When I first upgraded my server to Debian 12 (Bookworm), I encountered a significant issue with the CSF (Config Server Firewall). Debian 12 uses a new logging system called journal
, which is not fully compatible with CSF. To make CSF work, I had to revert to the older logging system used in previous Debian versions. This workaround, however, came with its own set of challenges.
The Problem
The primary issue was that the old logging system’s paths were not correctly configured in the csf.conf
file. This misconfiguration meant that CSF could not detect SASL SMTP authentication login failures. As a result, my server was compromised for almost a year without my knowledge. The firewall failed to provide the necessary security alerts, leaving my server vulnerable to unauthorized access.
The Solution
To resolve this issue, I had to take the following steps:
- Install the Old Logging System: I installed the older logging system compatible with CSF and setting up the traditional syslog.
- Configure the Correct Log Paths: The next crucial step was to ensure that the log paths in the
csf.conf
file were correctly set. This required careful attention to detail, as any incorrect path would render the firewall ineffective. - Verify CSF Functionality: After configuring the log paths, I tested CSF to ensure it was correctly detecting and logging SASL SMTP authentication failures. This involved simulating login attempts and checking the logs for any discrepancies.
- Regular Monitoring and Updates: To prevent future issues, I set up regular monitoring and ensured that all configurations were up-to-date. This included keeping an eye on any updates to CSF and Debian that might affect the firewall’s functionality.
Editing csf.conf
This is how you edit csf.conf
to make CSF firewall work as expected and resolve the issue:
- Open the
csf.conf
file in your preferred text editor:sudo nano /etc/csf/csf.conf
- Locate the log paths section and update the paths to match the old logging system. For example:
# Log file locations LF_SSHD_LOG = "/var/log/auth.log" LF_FTPD_LOG = "/var/log/mail.log" LF_SMTPAUTH_LOG = "/var/log/mail.log"
- Save the changes and exit the editor.
- Restart CSF to apply the changes:
sudo csf -r
Visual Guide
I am including an image of the working log path configuration that resolved my issue. I hope this helps anyone facing the same problem, as CSF firewall up to version 14.22 still has this issue.
Lessons Learned
This experience taught me the importance of thorough testing and verification when making significant changes to server configurations. It also highlighted the need for regular monitoring and updates to ensure that security measures remain effective.
If you’re utilizing Debian 12 with CSF, it’s crucial to be aware of the logging issue and take the necessary steps to configure your logging system properly. Neglecting this could leave your server susceptible to attacks without your knowledge.