Questions[csf](server)

I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. I changed the DOCKER settings options in /etc/csf/csf.conf to 1 to allow docker to change iptable rules.

If I am starting my container with -p 8000:8000, the port 8000 is exposed to the whole world (I can access the website with mydomain.com:8000, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000 I can't access it with mydomain.com:8000 (which is great), but in both cases calling localhost:8000 will result in an ERR_EMPTY_RESPONSE error in Chrome or curl: (52) Empty reply from server in the terminal.

Tried it with different containers and different ports. After disabling csf, it works without the empty-reply-error so is must be related to csf.

How to configure csf to expose and access docker container over specific ports only locally?

Sidenote: I am working remotely on the server with ssh [email protected] -L 8000:localhost:8000.

I modify my /etc/hosts.allow file as

sshd : 192.168.0.0/255.255.255.0 : allow
sshd : xxx.xxx.xxx.* : allow
sshd : ALL : deny

(where the xxx represent my actual IP address numbers and the wildcard * represents the full range 0-255) then restart sshd and Apache web server. I watch over the following week as IP addresses from foreign countries continue to appear in /etc/csf/csf.deny.

116.31.116.15 # lfd: (sshd) Failed SSH login from 116.31.116.15 (CN/China/-): 5 in the last 300 secs ...

Is my expectation correct that denied IP addresses in the hosts.allow file should not even be presented with a login screen to attempt to login, and thus the entries in the csf.deny log prove my hosts.allow file isn't doing what I want?

Or, am I being misled by the generic error message (5 in the last 300 secs) because in reality those IP addresses have not actually attempted to enter a user and password 5 times?

My goal is prevent non-approved IP addresses from being able to even enter a username and password. How can I tell that I'm achieving this or not?

What should I expect the csf.deny file to show when their IP is in fact denied?

I repeatedly receive a "Suspicious Process" notice from lfd. I'm 100% positive that the PHP script triggering this warning is safe. I wrote it myself and it makes some cross server calls that must look suspicious to csf.

Now I know how to whitelist various executables and command lines in csf, however due to my setup it appears that csf recognises this script simply as PHP with no unique command line:

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php

Obviously I could whitelist this with something like "exe:/usr/bin/php" in the csf.pignore file but this would whitelist all other PHP scripts as well.

Is there a way that I can whitelist this specific script (taking into account that the command line is simply "/usr/bin/php" as well) without white-listing the all PHP scripts? Or is there another way around this?

I'm using csf and noticed a lot of brute force password attempts into a particular pop3 account. csf does not appear to be blocking the IP addresses as it does with other processes. Is there a switch or config option that someone can point me to that instructs csf to block all failed dovecot login attempts?

I recently installed CSF firewall and have made live a new server which is accepting around 600req/second.

Its basically a reverse proxy and I found in pingdom and munin that for a particular time, the response times of the server increased by 3 folds. I looked into logs and exactly at that point, I found loads of entries like this:

Feb 27 15:22:09 li235-57 dhclient: DHCPREQUEST of <My IP address> on eth0 to 207.192.68.72 port 67
Feb 27 15:22:09 li235-57 dhclient: send_packet: Operation not permitted

Can you help me understand what went wrong and what exactly happened? Is there any settings I should change in CSF or any pointer to debug this further?