Login Failure Daemon

Login Failure Daemon (LFD)

The login failure daemon process runs all the time and periodically scans the latest log file entries for login attempts against your server that repeatedly fail within a short period of time. Such attempts are often called "brute-force attacks", and the daemon responds to such patterns very quickly by blocking the offending IPs. Other similar products run every x minutes via cron and so often miss break-in attempts until after they have finished; our daemon eliminates such long waits and is therefore much more effective at its task.

There is an array of extensive checks that LFD can perform to help alert the server administrator to changes to the server, potential problems and possible compromises.

LFD Principles

One of the best ways to protect the server from inbound attack against network daemons is to monitor their authentication logs. Invalid login attempts which happen in a short space of time from the same source can often mean someone is attempting to brute-force their way into the server, usually by guessing usernames and passwords and therefore generating authentication and login failures.

LFD can monitor the most commonly abused protocols, SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, LFD is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all those attempts will be counted against the threshold.

Once the number of failed login attempts reaches the threshold, LFD immediately forks a sub-process and uses CSF to block the offending IP address for both incoming and outgoing connections, stopping the attack in its tracks. Other applications that run from cron timings, usually every 5 minutes, often miss brute-force attacks completely: by the time they run the attack may be over, or simply biding its time. In the meantime LFD will already have blocked the offender's IP address. By running the block and alert email actions in a sub-process, the main daemon can continue monitoring the logs without delay.

If you want to know when LFD blocks an IP address you can enable the email alert (which is on by default), and you should also watch the log file /var/log/lfd.log.
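The cross-protocol counting described above, as an added example that is not LFD's own (Perl) code: a sliding-window detector run over constructed sshd and dovecot log lines. The threshold, window, log formats and the year appended to the timestamps are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real server output): one source fails
# against sshd, POP3 and IMAP within seconds; another fails twice, far apart.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.7
Mar  3 10:00:09 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.7
Mar  3 10:00:10 host sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:00:12 host sshd[1211]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:30:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 40010 ssh2
"""

# One pattern per monitored protocol; each captures the source IP.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "pop3": re.compile(r"pop3-login: .*auth failed.*rip=(\d+\.\d+\.\d+\.\d+)"),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(\d+\.\d+\.\d+\.\d+)"),
}
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")


def parse_ts(line, year=2024):
    """Syslog timestamps carry no year; an assumed year is prepended."""
    return datetime.strptime(f"{year} {TS_RE.match(line).group(1)}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: [protocols]} for sources whose failures across ALL monitored
    protocols reach `threshold` within a sliding window of `window_seconds`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, protocol)
    blocked = {}
    for line in lines:
        for proto, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group(1)
            if ip not in blocked:         # an already blocked source needs no recount
                ts = parse_ts(line)
                q = recent[ip]
                q.append((ts, proto))
                while (ts - q[0][0]).total_seconds() > window_seconds:
                    q.popleft()           # failures older than the window no longer count
                if len(q) >= threshold:
                    blocked[ip] = sorted({p for _, p in q})
            break                         # a line matches at most one protocol
    return blocked


def block_command(ip):
    """The action LFD takes via CSF (csf -d denies an address); returned, not run."""
    return ["csf", "-d", ip, "brute force detected"]
```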

LFD Command Line Options

LFD doesn't have any command line options of its own but is controlled by the init script /etc/init.d/lfd or, on systems running systemd, by the unit /usr/lib/systemd/system/lfd.service. It is configured using the /etc/csf/csf.conf file. The best way to see what LFD is doing is to look at /var/log/lfd.log, where its activities are logged.

To restart LFD issue the command:

service lfd restart

Email Templates

File                                        Description
/usr/local/csf/tpl/accounttracking.txt      Account tracking alert emails
/usr/local/csf/tpl/alert.txt                Port blocking emails
/usr/local/csf/tpl/connectiontracking.txt   Connection tracking emails
/usr/local/csf/tpl/consolealert.txt         Console root login alert emails
/usr/local/csf/tpl/exploitalert.txt         System exploit alert emails
/usr/local/csf/tpl/filealert.txt            Suspicious file alert emails
/usr/local/csf/tpl/integrityalert.txt       System integrity alert emails
/usr/local/csf/tpl/loadalert.txt            High load average alert emails
/usr/local/csf/tpl/logalert.txt             Log scanner report emails
/usr/local/csf/tpl/logfloodalert.txt        Log file flooding alert emails
/usr/local/csf/tpl/netblock.txt             Netblock alert emails
/usr/local/csf/tpl/permblock.txt            Temporary to permanent block alert emails
/usr/local/csf/tpl/portknocking.txt         Port knocking alert emails
/usr/local/csf/tpl/portscan.txt             Port scan tracking alert emails
/usr/local/csf/tpl/processtracking.txt      Process tracking alert emails
/usr/local/csf/tpl/queuealert.txt           Email queue alert emails
/usr/local/csf/tpl/relayalert.txt           Email relay alert emails
/usr/local/csf/tpl/resalert.txt             Process resource alert emails
/usr/local/csf/tpl/scriptalert.txt          Script alert emails
/usr/local/csf/tpl/sshalert.txt             SSH login emails
/usr/local/csf/tpl/sualert.txt              SU alert emails
/usr/local/csf/tpl/tracking.txt             POP3/IMAP blocking emails
/usr/local/csf/tpl/usertracking.txt         User process tracking alert emails
/usr/local/csf/tpl/watchalert.txt           Watched file and directory change alert emails
/usr/local/csf/tpl/forkbombalert.txt        Fork bomb alert emails