Messenger Service

The messenger service displays a message to inform the user that their IP address has been blocked by the firewall. It can serve IP addresses that are temporarily and/or permanently denied. This can help when users get themselves blocked, e.g. due to multiple login failures. The service uses two separate daemons running on different ports, one providing an HTML message and the other a TEXT message to be displayed to the user.

• The messenger service does not support showing a message for any GLOBAL or BLOCK deny lists.
• The messenger service does not support SSL connections.
• The iptables module ipt_REDIRECT and the Perl module IO::Socket::INET are required.
• If you change any of the files in /etc/csf/messenger/ you must restart LFD as they are all cached in memory.

HTML Messenger Server

The HTML message that is displayed is provided by the file /etc/csf/messenger/index.html

The HTML server providing this page is very rudimentary but will accept the use of linked images that are stored in the /etc/csf/messenger/ directory. The images must be of either jpg, gif or png format. These images are loaded into memory so you should keep the number and size to a minimum. No other linked resource files are supported (e.g. .css, .js).

The server has a built-in function that will replace the text [IPADDRESS] in index.html with the IP address that is blocked by the firewall. This will help the blocked user know what their blocked IP address is. You can also use the text [HOSTNAME], which will be replaced by the server's FQDN hostname.

• The HTML server does not support SSL connections, so redirecting port 443 will not work.
• The HTML server port should not be added to the TCP_IN list.
• There is a maximum of 15 ports allowed in MESSENGER_HTML_IN.

TEXT Messenger Server

The TEXT message that is displayed is provided by the file /etc/csf/messenger/index.text

This file should only contain text. The TEXT server providing this file simply sends the contents to the connecting port and no protocol exchange takes place. This means that it may not be suitable for use with protocols such as POP3.

The server has a built-in function that will replace the text [IPADDRESS] in index.text with the IP address that is blocked by the firewall. This will help the blocked user know what their blocked IP address is. You can also use the text [HOSTNAME], which will be replaced by the server's FQDN hostname.

• The TEXT server does not support SSL connections, so redirecting port 995 will not work.
• The TEXT server port should not be added to the TCP_IN list.
• There is a maximum of 15 ports allowed in MESSENGER_TEXT_IN.
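
The limits listed for the HTML and TEXT servers can be checked before restarting LFD. The following is an added example, not part of the product or its documentation: it assumes csf.conf uses KEY = "value" lines, that MESSENGER_HTML and MESSENGER_TEXT hold the daemon listen ports, and that TCP_IN may contain lo:hi ranges; the sample inputs are constructed.

```python
import re

# Constructed sample inputs for illustration (not taken from a real server).
SAMPLE_CONF = '''
TCP_IN = "22,80,443,8000:8999"
MESSENGER_HTML = "8888"
MESSENGER_TEXT = "9889"
MESSENGER_HTML_IN = "80,443,2082"
MESSENGER_TEXT_IN = "21,25,110,995"
'''
SAMPLE_HTML = ('<html><head><link rel="stylesheet" href="style.css"></head>'
               '<body><img src="logo.png"><p>[IPADDRESS] is blocked</p></body></html>')

def parse_conf(text):
    """Return {KEY: value} for csf.conf-style lines of the form KEY = "value"."""
    return dict(re.findall(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', text, re.M))

def ports(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def is_open(port, entries):
    """True if port matches an entry; entries may be single ports or lo:hi ranges."""
    for entry in entries:
        lo, _, hi = entry.partition(":")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= int(port) <= int(hi):
            return True
    return False

def check_messenger(conf_text, html_text):
    """Return a list of violations of the messenger limits described above."""
    conf, problems = parse_conf(conf_text), []
    tcp_in = ports(conf.get("TCP_IN", ""))
    for kind, tls_port in (("HTML", "443"), ("TEXT", "995")):
        redirected = ports(conf.get(f"MESSENGER_{kind}_IN", ""))
        if len(redirected) > 15:
            problems.append(f"MESSENGER_{kind}_IN lists more than 15 ports")
        if tls_port in redirected:
            problems.append(f"MESSENGER_{kind}_IN redirects SSL port {tls_port}")
        # Assumption: MESSENGER_HTML / MESSENGER_TEXT hold the daemon listen ports.
        listen = conf.get(f"MESSENGER_{kind}", "")
        if listen.isdigit() and is_open(listen, tcp_in):
            problems.append(f"{kind} server port {listen} is in TCP_IN")
    # The HTML server only serves jpg, gif and png files linked from index.html.
    for ref in re.findall(r'<(?:img|script|link)\b[^>]*?(?:src|href)\s*=\s*["\']([^"\']+)',
                          html_text, re.I):
        if not re.search(r'\.(jpg|gif|png)$', ref, re.I):
            problems.append(f"index.html links unsupported resource {ref}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_messenger(SAMPLE_CONF, SAMPLE_HTML)) or "OK")
```

To run it against a live system, pass the contents of /etc/csf/csf.conf and /etc/csf/messenger/index.html to check_messenger instead of the samples.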

Messenger User

The Juggernaut interface will create a unique user that the messenger services will run under. This user will be disabled and have no shell access. The command to create such an account from the root shell would be:

useradd csf -s /bin/false

Related Files

File | Description
/etc/csf/csf.conf | MESSENGER_* configuration options
/etc/csf/messenger/index.html | The HTML message that is displayed by the messenger service when an IP address is being blocked by the firewall.
/etc/csf/messenger/index.text | The TEXT message that is displayed by the messenger service when an IP address is being blocked by the firewall.