CSF › Version
15.10
CSF › Release
Stable
System › OS
Linux
System › Distro & Version
Cloudlinux 7.9
Control Panel › Name
cPanel
Priority
Low
Issue Description
CSF Version: v16.08 (cPanel fork) — also confirmed present in v15.10 source (same original codebase)
Description:
The blockdistattack function in /usr/sbin/lfd sends email alerts for every temporary distributed SSH attack block,
regardless of the LF_TEMP_EMAIL_ALERT setting. This is inconsistent with how the rest of LFD handles temp block
emails.
csf.conf settings (verified, no typos):
LF_EMAIL_ALERT = "1"
LF_TEMP_EMAIL_ALERT = "0"
LF_DISTATTACK = "15"
LF_DISTATTACK_UNIQ = "2"
Expected behavior:
With LF_TEMP_EMAIL_ALERT = "0", no emails should be sent for any temporary blocks, including distributed SSH attack
blocks.
Actual behavior:
Every LF_DISTATTACK temporary block sends an email alert. On a server facing typical internet SSH brute force traffic,
this produces dozens of unwanted emails per hour. Normal LF_SSHD temp blocks correctly produce no email with the same
settings.
lfd.log showing the blocks that generated unwanted emails:
Mar 10 12:41:26 hosting1 lfd[2968458]: 103.74.123.88 (VN/Vietnam/sv123088.bkns.vn), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:41:26 hosting1 lfd[2968458]: 157.10.252.74 (ID/Indonesia/ip157-10-252-74.cloudhost.web.id), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:41:26 hosting1 lfd[2968458]: 43.162.103.157 (US/United States/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:43:27 hosting1 lfd[2969626]: 206.189.149.194 (SG/Singapore/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:43:27 hosting1 lfd[2969626]: 181.191.128.18 (BR/Brazil/static-181-191-128-18.fabconnectprovedor.net.br), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 13:01:10 hosting1 lfd[2981060]: 36.50.55.18 (VN/Vietnam/-), 5 distributed sshd attacks on account [clawd] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Each of these temp blocks generated an email despite LF_TEMP_EMAIL_ALERT = "0".
Root cause:
In /usr/sbin/lfd, the blockdistattack function (around line 2657 in v16.08) checks only LF_EMAIL_ALERT:
if ( $config{LF_EMAIL_ALERT} ) {
The normal block path (around line 2525) correctly checks both:
if ( $config{LF_EMAIL_ALERT} and ( $perm or ( !$perm and $config{LF_TEMP_EMAIL_ALERT} ) ) ) {
The blockdistftp and blockdistsmtp functions are also fine — they have their own LF_DISTFTP_ALERT and
LF_DISTSMTP_ALERT toggles. Only blockdistattack is missing a temp check.
Suggested fix:
Change the condition in blockdistattack from:
if ( $config{LF_EMAIL_ALERT} ) {
to:
if ( $config{LF_EMAIL_ALERT} and ( $perm or ( !$perm and $config{LF_TEMP_EMAIL_ALERT} ) ) ) {
This matches the pattern used in the main ipblock email path and respects the admin's LF_TEMP_EMAIL_ALERT setting.
Steps To Reproduce
CSF Version: v16.08 (cPanel fork) — also confirmed present in v15.10 source (same original codebase)
Description:
The blockdistattack function in /usr/sbin/lfd sends email alerts for every temporary distributed SSH attack block,
regardless of the LF_TEMP_EMAIL_ALERT setting. This is inconsistent with how the rest of LFD handles temp block
emails.
csf.conf settings (verified, no typos):
LF_EMAIL_ALERT = "1"
LF_TEMP_EMAIL_ALERT = "0"
LF_DISTATTACK = "15"
LF_DISTATTACK_UNIQ = "2"
Expected behavior:
With LF_TEMP_EMAIL_ALERT = "0", no emails should be sent for any temporary blocks, including distributed SSH attack
blocks.
Actual behavior:
Every LF_DISTATTACK temporary block sends an email alert. On a server facing typical internet SSH brute force traffic,
this produces dozens of unwanted emails per hour. Normal LF_SSHD temp blocks correctly produce no email with the same
settings.
Root cause:
In /usr/sbin/lfd, the blockdistattack function (around line 2657 in v16.08) checks only LF_EMAIL_ALERT:
if ( $config{LF_EMAIL_ALERT} ) {
The normal block path (around line 2525) correctly checks both:
if ( $config{LF_EMAIL_ALERT} and ( $perm or ( !$perm and $config{LF_TEMP_EMAIL_ALERT} ) ) ) {
The blockdistftp and blockdistsmtp functions are also fine — they have their own LF_DISTFTP_ALERT and
LF_DISTSMTP_ALERT toggles. Only blockdistattack is missing a temp check.
Suggested fix:
Change the condition in blockdistattack from:
if ( $config{LF_EMAIL_ALERT} ) {
to:
if ( $config{LF_EMAIL_ALERT} and ( $perm or ( !$perm and $config{LF_TEMP_EMAIL_ALERT} ) ) ) {
This matches the pattern used in the main ipblock email path and respects the admin's LF_TEMP_EMAIL_ALERT setting.
Logs › Lfd
lfd.log showing the blocks that generated unwanted emails:
Mar 10 12:41:26 hosting1 lfd[2968458]: 103.74.123.88 (VN/Vietnam/sv123088.bkns.vn), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:41:26 hosting1 lfd[2968458]: 157.10.252.74 (ID/Indonesia/ip157-10-252-74.cloudhost.web.id), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:41:26 hosting1 lfd[2968458]: 43.162.103.157 (US/United States/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:43:27 hosting1 lfd[2969626]: 206.189.149.194 (SG/Singapore/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 12:43:27 hosting1 lfd[2969626]: 181.191.128.18 (BR/Brazil/static-181-191-128-18.fabconnectprovedor.net.br), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Mar 10 13:01:10 hosting1 lfd[2981060]: 36.50.55.18 (VN/Vietnam/-), 5 distributed sshd attacks on account [clawd] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]
Each of these temp blocks generated an email despite LF_TEMP_EMAIL_ALERT = "0".
Config › csf.conf
csf.conf settings (verified, no typos):
LF_EMAIL_ALERT = "1"
LF_TEMP_EMAIL_ALERT = "0"
LF_DISTATTACK = "15"
LF_DISTATTACK_UNIQ = "2"
Screenshots
No response
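The gating difference described in the report, as an added example that is not part of the original issue or of CSF's code: it evaluates the two conditions quoted above against constructed lfd.log-style lines, using the report's csf.conf values. The helper names, the sample lines, and the rule that a block line without "for N secs" is a permanent block are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not CSF/lfd code): compares the two email-gating
# conditions quoted in the report on constructed lfd.log-style lines.
use strict;
use warnings;

# Values from the report's csf.conf.
my %config = ( LF_EMAIL_ALERT => 1, LF_TEMP_EMAIL_ALERT => 0 );

# Condition the report attributes to blockdistattack today.
sub alert_current {
    my ($perm) = @_;    # ignored: this is the reported defect
    my $send = $config{LF_EMAIL_ALERT} ? 1 : 0;
    return $send;
}

# Condition the report proposes (same shape as the normal block path).
sub alert_proposed {
    my ($perm) = @_;
    my $send = 0;
    if ( $config{LF_EMAIL_ALERT} and ( $perm or ( !$perm and $config{LF_TEMP_EMAIL_ALERT} ) ) ) {
        $send = 1;
    }
    return $send;
}

# Constructed sample lines using documentation IPs. Assumption: a line
# without "for N secs" represents a permanent block ($perm = 1).
my @log = (
    'Mar 10 12:41:26 host lfd[100]: 192.0.2.10 (-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]',
    'Mar 10 12:41:26 host lfd[100]: 192.0.2.11 (-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf for 3600 secs [LF_DISTATTACK]',
    'Mar 10 12:43:27 host lfd[101]: 198.51.100.7 (-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Blocked in csf [LF_DISTATTACK]',
    'Mar 10 12:44:02 host lfd[102]: 203.0.113.9 (-), 5 (sshd) Failed SSH login from 203.0.113.9 - Blocked in csf for 3600 secs [LF_SSHD]',
);

my %sent = ( current => 0, proposed => 0 );
for my $line (@log) {
    # Only distributed-attack blocks go through blockdistattack.
    next unless $line =~ /lfd\[\d+\]: (\S+) .*Blocked in csf(?: for (\d+) secs)? \[LF_DISTATTACK\]\s*$/;
    my ( $ip, $secs ) = ( $1, $2 );
    my $perm = defined $secs ? 0 : 1;
    my ( $cur, $new ) = ( alert_current($perm), alert_proposed($perm) );
    $sent{current}  += $cur;
    $sent{proposed} += $new;
    printf "%-14s %-4s current=%d proposed=%d\n", $ip, ( $perm ? 'perm' : 'temp' ), $cur, $new;
}
printf "emails sent: current=%d proposed=%d\n", $sent{current}, $sent{proposed};
```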