Server Down? Check the Firewall First
Have you ever been administering your server when, all of a sudden, it appears to have mysteriously dropped off the Internet? You can no longer make an SSH connection, your email client times out, and your websites are down! What gives? Before jumping to the conclusion that your server or web host is down, you should check your server’s firewall. It’s likely the reason why you can’t connect.
A couple of weeks ago in the Tech Bench I talked about using ConfigServer Firewall (CSF) to administer a server firewall. CSF is complemented by a lesser-known companion program called Login Failure Daemon (LFD). This software actively checks for brute-force attacks, port scans, and other potential threats. If an “attack” is detected, it will automatically add the offending IP address to the firewall. It does all this quietly (in the background), and when an IP block is committed, the root user will be informed via email. On occasion, LFD may lock you or your users out! This is because LFD works based on thresholds. Some common thresholds are:
- .htaccess login rate
- cPanel login rate
- POP/IMAP login rate
- FTP login rate
- SSH login rate
For instance, the default rate for POP/IMAP authentication is 10 failed attempts every 300 seconds. If that rate is exceeded, LFD will automatically add a block rule to the firewall and email the administrator with a reason why. Many regular users save their account passwords in their local client programs so that they don’t have to bother typing them every time. If that password is changed, but the client program (web browser, FTP client, etc.) isn’t updated with the new password, that user could trigger LFD to block them with a firewall rule. To the untrained eye, it would look like the server suddenly dropped off the face of the web.
Aside from making sure you’re entering the correct password every time, there are a few ways to prevent yourself from being blocked:
- Whitelist your IP. This is the best way to ensure a known user doesn’t get blocked.
- Raise the thresholds. This should help with users that have a habit of trying to log in with the same non-working credentials over and over.
If you have cPanel installed, you can access the CSF administrative interface and make changes to the Login Failure Daemon in WHM. Simply click “Plugins” at the bottom of the left-hand menu in WHM and select “ConfigServer Security & Firewall.”
To whitelist an IP address, add it to the green box in the “csf – ConfigServer Firewall” section of the CSF admin interface and click “Quick Allow.”
To raise the thresholds for an application, click Firewall Configuration in the same section of the interface. On the next page, use the dropdown menu to jump to “Login Failure Blocking and Alerts.” Adjust the thresholds for the services you wish in the given boxes.
As an example, here is the specific application configuration for SSH:
LF_SSHD = 5
LF_SSHD_PERM = 1
Changing LF_SSHD = 5 to LF_SSHD = 10 will raise the login failure threshold for SSH from 5 to 10 attempts. Changing the value of LF_SSHD_PERM will change the length of time an IP is blocked. 1 is a permanent block, 0 is no block, and any other positive number is the number of seconds the block should last.
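To see how these settings interact, here is a small simulation added as an illustration; it is not LFD's own code. It assumes failures are counted per IP in a sliding window and that a block fires once the count reaches the limit. The names simulate and stale_client and the address 198.51.100.7 are hypothetical.

```python
from collections import defaultdict, deque

def simulate(failures, limit, interval, perm, whitelist=()):
    """failures: (timestamp_seconds, ip) failed logins in time order.
    Returns {ip: (blocked_at, expires_at)}; expires_at None = permanent."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocks = {}
    for ts, ip in failures:
        # Whitelisted IPs are never blocked; perm 0 means "no block" per the article.
        if ip in whitelist or perm == 0:
            continue
        active = blocks.get(ip)
        if active and (active[1] is None or ts < active[1]):
            continue  # already firewalled, so the attempt never reaches the service
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - interval:
            window.popleft()  # forget failures older than the interval
        if len(window) >= limit:  # assumption: block when the count reaches the limit
            blocks[ip] = (ts, None if perm == 1 else ts + perm)
            window.clear()
    return blocks

def stale_client(poll_seconds, attempts=30, ip="198.51.100.7"):
    """Constructed input: a mail client retrying a changed password on a timer."""
    return [(i * poll_seconds, ip) for i in range(attempts)]

if __name__ == "__main__":
    # POP/IMAP figures from the article: 10 failures per 300 seconds.
    print("poll every 20s:", simulate(stale_client(20), 10, 300, 1))
    print("poll every 60s:", simulate(stale_client(60), 10, 300, 1))
    print("whitelisted:   ", simulate(stale_client(20), 10, 300, 1,
                                      whitelist={"198.51.100.7"}))
    print("600s temp block:", simulate(stale_client(20), 10, 300, 600))
    # SSH: seven quick typos against LF_SSHD = 5 versus LF_SSHD = 10.
    typos = [(t, "198.51.100.7") for t in range(7)]
    print("LF_SSHD=5: ", simulate(typos, 5, 300, 1))
    print("LF_SSHD=10:", simulate(typos, 10, 300, 1))
```

A client polling every 20 seconds is blocked three minutes after the password change, while one polling every 60 seconds never accumulates enough failures inside the window.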
I hope this introduction to ConfigServer Firewall’s Login Failure Daemon gives you a few tools to help you keep access open to your server. ConfigServer Firewall and Login Failure Daemon have many more features. Remember, if you are having trouble with LFD or anything else on your server and you’re a ServInt customer, you can always open a ticket in your Customer Portal, and we’ll be happy to help.