IP addresses denied in /etc/hosts.allow appear in /etc/csf/csf.deny?

security linux hosts.allow csf

csf.deny is used by ConfigServer Firewall, and IPs listed there will not be allowed to connect to the server at all.

If an IP is in csf.deny file, it means it is blocked in the server firewall on all ports, and will not be presented with any login screen on any of the services, as it will never establish connections with the server.

5 in the last 300 seconds, means that they failed the authentication process, which got them blacklisted in CSF. It can be that they inputted wrong credentials, or that they didn't get the login prompt at all, if only SSH keys are allowed.

putting IP in hosts.allow will allow it to connect to the service you specified there, but they still need to enter the correct credentials to connect to the server.

IPs that are not listed as allowed should be presented with following message:

ssh_exchange_identification: Connection closed by remote host

This will, I believe, be treated as failed login if they try to connect to SSH, any they will end up in csf.deny if they hit the failed login limit. They will establish connection to SSH port, but will fail to authenticate themselves due to deny rule, and CSF will see it as failed login.

Better option on blocking SSH for non-listed IPs would be to completely block it in CSF, as described in the end of this post.

In addition to csf.deny, important files are also csf.allow, and csf.ignore.

csf.allow will allow connections from the listed IP on any source port, to any destination port.

csf.ignore will ignore any failed actions from listed IP, it will not be subjected to limits on failed logins, or connections.

you can remove the IP from csf.deny with csf -dr IP and whitelist it in csf.allow with csf -a IP

If you want to completely block SSH for non-preapproved IPs, and want to avoid your csf.deny growing due to failed SSH logins, you can completely block SSH port, 22 if you haven't changed it, by removing it from the TCP_IN line in csf.config.

After you change anything in csf.config, you need to restart CSF with csf -r to reload the config file.

This will block port 22 for all the IPs, except IPs listed in csf.allow.

By removing port 22 from TCP_IN in csf.config, and putting your IPs in csf.allow, you will allow only those IPs to connect to port 22, any other IP will not be presented with any SSH login, but will receive timed out message when trying to connect to SSH.

If you put only the IP in csf.allow, it will be allowed to all ports, but you can specify a single port only with advanced port+ip filtering.

Putting this in csf.allow will allow connections to port 22 from the IP, even if port 22 is not allowed in csf.config.

tcp:in:d=22:s=x.x.x.x

Related

How to configure a MikroTik hAP ac lite router as a Layer 2 switch?
NFS Performance issues on Oracle Linux 6.7: Shared libraries on NFS slow down system
What AWS service to avoid CORS issues with S3 static content and aws backends
How do I tell why a systemd service was started?
sftp How to get stat attributes?
Connection timed out on new AWS RDS instances - can connect to older, almost identical RDS with no issue
postfix/smtp: fatal: unknown service: smtp/tcp – but /var/spool/postfix/etc/services exists
RabbitMq Management plugin only on localhost
ssh warning: <no hostip for proxy command>
file copy using restore privilege
Confusion with Jenkins Docker Plugin and Jenkins Docker Slaves
Difference between limit number of connections setting in IIS and the Max Pool Size