The login failure daemon (LFD) runs continuously and periodically scans the latest log file entries for login attempts against your server that repeatedly fail within a short period of time. Such attempts are often called "brute-force attacks", and the daemon responds to such patterns very quickly, blocking the offending IPs. Other similar products run every x minutes via cron and so often miss break-in attempts until after they have finished; our daemon eliminates those long waits, making it much more effective at its task.
LFD can perform an array of extensive checks to help alert the server administrator to changes to the server, potential problems and possible compromises.
One of the best ways to protect the server from inbound attack against network daemons is to monitor their authentication logs. Invalid login attempts which happen in a short space of time from the same source can often mean someone is attempting to brute-force their way into the server, usually by guessing usernames and passwords and therefore generating authentication and login failures.
LFD can monitor the most commonly abused protocols: SSHD, POP3, IMAP, FTP and HTTP password protection. Unlike other applications, LFD is a daemon process that monitors logs continuously and so can react within seconds of detecting such attempts. It also monitors across protocols, so if attempts are made on different protocols in a short space of time, all of those attempts are counted against the same threshold.
Once the number of failed login attempts reaches the threshold, LFD immediately forks a sub-process and uses CSF to block the offending IP address for both inbound and outgoing connections, stopping the attack in its tracks. Applications driven by cron job timings usually miss brute force attacks entirely: they typically run every 5 minutes or so, by which time the attack may be over, or simply biding its time. In the meantime LFD will already have blocked the offender's IP address. By running the block and alert email actions in a sub-process, the main daemon can continue monitoring the logs without delay.
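The detection logic described above, as an added illustration and not code from CSF or LFD itself: failed logins from several protocols are matched in a log stream, counted per source IP inside a sliding time window, and an IP that reaches the threshold is handed to a block action. The log lines are constructed samples modelled on common sshd, dovecot and vsftpd messages; the threshold (5 failures) and window (300 seconds) are example values, not LFD's defaults; the year used when parsing syslog timestamps is assumed because syslog omits it. The block step only builds the CSF deny command (`csf -d IP comment`) and returns it rather than executing it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real server output). Several protocols
# are mixed so that cross-protocol counting against one threshold is visible.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 12:00:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 12:00:05 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Mar 10 12:00:06 host vsftpd: [pid 2200] [anonymous] FAIL LOGIN: Client "203.0.113.7"
Mar 10 12:00:08 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5
Mar 10 12:00:30 host sshd[2110]: Failed password for root from 198.51.100.23 port 40000 ssh2
Mar 10 12:09:40 host sshd[2111]: Failed password for root from 198.51.100.23 port 40001 ssh2
Mar 10 12:20:00 host sshd[2112]: Accepted publickey for deploy from 192.0.2.9 port 4000 ssh2
"""

# One failure pattern per protocol; each captures the source IP.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)"),
    "ftpd": re.compile(r'vsftpd: .*FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(\d+\.\d+\.\d+\.\d+)"),
    "pop3": re.compile(r"pop3-login: .*auth failed.*rip=(\d+\.\d+\.\d+\.\d+)"),
}

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for parsing


def parse_failure(line):
    """Return (timestamp, protocol, ip) for a failed-login line, else None."""
    for proto, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            return ts, proto, m.group(1)
    return None


def find_offenders(lines, threshold=5, window_seconds=300):
    """Count failures per source IP across all protocols in a sliding window.

    Returns {ip: sorted list of protocols seen in the window} for every IP
    that reached the threshold. Lines are processed in order, as a daemon
    tailing the log would see them.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, protocol)
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, proto, ip = parsed
        window = recent[ip]
        window.append((ts, proto))
        # Discard failures that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in offenders:
            offenders[ip] = sorted({p for _, p in window})
    return offenders


def block_command(ip, protocols, threshold=5):
    """Build the CSF deny command LFD would hand to a sub-process.

    Returned as an argv list for illustration; nothing is executed here.
    """
    comment = f"brute force: {threshold} failures across {','.join(protocols)}"
    return ["csf", "-d", ip, comment]


if __name__ == "__main__":
    for ip, protos in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(" ".join(block_command(ip, protos)))
```

Only 203.0.113.7 is reported: its five failures span sshd, IMAP, FTP and POP3 within seven seconds, so no single protocol's count would have reached the threshold on its own. The second address never reaches five failures, and the successful public-key login is not counted at all.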
If you want to know when LFD blocks an IP address, enable the email alert (which is on by default) and watch the log file in /var/log/lfd.log.
LFD doesn't have any command line options of its own but is controlled by the init script /etc/init.d/lfd or, on systems running systemd, /usr/lib/systemd/system/lfd.service. It is configured using the /etc/csf/csf.conf file. The best way to see what LFD is doing is to take a look at /var/log/lfd.log, where its activities are logged.
To restart LFD issue the command:
service lfd restart
File | Description
---|---
/usr/local/csf/tpl/accounttracking.txt | Account tracking alert emails
/usr/local/csf/tpl/alert.txt | Port blocking emails
/usr/local/csf/tpl/connectiontracking.txt | Connection tracking emails
/usr/local/csf/tpl/consolealert.txt | Console root login alert emails
/usr/local/csf/tpl/exploitalert.txt | System exploit alert emails
/usr/local/csf/tpl/filealert.txt | Suspicious file alert emails
/usr/local/csf/tpl/integrityalert.txt | System integrity alert emails
/usr/local/csf/tpl/loadalert.txt | High load average alert emails
/usr/local/csf/tpl/logalert.txt | Log scanner report emails
/usr/local/csf/tpl/logfloodalert.txt | Log file flooding alert emails
/usr/local/csf/tpl/netblock.txt | Netblock alert emails
/usr/local/csf/tpl/permblock.txt | Temporary to permanent block alert emails
/usr/local/csf/tpl/portknocking.txt | Port Knocking alert emails
/usr/local/csf/tpl/portscan.txt | Port scan tracking alert emails
/usr/local/csf/tpl/processtracking.txt | Process tracking alert emails
/usr/local/csf/tpl/queuealert.txt | Email queue alert emails
/usr/local/csf/tpl/relayalert.txt | Email relay alert emails
/usr/local/csf/tpl/resalert.txt | Process resource alert emails
/usr/local/csf/tpl/scriptalert.txt | Script alert emails
/usr/local/csf/tpl/sshalert.txt | SSH login emails
/usr/local/csf/tpl/sualert.txt | SU alert emails
/usr/local/csf/tpl/tracking.txt | POP3/IMAP blocking emails
/usr/local/csf/tpl/usertracking.txt | User process tracking alert emails
/usr/local/csf/tpl/watchalert.txt | Watched file and directory change alert emails
/usr/local/csf/tpl/forkbombalert.txt | Fork bomb alert emails