How to automatically block IPs

Post by iodisciple »

Hi all,

I have a Debian 9 server with all the latest patches and the latest version of CSF/LFD. Just a standard configuration with one IP number, no crazy things.

I want to automatically block IPs when they try to break in. I thought CSF/LFD did this out of the box, but I still wake up to 600 of the below alert mails:

Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:48 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I do not understand, because I thought the below configuration would block automatically. What am I doing wrong?

LF_DAEMON = "1"
LF_CSF = "1"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

Any help is greatly appreciated.
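
Added example (not part of the original post, and not CSF/LFD code): an independent tally of SASL authentication failures per source IP within a time window, run over log lines in the format quoted above, to confirm whether a threshold of 5 (the post's LF_SMTPAUTH value) is actually reached. The one-hour window, the year used to parse the year-less syslog timestamps, and the 192.0.2.10 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: six lines in the format quoted in the post, plus three
# constructed lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:31:57 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:13 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:32:32 mail02 postfix/submission/smtpd[2459]: warning: host90-152-53-250.ipv4.regusnet.com[90.152.53.250]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 6 05:40:01 mail02 postfix/submission/smtpd[2460]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:
Feb 6 05:40:03 mail02 postfix/submission/smtpd[2460]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed:
Feb 6 05:40:05 mail02 postfix/submission/smtpd[2460]: disconnect from unknown[192.0.2.10]
"""

# Timestamp, host, postfix smtpd (optionally a named service such as
# submission), then the client "[ip]" and the SASL failure text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"postfix/(?:\w+/)?smtpd\[\d+\]:\s+warning:\s+"
    r"\S*\[(?P<ip>[0-9a-fA-F:.]+)\]:\s+SASL \S+ authentication failed"
)

def failures_by_ip(log_text, year=2018):
    # Syslog lines carry no year; `year` is an assumption for parsing only.
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())
        hits[m.group("ip")].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return hits

def over_threshold(log_text, threshold=5, window=timedelta(hours=1)):
    # Largest number of failures inside any sliding window, per IP.
    flagged = {}
    for ip, stamps in failures_by_ip(log_text).items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Calling `over_threshold(open("/path/to/mail.log").read())` on the real log (path is a placeholder) shows which addresses a 5-failure rule should have caught.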

Re: How to automatically block IPs

Post by iodisciple »

Please let me rephrase this question (I really do not want to switch all servers to something other than CSF/LFD): is there someone out there who has Debian 9 fully updated and the latest version of CSF/LFD, where automatic blocking of rogue IP numbers just works?

On non-DirectAdmin servers, that is; I have 2 DirectAdmin servers that do block automatically (with the DirectAdmin-specific scripts).