Resolving CSF Firewall Issues on Debian 12

When I first upgraded my server to Debian 12 (Bookworm), I encountered a significant issue with the CSF (Config Server Firewall). Debian 12 uses a new logging system called journal, which is not fully compatible with CSF. To make CSF work, I had to revert to the older logging system used in previous Debian versions. This workaround, however, came with its own set of challenges.

The Problem

The primary issue was that the old logging system’s paths were not correctly configured in the csf.conf file. This misconfiguration meant that CSF could not detect SASL SMTP authentication login failures. As a result, my server was compromised for almost a year without my knowledge. The firewall failed to provide the necessary security alerts, leaving my server vulnerable to unauthorized access.

The Solution

To resolve this issue, I had to take the following steps:

  1. Install the Old Logging System: I installed the older logging system compatible with CSF and set up the traditional syslog.
  2. Configure the Correct Log Paths: The next crucial step was to ensure that the log paths in the csf.conf file were correctly set. This required careful attention to detail, as any incorrect path would render the firewall ineffective.
  3. Verify CSF Functionality: After configuring the log paths, I tested CSF to ensure it was correctly detecting and logging SASL SMTP authentication failures. This involved simulating login attempts and checking the logs for any discrepancies.
  4. Regular Monitoring and Updates: To prevent future issues, I set up regular monitoring and ensured that all configurations were up-to-date. This included keeping an eye on any updates to CSF and Debian that might affect the firewall’s functionality.

Editing csf.conf

This is how to edit csf.conf so that the CSF firewall works as expected and the issue is resolved:

  1. Open the csf.conf file in your preferred text editor: sudo nano /etc/csf/csf.conf
  2. Locate the log paths section and update the paths to match the old logging system. For example:
       # Log file locations
       SSHD_LOG = "/var/log/auth.log"
       FTPD_LOG = "/var/log/mail.log"
       SMTPAUTH_LOG = "/var/log/mail.log"
  3. Save the changes and exit the editor.
  4. Restart CSF to apply the changes: sudo csf -r
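
A check to run after the restart, added here as an example and not part of the original post or of CSF itself: it reads every setting in csf.conf whose name ends in _LOG and reports log files that are missing, empty, or no longer being written to, which is how a wrong path or a stopped syslog daemon shows up. The function name check_csf_logs and the 24-hour staleness threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit the log files that csf.conf tells lfd to watch.
# Usage: check_csf_logs [path/to/csf.conf] [max_age_minutes]
check_csf_logs() {
    conf="${1:-/etc/csf/csf.conf}"
    max_age="${2:-1440}"   # assumption: no writes for 24h means stale
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Extract "NAME /path" from lines such as: SMTPAUTH_LOG = "/var/log/mail.log"
    settings=$(sed -n \
        's|^\([A-Z0-9_]*_LOG\)[[:space:]]*=[[:space:]]*"\(/[^"]*\)".*|\1 \2|p' "$conf")
    while read -r name path; do
        [ -n "$name" ] || continue
        case "$path" in
            *[*?]*) echo "SKIP    $name $path (wildcard not expanded)"; continue ;;
        esac
        if [ ! -f "$path" ]; then
            status="MISSING"   # wrong path, or syslog never created the file
        elif [ ! -s "$path" ]; then
            status="EMPTY"     # file exists but nothing is logging to it
        elif [ -z "$(find "$path" -mmin "-$max_age")" ]; then
            status="STALE"     # file stopped growing, e.g. rsyslog not running
        else
            status="OK"
        fi
        [ "$status" = "OK" ] || problems=$((problems + 1))
        printf '%-7s %s %s\n' "$status" "$name" "$path"
    done <<EOF
$settings
EOF
    return "$problems"   # exit status = number of unusable log files
}

# Run against a real config only when arguments are given.
if [ "$#" -gt 0 ]; then check_csf_logs "$@"; fi
```

The non-zero exit status makes the function usable from cron or a monitoring check. It complements the simulated login test in step 3 of the solution; it does not replace it.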

Visual Guide

I am including an image of the working log path configuration that resolved my issue. I hope this helps anyone facing the same problem, as CSF firewall up to version 14.22 still has this issue.

[Image: Resolving CSF Firewall Issues on Debian 12: SMTP, POP3, IMAP SASL auth login failure not detected]

Lessons Learned

This experience taught me the importance of thorough testing and verification when making significant changes to server configurations. It also highlighted the need for regular monitoring and updates to ensure that security measures remain effective.

If you’re utilizing Debian 12 with CSF, it’s crucial to be aware of the logging issue and take the necessary steps to configure your logging system properly. Neglecting this could leave your server susceptible to attacks without your knowledge.
