Yeah, I was itching to go for it. I even have what others probably don’t: years of CSF Git changes made after dozens of CSF updates when it was still released under a proprietary license. I’ve never made it public, but it would probably help anyone taking over to see and understand the thought process.

That said, I could only take over with CSF if I had enough free time. We already have a lot to build for Virtualmin, and I even turned down a very high-paying job offer recently because it would take away from that. Since it’s not realistic to support or work on other projects effectively without slowing down Virtualmin development, the best thing for me is to step back and hope someone else takes it on and does it well.

However, if CSF ever makes its way to be a standard package in EL and Debian repos, we may get back to this discussion again.


I think @Ilia is right, let the project get picked up and managed primarily by someone else or group. It is early days yet, I suspect cPanel the company might have too because this is what their users expect, if not see what they replace it with.

Still early days :grinning_face:.

Also, let no-one say @Ilia is not dedicated to virtualmin.

I’d be surprised to hear anyone ever say this! I know you know, I switched countries with my girls so we could all move forward like before with Virtualmin; and, let’s not forget about my average screen time too! :joy:


That’s one of the features I have used in the past.

I think what a lot of people like about CSF is it is something that has been created from decades of real world server administration, so it covers a lot of the most common areas as well as some that aren’t so common - and when it comes to security many people feel it is better safe than sorry.

Geoip is an emotive subject and, as far as I’m concerned, should not be used: you cannot block a whole area of the world based on the actions of some of the residents there. With my project that replaces fail2ban and csf in the banning sense, I have not added the ability to ban on region, as I feel it is unfair to users from a region when you may not like that region. Why not just ban on their actions rather than just banning a region?

I think all we really should care about is slowing the attacker down.

What Fail2Ban doesn’t have, as far as I know, is blocking by subnets. In CSF, it was called distributed attack mitigation.

So, if attackers were brute-forcing a password for SSH from 192.168.1.10 and 192.168.1.20, then the whole subnet, like 192.168.1.0/24, could be blocked. It can be useful in some cases but could also create false positive blocks.

I think we’re more than good with Fail2Ban on all fronts.

I started decades ago with cPanel and CSF. Once I started with WM/VM I liked it better. I really appreciate that Fail2Ban doesn’t block you from every service when you trip one.

I don’t know that I’ve seen the same IP address in more than one jail, but, my server is very low traffic.

more ≠ better


Oddly I have. I’m guessing that the dark web guesses target destinations that they feel are vulnerable, and tbf with the code I’m writing I have a server that I would class as vulnerable to test on, and tbf I do get the same IP appearing in the equivalent of multiple jails.

I think it depends on the circumstances. The software we were using had little to no defence against the sort of spam we were getting so we didn’t have much of a choice. Plus the country we blocked was not our target audience at all so it wasn’t a big deal for us. I don’t think we were the only ones either, because the country seemed to clean up its act.

Yep, CSF has some great features:

Distributed Attacks

Distributed Account Attack. This option will keep track of login failures from distributed IP addresses to a specific application account. If the number of failures matches the trigger value above, ALL of the IP addresses involved in the attack will be blocked according to the temp/perm rules above. Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, LF_HTACCESS.
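To make the two mechanisms discussed above concrete (per-account tracking across distributed IPs, and the subnet-wide block mentioned earlier in the thread, with its false-positive risk), here is an added example that is not CSF’s or fail2ban’s own code: it parses constructed sshd-style auth log lines, flags accounts hit from at least `trigger` distinct IPs, and only proposes a /24 block when several offenders share that subnet. Threshold names, the log sample and the `min_hosts` guard are assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in sshd's auth.log format; not real traffic.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for admin from 192.168.1.10 port 5001 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for admin from 192.168.1.20 port 5002 ssh2
Jan 10 10:00:03 host sshd[103]: Failed password for admin from 192.168.1.30 port 5003 ssh2
Jan 10 10:00:04 host sshd[104]: Failed password for admin from 192.168.1.40 port 5004 ssh2
Jan 10 10:00:05 host sshd[105]: Failed password for admin from 192.168.1.50 port 5005 ssh2
Jan 10 10:00:06 host sshd[106]: Failed password for bob from 10.0.0.7 port 5006 ssh2
Jan 10 10:00:07 host sshd[107]: Accepted password for bob from 10.0.0.7 port 5007 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_failures(log_text):
    """Yield (account, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def distributed_account_attack(log_text, trigger=5):
    """Track failures per account, not per IP, as the CSF option above does.

    Returns {account: set_of_ips} for accounts attacked from at least
    `trigger` distinct source addresses; all of those IPs are block candidates.
    """
    ips_by_account = defaultdict(set)
    for account, ip in parse_failures(log_text):
        ips_by_account[account].add(ip)
    return {a: ips for a, ips in ips_by_account.items() if len(ips) >= trigger}


def subnet_block_candidates(ips, prefix=24, min_hosts=2):
    """Group offending IPs into /prefix networks.

    Only a network with at least `min_hosts` distinct offenders is returned,
    so a single bad host on a shared network does not take out its neighbours.
    """
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return {str(net) for net, hosts in by_net.items() if len(hosts) >= min_hosts}
```

Raising `min_hosts` (or lowering `prefix`) is the knob that trades coverage of a distributed attack against the risk of blocking an innocent neighbour on the same subnet.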

I prefer the opposite - that an IP is banned completely, this stops them trying their luck elsewhere.

It has drawbacks, like not being able to unblock your own IP in case you accidentally enter the wrong password for one of the services.


Been there :joy:

This is where being able to tether to your mobile connection comes in handy :D (as well as CSF’s allowed list)

That’s a thing of the past! Now, you can get hundreds of VPN tunnels and a TOR browser with just a few clicks.


same here.

the only jail that seems to fill up is the wordpress jail.

and that is just where they belong

banning by region seems rather political eg. “let’s just ban reporting from xyz”
