CSF / LFD Firewall: csf.pignore not working or ignoring processes
If you set up the ConfigServer Security & Firewall (CSF) with Login Failure Daemon (LFD) on your Linux server, you might get bombarded with unwanted e-mails after enabling the mail alert. To get rid of them, one possible solution is to disable the alert services that trigger them. But to be honest, this would give up some of the great advantages of the software. The other, significantly better solution is to ignore trusted processes in the /etc/csf/csf.pignore file. Sometimes the processes listed in the file aren't ignored and you still get e-mails from LFD, which is pretty frustrating. There isn't a log file or debug option to check the validity of the file. To identify the problem, just check the following:
1. Restart CSF and LFD
First, remember to restart CSF with sudo csf -r as well as LFD with sudo service lfd restart. Most users forget to restart LFD, which is important to apply the changes to the /etc/csf/csf.pignore file.
If you are using the Web UI you can restart LFD with a single button click after making your changes in the text area field.
2. Be Careful with Inline Comments
Perhaps you want to structure your ignored processes with comments to keep the overview. One thing I noticed pretty late: Don't put comments at the end of a line! Use a separate line for every comment! Otherwise, it won't work because LFD doesn't seem to filter it out.
As an example, this will not work:
exe:/usr/sbin/apache2 # Apache Webserver
exe:/usr/bin/zsh # ZSH Shell
exe:/usr/sbin/nginx # nginx Webserver
To get it working, change it into:
# Apache Webserver
exe:/usr/sbin/apache2
# ZSH Shell
exe:/usr/bin/zsh
# nginx Webserver
exe:/usr/sbin/nginx
3. Check RegEx Syntax
LFD allows you to use Perl Regular Expressions (RegEx) to ignore a stack of processes with a single line. Remember two things:
- Use the correct prefix! This is pexe instead of exe, pcmd instead of cmd and so on. RegEx won't work without the leading p.
- Get familiar with the Perl RegEx syntax! If you want to add a wildcard that can be filled with anything, use .* instead of a single *. Explanation: A single . represents any character, a * represents the repetition of the last character (or nothing). Therefore, .* can be anything.
A working example would be:
pexe:/usr/lib/systemd/systemd-.*
4. Check your System and Side Effects
Be sure that you have a working CSF and LFD system, running the latest version. Check for errors in the LFD log with sudo cat /var/log/lfd.log and check for updates with sudo apt-get update && sudo apt-get upgrade and/or sudo csf -u. Also check that you are working in the correct process ignore file (location: /etc/csf/csf.pignore) and that the file is formatted correctly (with Linux line endings) and has no other abnormalities.
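Since LFD gives no feedback on a broken ignore file, the pitfalls from steps 2 to 4 can be checked with a small script. The linter below is an added example, not part of CSF or of the original post: the finding codes, the user/puser prefixes and the sample content are assumptions made for illustration, and it only flags the mistakes described above instead of reproducing LFD's own parser.

```python
import re

LITERAL = ("exe", "cmd", "user")           # matched as exact strings
REGEX = tuple("p" + p for p in LITERAL)    # matched as Perl RegEx: pexe, pcmd, puser

MESSAGES = {
    "crlf": "Windows (CRLF) line ending; convert the file to Linux line endings",
    "inline-comment": "comment at the end of the line; move it to its own line",
    "literal-wildcard": "'*' in a non-RegEx entry; use the p-prefixed form",
    "bare-star": "'*' only repeats the previous character; use '.*' as wildcard",
}

# Constructed sample content, not taken from a real server.
SAMPLE = (
    "# Apache Webserver\n"
    "exe:/usr/sbin/apache2\n"
    "exe:/usr/bin/zsh # ZSH Shell\n"
    "exe:/usr/lib/systemd/systemd-*\n"
    "pexe:/usr/lib/systemd/systemd-*\n"
    "pexe:/usr/lib/systemd/systemd-.*\n"
    "exe:/usr/sbin/nginx\r\n"
)

def lint_pignore(text):
    """Return (line_number, code) findings for csf.pignore content."""
    findings = []
    for no, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            findings.append((no, "crlf"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or full-line comment
        prefix, sep, value = line.partition(":")
        if not sep or prefix not in LITERAL + REGEX:
            continue                       # other line types are left alone
        if re.search(r"\s#", value):
            findings.append((no, "inline-comment"))
            value = re.split(r"\s#", value, maxsplit=1)[0]
        if prefix in LITERAL and "*" in value:
            findings.append((no, "literal-wildcard"))
        # '*' that is not preceded by '.', ']', ')' or a backslash
        elif prefix in REGEX and re.search(r"(?<![.\])\\])\*", value):
            findings.append((no, "bare-star"))
    return findings

if __name__ == "__main__":
    for no, code in lint_pignore(SAMPLE):
        print(f"line {no}: {MESSAGES[code]}")
```

To check a real file, read it with open("/etc/csf/csf.pignore", newline="") so that Python does not silently convert CRLF line endings before the check runs.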