How to ignore alerts for services and executables using CSF on Rocky Linux 9.3

Introduction:

ConfigServer Security & Firewall (CSF) is a stateful packet-inspection firewall for Linux; its companion daemon, lfd (Login Failure Daemon), watches logs and running processes and emails an alert when it sees something suspicious. lfd's process tracking can also flag harmless, known-safe daemons, so to stop those alerts you tell lfd which executables, commands or users to ignore in /etc/csf/csf.pignore. (A separate file, /etc/csf/csf.ignore, lists IP addresses that lfd should not block; the two are easy to confuse.) This guide covers the process-tracking case: setting the alert address, setting the run-time threshold, and ignoring a specific executable.

Procedure:

Step 1: Check the OS version by using the below command

[root@linuxhelp ~]# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

Step 2: Check the status of the CSF and LFD service by using the below command

[root@linuxhelp ~]# systemctl status csf lfd
● csf.service - ConfigServer Firewall & Security - csf
     Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; preset: disabled)
     Active: active (exited) since Tue 2024-05-07 22:08:53 IST; 13s ago
    Process: 3279 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
   Main PID: 3279 (code=exited, status=0/SUCCESS)
        CPU: 978ms

May 07 22:08:52 linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - csf...
May 07 22:08:53 linuxhelp csf[3279]: (restoring iptables) (restoring ip6tables)
May 07 22:08:53 linuxhelp systemd[1]: Finished ConfigServer Firewall & Security - csf.

● lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-05-07 22:08:54 IST; 12s ago
    Process: 3308 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 3321 (lfd - sleeping)
      Tasks: 5 (limit: 22834)
     Memory: 36.4M
        CPU: 9.392s
     CGroup: /system.slice/lfd.service
             ├─3321 "lfd - sleeping"
             ├─3469 "lfd - (child) system integrity alert"
             ├─3472 "lfd - (child) (PT) checking user processes"
             ├─3473 /usr/sbin/sendmail -f root -t
             └─3474 /usr/sbin/sendmail -f root -t

May 07 22:08:53 linuxhelp systemd[1]: Starting ConfigServer Firewall & Security - lfd...
May 07 22:08:54 linuxhelp systemd[1]: Started ConfigServer Firewall & Security - lfd.
May 07 22:08:57 linuxhelp sendmail[3473]: My unqualified host name (linuxhelp) unknown; sleeping for retry
May 07 22:09:03 linuxhelp sendmail[3474]: My unqualified host name (linuxhelp) unknown; sleeping for retry

Note the two sendmail lines at the end of the lfd status: lfd has already tried to send an alert, but sendmail cannot resolve the short hostname "linuxhelp" to a fully qualified name and is holding the message for retry. Give the host a resolvable FQDN (in /etc/hostname, with a matching /etc/hosts entry) or alert mail will be delayed or lost.

Step 3: Open csf.conf and search for LF_ALERT_TO

[root@linuxhelp ~]# vim /etc/csf/csf.conf

Set it to the address that should receive lfd alert mail, for example LF_ALERT_TO = "admin@example.com" (the address is a placeholder). Leaving it empty keeps the default of mailing the local root account.

Step 4: After the change, restart CSF and lfd so the new setting is read (lfd reads csf.conf only at startup)

[root@linuxhelp ~]# systemctl restart csf lfd

Step 5: Open csf.conf again and search for PT_USERTIME

[root@linuxhelp ~]# vim /etc/csf/csf.conf

PT_USERTIME is the number of seconds a user-owned process may run before lfd reports it; set it to the threshold you want. Two related settings matter here: process tracking as a whole is enabled only while PT_LIMIT is greater than 0, and PT_USERKILL decides whether lfd also kills the flagged process. Leave PT_USERKILL at 0 (alert only) unless you have confirmed that killing long-running user processes on this host is acceptable.

Step 6: After the changes restart the CSF and LFD by using the below command

[root@linuxhelp ~]# systemctl restart csf lfd

Step 7: lfd now emails an alert whenever a user process has been running for longer than the PT_USERTIME value. The alert identifies the process by owner, PID, executable path and command line.

Step 8: To stop alerts for a specific process, take the executable path from the mail and add it to /etc/csf/csf.pignore as an exe: entry, one entry per line. csf.pignore also accepts user: and cmd: entries, and the regex forms pexe:, pcmd: and puser:. Restart lfd afterwards, because it reads csf.pignore only at startup. Ignore only daemons you have identified and trust: an exe: entry exempts whatever binary sits at that path, so a replaced or trojaned binary at the same path would be exempted too.

[root@linuxhelp ~]# vim /etc/csf/csf.pignore
exe:/usr/libexec/rtkit-daemon
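Steps 3, 5 and 8 are three hand edits with vim that are easy to get wrong (a duplicated key in csf.conf, a relative path in csf.pignore, an entry added twice). The shell functions below, an added example and not code from the original article or from the CSF project, perform the same three edits idempotently: csf_set rewrites an existing KEY = "value" line in csf.conf or appends one, and pignore_add adds an exe: entry to csf.pignore only if it is absent and only for an absolute path. The CSF_CONF and CSF_PIGNORE variables, the function names and the /tmp copies are assumptions of the example; by default the functions operate on the real files under /etc/csf, so run them as root only after trying them on copies.

```shell
#!/bin/sh
# Added example (not from the original article or the CSF project): idempotent
# helpers for the csf.conf edits in Steps 3 and 5 and the csf.pignore entry in
# Step 8. Paths default to the real CSF files but can be overridden through
# the CSF_CONF and CSF_PIGNORE variables (assumed names) to test on copies.

: "${CSF_CONF:=/etc/csf/csf.conf}"
: "${CSF_PIGNORE:=/etc/csf/csf.pignore}"

# csf_set KEY VALUE: set   KEY = "VALUE"   in csf.conf, the form csf.conf uses.
# An existing uncommented line is rewritten in place, so no duplicate key is
# created; commented lines (# KEY = ...) are left alone because the regex is
# anchored at the start of the line.
csf_set() {
    key=$1; val=$2
    if grep -Eq "^${key} *=" "$CSF_CONF"; then
        sed -i "s|^${key} *=.*|${key} = \"${val}\"|" "$CSF_CONF"
    else
        printf '%s = "%s"\n' "$key" "$val" >> "$CSF_CONF"
    fi
}

# csf_get KEY: print the unquoted value of KEY from csf.conf.
csf_get() {
    sed -n "s|^$1 *= *\"\(.*\)\"|\1|p" "$CSF_CONF"
}

# pignore_add PATH: append   exe:PATH   to csf.pignore once. Only absolute
# paths are accepted; a bare program name would match nothing and silently
# leave the alert in place.
pignore_add() {
    exe=$1
    case $exe in
        /*) ;;
        *)  echo "pignore_add: need an absolute path, got '$exe'" >&2; return 1 ;;
    esac
    entry="exe:$exe"
    if grep -Fxq "$entry" "$CSF_PIGNORE" 2>/dev/null; then
        return 0            # already listed, nothing to do
    fi
    printf '%s\n' "$entry" >> "$CSF_PIGNORE"
}

# pignore_count PATH: number of exact   exe:PATH   lines (0 or 1 if the file
# is well maintained).
pignore_count() {
    grep -Fxc "exe:$1" "$CSF_PIGNORE" 2>/dev/null || true
}

# Typical use on the live files, as root:
#   csf_set LF_ALERT_TO admin@example.com     # Step 3 (placeholder address)
#   csf_set PT_USERTIME 1800                  # Step 5
#   pignore_add /usr/libexec/rtkit-daemon     # Step 8
#   systemctl restart lfd                     # lfd reads both files at startup
```

Whatever tool you use to edit the files, finish with systemctl restart lfd (or csf -ra, which restarts the firewall rules and then lfd); csf -r by itself reloads only the iptables rules and leaves the running lfd with its old configuration.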

Conclusion:

We have reached the end of this article. In this guide, we have walked you through the steps required to ignore process-tracking alerts for services and executables using CSF on Rocky Linux 9.3. Your feedback is welcome.

FAQ
Q
How can I check that lfd is now ignoring the process?
A
Restart lfd and watch /var/log/lfd.log (for example with tail -f /var/log/lfd.log). A process listed in csf.pignore no longer produces a process-tracking entry there or an alert mail. If it still does, check that the exe: path matches the path in the alert exactly and that lfd was restarted after the edit.
Q
Do I need to restart CSF after making changes to the configuration?
A
lfd must be restarted after editing csf.conf or csf.pignore, because it reads both files only at startup. csf -r restarts the firewall rules only, not lfd; use systemctl restart lfd, or csf -ra to restart both:
csf -ra
Q
Can I ignore alerts for multiple services at once?
A
Yes. Put one entry per line in /etc/csf/csf.pignore; entries are not comma-separated. For example (the second line is illustrative):
exe:/usr/libexec/rtkit-daemon
user:chrony
Q
How do I add a service to the CSF ignore list?
A
There is no single ignore list. For process-tracking alerts, add the service's executable, command or user to /etc/csf/csf.pignore (exe:, cmd:, user:, or the regex forms pexe:, pcmd:, puser:) and restart lfd. For IP addresses that lfd should never block, use /etc/csf/csf.ignore instead. IGNORE_ALLOW in csf.conf is unrelated: it is a 0/1 switch about how lfd treats addresses in csf.allow, not a list of services.
Q
How do I ignore alerts for specific services or executables?
A
Add them to /etc/csf/csf.pignore, not /etc/csf/csf.ignore: csf.ignore holds IP addresses, while csf.pignore holds the process entries used by lfd's process tracking. Restart lfd afterwards.