ConfigServer Firewall (CSF) is a Stateful Packet Inspection (SPI) firewall created by the ConfigServer Services team. CSF, offers login and intrusion detection and other security applications for Linux servers to provide enterprise security protection for your server while giving you access to advanced configurable options, easily managed through its the CSF GUI.
CSF comes complete with a Login Failure Daemon (LFD) will monitors server log activity for anything malicious such as excessive login failures, commonly seen with brute force attacks. LFD will act to temporarily or permanently ban the offering IP address, once its failure thresholds have been met. That IP address will no longer be able to access any services on your server.
If you or someone else using the server accidentally excesses the LFD thresholds your IP address will become blocked. Temporary IP blocks will expire after a set period of time and you will then be able to access the server again. However, Permanent IP blocks will not expire and you will need to manually remove the IP blocks using the CSF GUI in DirectAdmin or cPanel or command line interface.
You could accidentally trigger LFD to block your IP address because you have forgotten your password to the control panel and entered it incorrectly too many times or your email account passwords were wrong and your email program attempted to connect to the server multiple times or you were updating your WordPress website and it accidentally triggered a mod security rule. All innocent and not excessive login failures but LFD triggered, as it should to block the ‘attack’. This could result in your website appearing to be down as you cannot access it, or you unable to access your email due to the block but you won’t know that a block is in place as there is no message.
There is a feature built into ConfigServer Firewall (CSF) for this kind of situation, and it’s called Messenger Server. Now when you try to browse your website, you’ll be greeted with a message saying The firewall on this server is blocking your connection. You need to contact the server owner or hosting provider for further information.. The web page will enable you to unblock an IP address yourself using the reCAPTCHA system. The Messenger Service can be used to remove IP addresses that feature in either the temporary and/or permanent csf.deny file.
In this guide, we will show you how to activate the Messenger Service, enable Google reCAPTCHA and enter your site and secure key from within CSF GUI, create a non-privileged, non-shell user called CSF to run the Messenger daemon and how to customise the blocked page.
Activate Messenger Service
Firstly, we will need to activate the Messenger Service in CSF. We can do this via the CSF GUI or using the command line to edit the /etc/csf/csf.conf file. I prefer to use the command line as it is quicker to setup the Messenger Service but if you prefer to use the CSF GUI, you can view the instructions below.
Using Command Line
To activate Messenger, we need to edit the /etc/csf/csf.conf file using the command line with the following code. The default Messenger setting is off but we can check using the following code:
grep -w '^MESSENGER' /etc/csf/csf.conf
# MESSENGER = "0"To activate Messenger, just copy and paste the following code:
perl -pi -w -e "s/MESSENGER = \"0\"/MESSENGER = \"1\"/" /etc/csf/csf.conf
Now if we run the grep command again, we will see the result has changed to:
# MESSENGER = "1"Using GUI
To activate the Messenger Service using the CSF GUI, you will need to log into your current hosting panel using https://server.domain.com:2222 for DirectAdmin or https://server.domain.com: 2087 for cPanel. Once you have logged into the dashboard, you will need to select the ConfigServer Security & Firewall icon.
Once the ConfigServer Security & Firewall panel has loaded you will need to select Firewall Configuration button to edit the CSF /etc/csf/csf.conf file.
Now you will need to scroll down to the section called Messenger Service. The first option called MESSENGER = will be OFF. You will need to click ON to active the Messenger Service.
Enable Google reCAPTCHA
Now we need to enable Google reCAPTCHA, so users will have the ability to unblock themselves on the Messenger unblock page. Firstly, we need to set up our reCAPTCHA site and secret keys by visiting the Google reCAPTCHA website. When making your reCAPTCHA keys make sure you uncheck the Verify the origin of reCAPTCHA solutions option. Now you have your ReCaptcha site and secret keys we need to enter them into CSF. If you are using the CSF GUI, you can view the instructions below.
Using Command Line
To activate reCAPTCHA, just copy and paste the following code. The default reCAPTCHA Site and Secret Key setting is empty but we can check using the following code:
grep -w '^RECAPTCHA_SITEKEY' /etc/csf/csf.conf
# RECAPTCHA_SITEKEY = " "grep -w '^RECAPTCHA_SECRET' /etc/csf/csf.conf
# RECAPTCHA_SECRET = " "Now we need to add our reCAPTCHA Site and Secret Keys into the /etc/csf/csf.conf file, with the following code:
perl -pi -w -e "s/RECAPTCHA_SITEKEY = \"\"/RECAPTCHA_SITEKEY = \"kRNqhCalhxnXHTWlKOQ40EFvbkC3BF80YE6pMQFy\"/" /etc/csf/csf.conf
perl -pi -w -e "s/RECAPTCHA_SECRET = \"\"/RECAPTCHA_SECRET = \"nBBpD9yn30Dq3ILGwkLP61K0GYBEVpvQ00gka3NG\"/" /etc/csf/csf.conf
Important
Please remember to change the example reCAPTCHA keys in the above code.
Now if we run the grep commands again, we will see the results have changed to:
# RECAPTCHA_SITEKEY = "kRNqhCalhxnXHTWlKOQ40EFvbkC3BF80YE6pMQFy"# RECAPTCHA_SECRET = "nBBpD9yn30Dq3ILGwkLP61K0GYBEVpvQ00gka3NG"Using GUI
Now you will need to scroll down to the reCAPTCHA options RECAPTCHA_SITEKEY and RECAPTCHA_SECRET. In the RECAPTCHA_SITEKEY you will need to paste your Site Key kRNqhCalhxnXHTWlKOQ40EFvbkC3BF80YE6pMQFy and your Secret Key nBBpD9yn30Dq3ILGwkLP61K0GYBEVpvQ00gka3NG.
Important
Please remember to change the example reCAPTCHA keys in the above code.
Now scroll down to the bottom of the bottom of /etc/csf/csf.conf click the Change button and then click the Restart csf+lfd button. Now you will need to move onto the command line to add a new user for the CSF Messenger Service.
Add User for CSF Messenger Service
Now we need to create a new unique user that the Messenger services will run under. The new user should disabled and have no shell access, but will need to have a home directory. We will create a new user called CSF, using the following command:
useradd csf -s /bin/false
Now we have enabled the Messenger Service, added the Site and Secret Key to enable reCAPTCHA and created the new user CSF. So now we need to restart CSF and LFD. We can do this, using the following commands:
service csf restart service lfd restart
That’s it. You have now successfully set up the CSF Messenger Service.
Customise the Block Page
CSF provides the ability to customise the Block Page. If you want to customise the Block Page you will need to edit the index.html file for the standard Block Page or the index.recaptcha.html file for the reCAPTCHA Block Page. These files are located in the /etc/csf/messenger folder. The image above shows the default template layout for the index.recaptcha.html file.
Note
After editing the files you will need to make sure you restart CSF and LFD, otherwise your changes will not take effect.
You can find more information on how to customise the the files in the CSF Readme.
