Change the Number of Failed Login Attempts on CSF

Posted on June 14th, 2018

The ConfigServer Security firewall, known as CSF, is open source software most commonly used to configure an advanced firewall on Linux servers, with features such as login detection, SSH login notifications, etc. CSF provides a wide range of protection for your Linux servers. By default, CSF blocks an IP address when a wrong username or password is entered more than 5 times in the last 3600 seconds. You can also find the reason why an IP has been blocked on the server in the LFD log file. LFD stands for Login Failure Daemon, a process that is part of CSF and periodically checks for potential threats to a server. CSF works together with LFD: CSF checks the LFD logs for failed login attempts at a regular time interval and is able to find most unauthorized attempts to gain access to your Linux server. The following applications can be configured in the CSF firewall.

IMAP, Dovecot, POP3D

OpenSSH

cPanel, WHM, Webmail(in cPanel Server)

Pure-ftpd, vsftpd, Proftpd

Password protected areas on the website.

Mod_security.

Suhosin failures.

Exim SMTP AUTH

By default, CSF blocks an IP address when someone logging into the control panel, email, or a password protected area on the website enters a wrong username or password more than 5 times in the last 3600 seconds. We can change these failed-attempt values in the CSF configuration file. In this tutorial, we will discuss how to change these values in the csf config file via both WHM and the command line (CLI).

Edit csf configuration via command line (CLI)

1) Log in to the server as the root user.

2) Open the csf config file using a text editor such as vi or vim.

vi /etc/csf/csf.conf

3) Then find the following entries.

To change the failed login attempt value for FTP:

LF_FTPD = "10"

To change the failure detection value for SMTP AUTH connections:

LF_SMTPAUTH = "5"

To change the login failure detection value for courier pop3 connections:

LF_POP3D = "5"

To change the login failure detection value for courier imap connections:

LF_IMAPD = "10"

To change the login failure detection value for cPanel, webmail and WHM connections:

LF_CPANEL = "5"

4) Save the config file after changing these values.

5) Restart the csf and lfd services.

csf -r

service csf restart

service lfd restart
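
As an added example (not part of the original tutorial and not code shipped with CSF), the helper below performs steps 2 to 4 without an interactive editor: it validates the new value, keeps a backup, rewrites only the matching line and warns when a threshold is raised. The function names get_lf and set_lf and the CSF_CONF variable are hypothetical, and the script assumes the KEY = "value" line format shown above and only the five keys listed in step 3.

```shell
#!/usr/bin/env bash
# Added example: read and change the LF_* thresholds from step 3 safely.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"   # override to try it on a copy

# get_lf KEY -> prints the quoted value of KEY, e.g. get_lf LF_FTPD
get_lf() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$CSF_CONF" | head -n 1
}

# set_lf KEY VALUE -> validate, back up, rewrite the one line, verify.
set_lf() {
    lf_key="$1"; lf_new="$2"
    case "$lf_key" in
        LF_FTPD|LF_SMTPAUTH|LF_POP3D|LF_IMAPD|LF_CPANEL) ;;
        *) echo "refusing unknown key: $lf_key" >&2; return 2 ;;
    esac
    case "$lf_new" in
        ''|*[!0-9]*) echo "value must be a whole number: $lf_new" >&2; return 2 ;;
    esac
    lf_old="$(get_lf "$lf_key")"
    [ -n "$lf_old" ] || { echo "$lf_key not found in $CSF_CONF" >&2; return 1; }
    # Raising a threshold allows more guesses before the IP is blocked.
    case "$lf_old" in
        *[!0-9]*) ;;
        *) [ "$lf_new" -le "$lf_old" ] || echo "warning: $lf_key raised $lf_old -> $lf_new" >&2 ;;
    esac
    cp -p "$CSF_CONF" "$CSF_CONF.bak" || return 1
    lf_tmp="$(mktemp)" || return 1
    # Write through a temp file, then cat back so owner and mode are kept.
    sed "s/^\\($lf_key[[:space:]]*=[[:space:]]*\\)\"[^\"]*\"/\\1\"$lf_new\"/" \
        "$CSF_CONF" > "$lf_tmp" && cat "$lf_tmp" > "$CSF_CONF"
    rm -f "$lf_tmp"
    [ "$(get_lf "$lf_key")" = "$lf_new" ]
}
# After a successful set_lf on the live file, apply it with: csf -r
```

Source the file as root and call, for example, set_lf LF_FTPD 5; the previous file is kept beside the original with a .bak suffix.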

 

Edit csf configuration via WHM

1) Log in to WHM as the root user.

2) Go to Plugins >> ConfigServer Security & Firewall.

3) Click on “Firewall Configuration”.

From here you can change the same values listed above.

Please note that increasing these values will decrease your server security.

3 Responses to “Change the Number of Failed Login Attempts on CSF”

  1. Laurence says:

    It says above it will block failed logins to openSSH. But in the config settings, there is no SSH option, so what setting controls the failed login to SSH? Thanks

    • You can use ‘Host Access Control’ option in the WHM (WHM >> Security Center >> Host Access Control) for disabling SSH access to others.

      Example:

      Daemon = SSH
      Access List = 192.168.0.1 (replace with actual IP address)
      Action = Allow

  2. Eugene van der Merwe says:

    How can you control how long people are locked out?

    We are under constant attack and I want people who get the password wrong to stay away from the server for at least 24 hours.
