WHM / cPanel CSF Firewall WARNING: RESTRICT_SYSLOG is disabled
WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration

The CSF plugin in WHM/cPanel shows this warning (with TESTING off, i.e. the firewall live) when the configuration contains RESTRICT_SYSLOG = "0". The fix is changing RESTRICT_SYSLOG = "0" to RESTRICT_SYSLOG = "3" and restarting lfd, because lfd's log-based blocking of brute force attacks relies on log lines that other local users could otherwise spoof. The SECURITY WARNING text that the message refers to follows.

SECURITY WARNING
================

Unfortunately, syslog and rsyslog allow end-users to log messages to some
system logs via the same unix socket that other local services use. This
means that any log line shown in these system logs that syslog or rsyslog
maintain can be spoofed (they are exactly the same as real log lines).

Since some of the features of lfd rely on such log lines, spoofed messages
can cause false-positive matches which can lead to confusion at best, or
blocking of any innocent IP address or making the server inaccessible at
worst.

Any option that relies on the log entries in the files listed in
/etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
vulnerable to exploitation by end-users and scripts run by end-users.

NOTE: Not all log files are affected, since some are not written through syslog/rsyslog.

The option RESTRICT_SYSLOG disables all these features that rely on affected
logs. These options are:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT

These options also use the logs but are not disabled by RESTRICT_SYSLOG:
ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG

The following options are still enabled by default on new installations so
that, on balance, csf/lfd still provides expected levels of security:
LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT

If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
above, it should be done with the knowledge that any of those options
that are enabled could be triggered by spoofed log lines and lead to the
server being inaccessible in the worst case. If you do not want to take that
risk you should set RESTRICT_SYSLOG to "1"; those features will then not work,
but you will also not be protected from the exploits that they normally help block.

The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
the syslog/rsyslog unix socket.

For further advice on how to help mitigate these issues, see
/etc/csf/readme.txt

0 = Allow those options listed above to be used and configured
1 = Disable all the options listed above and prevent them from being used
2 = Disable only alerts about this feature and do nothing else
3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
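As an added example (not csf's own code), the following POSIX shell script audits a csf.conf-style file for the situation the warning describes: it reads RESTRICT_SYSLOG and, when the value is "0" or "2", lists the syslog-dependent options from the list above that are enabled, i.e. the features a spoofed log line could trigger. It assumes the `NAME = "value"` line format shown on this page; the path of the configuration file and the sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not csf's own code: audit a csf.conf-style file for the
# RESTRICT_SYSLOG setting and list the syslog-dependent options that are
# enabled while the syslog socket is left open to all local users ("0" or "2").
# Assumes the csf.conf line format shown on the page:  NAME = "value"

# Options that the warning documents as relying on syslog/rsyslog-maintained logs.
SYSLOG_DEPENDENT_OPTIONS="LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN
LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK
LF_DISTFTP LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG
LF_WEBMIN_EMAIL_ALERT PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT"

# csf_get OPTION FILE: print the quoted value of OPTION (last occurrence wins);
# comment lines and other options are ignored. Prints nothing if unset.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# csf_restrict_syslog_status FILE: map the RESTRICT_SYSLOG value to a label:
#   3 -> recommended       (socket restricted to RESTRICT_SYSLOG_GROUP)
#   1 -> disabled-features (syslog-dependent options switched off)
#   2 -> alerts-only       (options still active, only the warning is silenced)
#   0 -> unrestricted
csf_restrict_syslog_status() {
    case "$(csf_get RESTRICT_SYSLOG "$1")" in
        3) echo recommended ;;
        1) echo disabled-features ;;
        2) echo alerts-only ;;
        0) echo unrestricted ;;
        *) echo unset ;;
    esac
}

# csf_exposed_options FILE: with RESTRICT_SYSLOG at "0" or "2", print each
# enabled syslog-dependent option as NAME=value; these are the features that a
# spoofed log line could trigger. Prints nothing for "1" or "3".
csf_exposed_options() {
    status=$(csf_restrict_syslog_status "$1")
    [ "$status" = unrestricted ] || [ "$status" = alerts-only ] || return 0
    for opt in $SYSLOG_DEPENDENT_OPTIONS; do
        val=$(csf_get "$opt" "$1")
        case "$val" in
            ""|0) ;;                    # absent or disabled
            *) echo "$opt=$val" ;;
        esac
    done
}

# Stand-alone demo on a constructed csf.conf excerpt (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed excerpt
TESTING = "0"
RESTRICT_SYSLOG = "0"
LF_SSHD = "5"
LF_FTPD = "10"
LF_BIND = "0"
PS_INTERVAL = "300"
EOF
echo "RESTRICT_SYSLOG status: $(csf_restrict_syslog_status "$sample")"
echo "Enabled options exposed to spoofed log lines:"
csf_exposed_options "$sample"
rm -f "$sample"
```

Run it against the real configuration file by replacing the constructed excerpt with the server's csf.conf path; an empty list under status "recommended" or "disabled-features" is the state the warning asks for.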

The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
write access to the syslog/rsyslog unix socket(s). The group must not already
exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
to a unique name for the server.

You can add users to this group by changing /etc/csf/csf.syslogusers and then
restarting lfd afterwards. This will create the system group, add the
users from csf.syslogusers (if they exist) to that group, and change the
permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
monitored and the permissions re-applied should syslog/rsyslog be restarted.

Using this option will prevent some legitimate logging, e.g. end-user cron
job logs.

If you want to revert RESTRICT_SYSLOG to another option and disable this
feature, change the setting of RESTRICT_SYSLOG, restart lfd, and then restart
syslog/rsyslog; the unix sockets will then be reset.
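As an added example (not csf's own code), the script below checks the two things lfd is described as maintaining once RESTRICT_SYSLOG is "3": that the syslog unix socket grants no permissions to "other" and is owned by the RESTRICT_SYSLOG_GROUP group, and that every user listed in a csf.syslogusers-style file is actually a member of that group. The socket path (commonly /dev/log), the use of GNU coreutils `stat`, the group name `srvsyslog` and the sample user list are assumptions or constructed data, not values from this page.

```shell
#!/bin/sh
# Added example, not csf's own code: verify that the syslog/rsyslog unix
# socket is group-restricted as RESTRICT_SYSLOG = "3" intends, and that the
# users in a csf.syslogusers-style file belong to RESTRICT_SYSLOG_GROUP.

# socket_mode_ok MODE GROUP EXPECTED_GROUP: MODE is the octal string printed by
# 'stat -c %a' (e.g. 660), GROUP the owning group name. Succeeds only when the
# "other" class has no permission bits and the group matches EXPECTED_GROUP.
socket_mode_ok() {
    case "$1" in
        *0) [ "$2" = "$3" ] ;;      # last octal digit 0: nothing for "other"
        *)  return 1 ;;
    esac
}

# syslogusers_list FILE: print usernames from a csf.syslogusers-style file,
# one per line, ignoring blank lines, surrounding whitespace and # comments.
syslogusers_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# group_members GROUP_LINE: given an /etc/group entry "name:x:gid:u1,u2",
# print its supplementary members one per line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# missing_members GROUP_LINE USERS_FILE: print the users from USERS_FILE that
# are not members of the group described by GROUP_LINE. Empty output = all good.
missing_members() {
    members=$(group_members "$1")
    syslogusers_list "$2" | while IFS= read -r user; do
        printf '%s\n' "$members" | grep -qxF "$user" || echo "$user"
    done
}

# check_live_socket SOCKET_PATH EXPECTED_GROUP: read the real mode and group
# with GNU stat (assumption: coreutils) and apply socket_mode_ok. Not called in
# the demo below; run it as e.g.  check_live_socket /dev/log "$group"  on a host.
check_live_socket() {
    [ -S "$1" ] || { echo "$1 is not a unix socket" >&2; return 1; }
    socket_mode_ok "$(stat -c %a "$1")" "$(stat -c %G "$1")" "$2"
}

# Stand-alone demo on constructed data (no real server state is read).
users=$(mktemp)
printf '# constructed csf.syslogusers\nalice\nbob   # trailing comment\n\n' > "$users"
group_line="srvsyslog:x:1500:alice"     # constructed /etc/group entry
if socket_mode_ok 660 srvsyslog srvsyslog; then
    echo "socket mode 660 owned by srvsyslog: restricted as expected"
fi
if ! socket_mode_ok 666 srvsyslog srvsyslog; then
    echo "socket mode 666: world-writable, RESTRICT_SYSLOG not in effect"
fi
echo "users in csf.syslogusers but not in srvsyslog:"
missing_members "$group_line" "$users"     # bob
rm -f "$users"
```

Because lfd re-applies the socket permissions after a syslog/rsyslog restart, running `check_live_socket` from a periodic job is a cheap way to notice the window in which the sockets have been reset but not yet restricted again.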