IP addresses denied in /etc/hosts.allow appear in /etc/csf/csf.deny?
csf.deny
is used by ConfigServer Firewall, and IPs listed there will not be allowed to connect to the server at all.
If an IP is in csf.deny
file, it means it is blocked in the server firewall on all ports, and will not be presented with any login screen on any of the services, as it will never establish connections with the server.
5 in the last 300 seconds, means that they failed the authentication process, which got them blacklisted in CSF. It can be that they inputted wrong credentials, or that they didn't get the login prompt at all, if only SSH keys are allowed.
putting IP in hosts.allow
will allow it to connect to the service you specified there, but they still need to enter the correct credentials to connect to the server.
IPs that are not listed as allowed should be presented with following message:
ssh_exchange_identification: Connection closed by remote host
This will, I believe, be treated as failed login if they try to connect to SSH, any they will end up in csf.deny if they hit the failed login limit. They will establish connection to SSH port, but will fail to authenticate themselves due to deny rule, and CSF will see it as failed login.
Better option on blocking SSH for non-listed IPs would be to completely block it in CSF, as described in the end of this post.
In addition to csf.deny, important files are also csf.allow
, and csf.ignore
.
csf.allow
will allow connections from the listed IP on any source port, to any destination port.
csf.ignore
will ignore any failed actions from listed IP, it will not be subjected to limits on failed logins, or connections.
you can remove the IP from csf.deny
with csf -dr IP
and whitelist it in csf.allow
with csf -a IP
If you want to completely block SSH for non-preapproved IPs, and want to avoid your csf.deny
growing due to failed SSH logins, you can completely block SSH port, 22 if you haven't changed it, by removing it from the TCP_IN line in csf.config
.
After you change anything in csf.config
, you need to restart CSF with csf -r
to reload the config file.
This will block port 22 for all the IPs, except IPs listed in csf.allow.
By removing port 22 from TCP_IN in csf.config
, and putting your IPs in csf.allow
, you will allow only those IPs to connect to port 22, any other IP will not be presented with any SSH login, but will receive timed out message when trying to connect to SSH.
If you put only the IP in csf.allow
, it will be allowed to all ports, but you can specify a single port only with advanced port+ip filtering.
Putting this in csf.allow
will allow connections to port 22 from the IP, even if port 22 is not allowed in csf.config
.
tcp:in:d=22:s=x.x.x.x