LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

bendix
Junior Member
Posts: 18
Joined: 05 Mar 2012, 10:13

LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by bendix »

Hi,


LF_SUDO_EMAIL_ALERT = "0"
is ignored.

I have some scripts that must be executed via sudo, and I receive a lot of emails even though the variable is set to 0.


lfd on srv1: SUDO login alert - Successful login from user1(uid=0) to user2
I've added UID 0 to csf.uidignore, but it still isn't working.

Can you please fix it?

Thank you!
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by ForumAdmin »

csf.uidignore has nothing to do with the LF_SUDO_EMAIL_ALERT option. lfd cannot produce that alert if LF_SUDO_EMAIL_ALERT is disabled, which suggests either that lfd was not restarted after the change or that there is an issue with your /etc/csf/csf.conf file.
bendix
Junior Member
Posts: 18
Joined: 05 Mar 2012, 10:13

Re: LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by bendix »

I fully restarted csf and lfd after each modification. I still get SUDO alerts; what do you need from me to debug this?

Here is csf.conf:


# csf.conf as pasted by the poster (csf v14.15 per the thread title).
# Lines marked NOTE(review) are reviewer annotations, not part of the original file.
# NOTE(review): a full csf.conf posted publicly discloses the host's port policy
# (TCP_IN/UDP_IN etc.) and any credentials it holds; redact before sharing.
TESTING = "0"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "1"
AUTO_UPDATES = "1"
LF_SPI = "1"
TCP_IN = "22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000,24441,65000:65535"
TCP_OUT = "7,22,25,53,80,110,113,443,587,873,993,995,2222,2703,10000,20000,65000:65535"
UDP_IN = "53,161,6277"
UDP_OUT = "53,113,123,6277,24441"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
ICMP_TIMESTAMPDROP = "1"
IPV6 = "1"
IPV6_ICMP_STRICT = "0"
IPV6_SPI = "0"
TCP6_IN = "22,25,53,80,110,143,443,465,587,993,995,2222,10000,20000,24441,65000:65535"
TCP6_OUT = "7,22,25,53,80,110,113,443,587,873,993,995,2222,2703,10000,20000,65000:65535"
UDP6_IN = "53,161,6277"
UDP6_OUT = "53,113,123,6277,24441"
ETH_DEVICE = ""
ETH6_DEVICE = ""
ETH_DEVICE_SKIP = ""
USE_CONNTRACK = "1"
USE_FTPHELPER = "0"
SYSLOG_CHECK = "0"
IGNORE_ALLOW = "0"
DNS_STRICT = "0"
DNS_STRICT_NS = "0"
DENY_IP_LIMIT = "200"
DENY_TEMP_IP_LIMIT = "100"
LF_DAEMON = "1"
LF_CSF = "1"
FASTSTART = "1"
LF_IPSET = "0"
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"
LF_IPSET_HASHSIZE = "1024"
LF_IPSET_MAXELEM = "65536"
LFDSTART = "0"
VERBOSE = "1"
PACKET_FILTER = "1"
LF_LOOKUPS = "1"
STYLE_CUSTOM = "1"
STYLE_MOBILE = "1"
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "1"
SMTP_REDIRECT = "0"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWUSER = "postfix"
SMTP_ALLOWGROUP = "postfix,postdrop"
SMTPAUTH_RESTRICT = "0"
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
CONNLIMIT = ""
PORTFLOOD = ""
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"
UDPFLOOD_ALLOWUSER = "named"
SYSLOG = "0"
DROP = "DROP"
DROP_OUT = "REJECT"
DROP_LOGGING = "1"
DROP_IP_LOGGING = "0"
DROP_OUT_LOGGING = "1"
DROP_UID_LOGGING = "1"
DROP_ONLYRES = "0"
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
DROP_PF_LOGGING = "0"
CONNLIMIT_LOGGING = "0"
UDPFLOOD_LOGGING = "1"
LOGFLOOD_ALERT = "0"
# NOTE(review): looks like a placeholder/redacted address; a later post in the
# thread sets this to "" and reports mail still arriving at root@localhost.
LF_ALERT_TO = "admin@domain.com"
LF_ALERT_FROM = "root@localhost"
LF_ALERT_SMTP = ""
BLOCK_REPORT = ""
UNBLOCK_REPORT = ""
X_ARF = "0"
X_ARF_FROM = ""
X_ARF_TO = ""
X_ARF_ABUSE = "0"
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "0"
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
LF_NETBLOCK_IPV6 = ""
SAFECHAINUPDATE = "1"
DYNDNS = "0"
DYNDNS_IGNORE = "0"
LF_GLOBAL = "0"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
GLOBAL_DYNDNS = ""
GLOBAL_DYNDNS_INTERVAL = "600"
GLOBAL_DYNDNS_IGNORE = "0"
LF_BOGON_SKIP = ""
URLGET = "2"
URLPROXY = ""
MM_LICENSE_KEY = ""
CC_SRC = "2"
CC_DENY = ""
CC_ALLOW = ""
CC_ALLOW_FILTER = ""
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
CC_DENY_PORTS = ""
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
CC_IGNORE = ""
CC_ALLOW_SMTPAUTH = ""
CC_MESSENGER_ALLOW = ""
CC_MESSENGER_DENY = ""
CC_DROP_CIDR = ""
CC_LOOKUPS = "1"
CC6_LOOKUPS = "0"
CC_INTERVAL = "14"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SELECT = "0"
LF_EMAIL_ALERT = "0"
LF_TEMP_EMAIL_ALERT = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
LF_BIND = "0"
LF_BIND_PERM = "1"
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
LF_CXS = "0"
LF_CXS_PERM = "1"
LF_QOS = "0"
LF_QOS_PERM = "1"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"
# Login-alert switches: SSH, SU, WEBMIN and CONSOLE alerts are on; the SUDO
# alert is set to "0", yet the poster reports SUDO alert mails still arriving
# after restarting csf/lfd (the subject of this thread).
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_SUDO_EMAIL_ALERT = "0"
LF_WEBMIN_EMAIL_ALERT = "1"
LF_CONSOLE_EMAIL_ALERT = "1"
LF_APACHE_404 = "0"
LF_APACHE_404_PERM = "3600"
LF_APACHE_403 = "0"
LF_APACHE_403_PERM = "3600"
LF_APACHE_401 = "0"
LF_APACHE_ERRPORT = "0"
LF_APACHE_401_PERM = "3600"
LF_MODSECIPDB_ALERT = "0"
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
LF_EXPLOIT = "300"
LF_EXPLOIT_IGNORE = ""
LF_INTERVAL = "3600"
LF_PARSE = "5"
LF_FLUSH = "3600"
LF_REPEATBLOCK = "0"
LF_BLOCKINONLY = "0"
CF_ENABLE = "0"
CF_BLOCK = "block"
CF_TEMP = "3600"
LF_DIRWATCH = "300"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTEGRITY = "3600"
LF_DISTATTACK = "0"
LF_DISTATTACK_UNIQ = "2"
LF_DISTFTP = "0"
LF_DISTFTP_UNIQ = "3"
LF_DISTFTP_PERM = "1"
LF_DISTFTP_ALERT = "1"
LF_DISTSMTP = "0"
LF_DISTSMTP_UNIQ = "3"
LF_DISTSMTP_PERM = "1"
LF_DISTSMTP_ALERT = "1"
LF_DIST_INTERVAL = "300"
LF_DIST_ACTION = ""
LT_POP3D = "0"
LT_IMAPD = "0"
LT_EMAIL_ALERT = "0"
LT_SKIPPERMBLOCK = "0"
CT_LIMIT = "100"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "0"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_SKIP_TIME_WAIT = "0"
CT_STATES = ""
CT_PORTS = ""
CT_SUBNET_LIMIT = "0"
PT_LIMIT = "0"
PT_INTERVAL = "60"
PT_SKIP_HTTP = "0"
PT_DELETED = "0"
PT_DELETED_ACTION = ""
PT_USERPROC = "10"
PT_USERMEM = "512"
PT_USERRSS = "256"
PT_USERTIME = "1800"
PT_USERKILL = "0"
PT_USERKILL_ALERT = "1"
PT_USER_ACTION = ""
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"
PT_APACHESTATUS = "http://127.0.0.1/server-status"
PT_LOAD_ACTION = ""
PT_FORKBOMB = "0"
PT_SSHDKILL = "0"
PT_SSHDHUNG = "0"
PS_INTERVAL = "0"
PS_LIMIT = "10"
PS_PORTS = "0:65535,ICMP"
PS_DIVERSITY = "1"
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"
PS_EMAIL_ALERT = "0"
UID_INTERVAL = "0"
UID_LIMIT = "10"
UID_PORTS = "0:65535,ICMP"
AT_ALERT = "2"
AT_INTERVAL = "60"
AT_NEW = "1"
AT_OLD = "1"
AT_PASSWD = "1"
AT_UID = "1"
AT_GID = "1"
AT_DIR = "1"
AT_SHELL = "1"
# The built-in UI is disabled here (UI = "0"), so the placeholder credentials
# below are inert; they would need to be replaced with real, strong values
# before the UI is ever enabled.
UI = "0"
UI_PORT = "6666"
UI_IP = ""
UI_USER = "username"
UI_PASS = "password"
UI_TIMEOUT = "300"
UI_CHILDREN = "5"
UI_RETRY = "5"
UI_BAN = "1"
UI_ALLOW = "1"
UI_BLOCK = "1"
UI_ALERT = "4"
# NOTE(review): this cipher string still permits RC4 suites; worth tightening
# if the UI is enabled.
UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"
UI_CXS = "0"
UI_CSE = "0"
MESSENGER = "0"
MESSENGER_TEMP = "1"
MESSENGER_PERM = "1"
MESSENGER_USER = "csf"
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
MESSENGER_HTTPS = "8887"
MESSENGER_HTTPS_IN = "443"
MESSENGER_HTML = "8888"
MESSENGER_HTML_IN = "80"
MESSENGER_TEXT = "8889"
MESSENGER_TEXT_IN = "21"
MESSENGER_RATE = "100/s"
MESSENGER_BURST = "150"
MESSENGER_CHILDREN = "20"
MESSENGER_HTTPS_SKIPMAIL = "1"
MESSENGERV3 = "0"
MESSENGERV3LOCATION = "/etc/httpd/conf.d/"
MESSENGERV3RESTART = "service httpd restart"
MESSENGERV3TEST = "/usr/sbin/apachectl -t"
MESSENGERV3HTTPS_CONF = "/etc/httpd/conf/httpd.conf"
MESSENGERV3WEBSERVER = "apache"
MESSENGERV3PERMS = "711"
MESSENGERV3GROUP = "apache"
MESSENGERV3PHPHANDLER = ""
RECAPTCHA_SITEKEY = ""
RECAPTCHA_SECRET = ""
RECAPTCHA_ALERT = "1"
RECAPTCHA_NAT = ""
CLUSTER_SENDTO = ""
CLUSTER_RECVFROM = ""
CLUSTER_MASTER = ""
CLUSTER_NAT = ""
CLUSTER_LOCALADDR = ""
CLUSTER_PORT = "7777"
CLUSTER_KEY = ""
CLUSTER_BLOCK = "1"
CLUSTER_CONFIG = "0"
CLUSTER_CHILDREN = "10"
PORTKNOCKING = ""
PORTKNOCKING_LOG = "1"
PORTKNOCKING_ALERT = "0"
LOGSCANNER = "0"
LOGSCANNER_INTERVAL = "hourly"
LOGSCANNER_STYLE = "1"
LOGSCANNER_EMPTY = "1"
LOGSCANNER_LINES = "5000"
ST_ENABLE = "1"
ST_IPTABLES = "100"
ST_LOOKUP = "0"
ST_SYSTEM = "0"
ST_SYSTEM_MAXDAYS = "30"
# MySQL statistics are off (ST_MYSQL = "0"), so the root/empty-password pair
# below is unused as configured.
ST_MYSQL = "0"
ST_MYSQL_USER = "root"
ST_MYSQL_PASS = ""
ST_MYSQL_HOST = "localhost"
ST_APACHE = "0"
ST_DISKW = "0"
ST_DISKW_FREQ = "5"
ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
DOCKER = "0"
DOCKER_DEVICE = "docker0"
DOCKER_NETWORK4 = "172.17.0.0/16"
DOCKER_NETWORK6 = "2001:db8:1::/64"
IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"
IPTABLES_RESTORE = "/sbin/iptables-restore"
IP6TABLES = "/sbin/ip6tables"
IP6TABLES_SAVE = "/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
VMSTAT = "/usr/bin/vmstat"
NETSTAT = "/bin/netstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
UNZIP = "/usr/bin/unzip"
GUNZIP = "/bin/gunzip"
DD = "/bin/dd"
TAIL = "/usr/bin/tail"
GREP = "/bin/grep"
ZGREP = "/usr/bin/zgrep"
IPSET = "/usr/sbin/ipset"
SYSTEMCTL = "/usr/bin/systemctl"
HOST = "/usr/bin/host"
IP = "/sbin/ip"
CURL = "/usr/bin/curl"
WGET = "/usr/bin/wget"
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
# NOTE(review): presumably the log lfd watches for the SUDO alert above;
# if the alert persists, this is the file whose entries should be compared
# against the mails received.
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"
CUSTOM1_LOG = "/var/log/customlog"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53;udp,53;tcp"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
PORTS_sshd = "22"
GENERIC = "1"
DEBUG = "0"
Thank you.
bendix
Junior Member
Posts: 18
Joined: 05 Mar 2012, 10:13

Re: LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by bendix »

I've also set:


LF_ALERT_TO = ""
but it sends the email anyway, to root@localhost.

Any help is appreciated.
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by Sergio »

Work around:
1. Enter into the webmail of the email receiving the alerts.
2. In the main screen of webmail enter into EMAIL FILTERS.
3. Create a new filter called: DELETE SUDO
4. On the first line of the filter select "BODY" and "CONTAINS"
5. And write:
lfd on srv1: SUDO login alert - Successful login
6. The last option set it to "DELETE"

Doing that will delete all of those emails on the receiving side (it hides the alert mails rather than stopping lfd from sending them).
bendix
Junior Member
Posts: 18
Joined: 05 Mar 2012, 10:13

Re: LF_SUDO_EMAIL_ALERT = "0" still sending emails on v14.15

Post by bendix »

Thank you Sergio, but this will not work for me. I need this bug fixed for good.