ConfigServer Security & Firewall (CSF) – How to reduce the email alerts


ConfigServer Security & Firewall (CSF) is great, but the email alerts can certainly be a little overwhelming, so here’s a very quick, dirty copy + paste to disable most of the common email alerts sent out by CSF.

Now, depending on what you’re hosting, you might want to keep some of these alerts enabled, but some of them are just unnecessary. For example, any server with a public-facing IP address will be port-scanned and have its SSH port brute-forced. In an ideal world we’d have SSH locked down via access lists with the port closed to the public, but that’s not always achievable. In this case not many people need to know that an IP address was blocked 5 times for failing to log in to their SSH service, so long as adequate steps have been taken to protect the service.

You should definitely read the csf.conf file in-depth for further explanation of what each one of these parameters does within CSF but we’ll go ahead and assume you know what these do and that you don’t particularly want the email notifications!

Go ahead and open up SSH to your server. These commands should be run as root.

First you’ll want to make a backup of your /etc/csf/csf.conf file just in case anything goes wrong or stops working.

cp /etc/csf/csf.conf /etc/csf/csf.conf-bak

Next up just paste the following into your SSH terminal.

sed -i 's/LOGFLOOD_ALERT = "[0-9]*"/LOGFLOOD_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_PERMBLOCK_ALERT = "[0-9]*"/LF_PERMBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_NETBLOCK_ALERT = "[0-9]*"/LF_NETBLOCK_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_EMAIL_ALERT = "[0-9]*"/LF_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_SSH_EMAIL_ALERT = "[0-9]*"/LF_SSH_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_SU_EMAIL_ALERT = "[0-9]*"/LF_SU_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LT_EMAIL_ALERT = "[0-9]*"/LT_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_RELAY_ALERT = "[0-9]*"/RT_RELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_AUTHRELAY_ALERT = "[0-9]*"/RT_AUTHRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_LOCALRELAY_ALERT = "[0-9]*"/RT_LOCALRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/RT_LOCALHOSTRELAY_ALERT = "[0-9]*"/RT_LOCALHOSTRELAY_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/CT_EMAIL_ALERT = "[0-9]*"/CT_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERKILL_ALERT = "[0-9]*"/PT_USERKILL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PS_EMAIL_ALERT = "[0-9]*"/PS_EMAIL_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/AT_ALERT = "[0-9]*"/AT_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/PORTKNOCKING_ALERT = "[0-9]*"/PORTKNOCKING_ALERT = "0"/' /etc/csf/csf.conf
sed -i 's/LF_DIRWATCH = "[0-9]*"/LF_DIRWATCH = "0"/' /etc/csf/csf.conf
sed -i 's/PT_LOAD = "[0-9]*"/PT_LOAD = "0"/' /etc/csf/csf.conf
sed -i 's/PT_LIMIT = "[0-9]*"/PT_LIMIT = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERPROC = "[0-9]*"/PT_USERPROC = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERMEM = "[0-9]*"/PT_USERMEM = "0"/' /etc/csf/csf.conf
sed -i 's/PT_USERTIME = "[0-9]*"/PT_USERTIME = "0"/' /etc/csf/csf.conf

And restart ConfigServer Security & Firewall to apply the changes.

csf -ra

We use “-ra” to restart both the CSF service and the related LFD service.
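The sed lines above print nothing when a key is absent from your csf.conf, and they also match the key name inside comment lines. As an added example (not part of the original guide), this helper anchors each match to the start of the line and reports per key; `csf_quiet`, `make_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). The sample config below is
# constructed; on a real server pass /etc/csf/csf.conf instead.

# csf_quiet FILE KEY...: set each KEY = "N" line to "0" and report per key.
# Returns 1 if any key was not found, so a silent sed no-op is not missed.
csf_quiet() {
    conf=$1; shift
    rc=0
    for key in "$@"; do
        # Match only at line start, so comments and longer names are skipped
        cur=$(sed -n "s/^$key = \"\([0-9][0-9]*\)\".*/\1/p" "$conf" | head -n 1)
        if [ -z "$cur" ]; then
            echo "MISSING   $key"; rc=1
        elif [ "$cur" = "0" ]; then
            echo "ALREADY0  $key"
        else
            tmp=$(mktemp)
            sed "s/^$key = \"[0-9][0-9]*\"/$key = \"0\"/" "$conf" > "$tmp"
            cat "$tmp" > "$conf"    # keeps the original file's owner and mode
            rm -f "$tmp"
            echo "CHANGED   $key ($cur -> 0)"
        fi
    done
    return $rc
}

# Constructed sample standing in for /etc/csf/csf.conf
make_sample() {
    cat > "$1" <<'EOF'
# Set LF_EMAIL_ALERT = "1" to be emailed about blocks
LF_EMAIL_ALERT = "1"
LF_SSH_EMAIL_ALERT = "1"
PT_LIMIT = "60"
LT_EMAIL_ALERT = "0"
EOF
}

demo=$(mktemp)
make_sample "$demo"
csf_quiet "$demo" LF_EMAIL_ALERT LF_SSH_EMAIL_ALERT PT_LIMIT LT_EMAIL_ALERT AT_ALERT \
    || echo "some keys were not present in this csf.conf"
rm -f "$demo"
```

Setting LF_DIRWATCH and the PT_* limits to "0" disables those checks themselves rather than only their emails, so review that group against the comments in csf.conf before including it.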

Enjoy the substantially less email spam 🙂

For more guides related to WHM please see here.


AmazonSES SmartHost – Relay specific domains in WHM / Exim.

So, if you’ve found this guide then you probably already know what AmazonSES and SmartHosts are. In this guide I’ll demonstrate how to specify certain domains to be relayed through an AmazonSES SmartHost.

cPanel’s blog here explains very well what a SmartHost is. We are going to follow the content of that guide somewhat below, with a few extra steps to allow us to specify the domains.

Note: This requires root access to WHM to complete.

Configuring the AmazonSES SmartHost in WHM.

We’ll be jumping right into the WHM/Exim configuration here. This guide assumes you have already set up your AmazonSES account, verified your domain and added an “identity” for sending test emails to.

Prepare your AmazonSES SMTP Details. You will need:
SMTP Host (server name): usually ends in amazonaws.com
In this example I will be using “email-smtp.eu-west-2.amazonaws.com” however you MUST use the one specified in your account.
SMTP Username and SMTP Password

AmazonSES SmartHost SMTP Info

Classic Console.

In WHM -> Exim Configuration Manager

Log in to WHM, go to Exim Configuration Manager, select the Advanced tab and find the AUTH section, similar to the image below.

Copy in the contents of the box below, but change the USERNAME and PASSWORD to your SMTP Username and Password provided in the Amazon SES Management Console.

## AmazonSES
ses_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : USERNAME : PASSWORD
## End AmazonSES
AmazonSES SmartHost Auth Section

Here’s my example in a test environment.

Next up we want to add the ROUTERSTART section. Copy in the below but replace YOUR_SERVER_IP with your actual server IP address.

# Added for Amazon SES
smarthost_dkim:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : YOUR_SERVER_IP
  headers_add = "${perl{mailtrapheaders}}"
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = remote_smtp_smart_dkim
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"

smarthost_regular:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : YOUR_SERVER_IP
  headers_add = "${perl{mailtrapheaders}}"
  transport = remote_smtp_smart_regular
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"
###

AmazonSES SmartHost ROUTERSTART

Here’s my example in a test environment.

Note: If your server has multiple IP addresses then you want to add each IP address to this line, which would then look like this (obviously replacing 1.1.1.1 and 1.1.1.2 here with your public IP addresses):

ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 1.1.1.1 : 1.1.1.2

Next up we have the TRANSPORTSTART section box to fill with the below. Nothing needs changing in the code below, so copy it straight in.

# Added for Amazon SES
remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_auth = *
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed

remote_smtp_smart_regular:
  driver = smtp
  hosts_require_tls = *
  hosts_require_auth = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
###

AmazonSES SmartHost TRANSPORTSTART Exim Config

Here’s my example in a test environment.

And that’s it for the WHM side of things so go ahead and save the configuration.

AmazonSES SmartHost File Modifications in SSH / Terminal

We need to edit a few files so go ahead and open up an SSH session or you can use the Terminal inside WHM.

Let’s start with /etc/exim.conf.local

Find the @CONFIG@ line and add the below inside it.

# Added for Amazon SES
hostlist smart_hosts = lsearch;/etc/smarthosts
###

Save and exit.

Here’s my example (note the @AUTH@ part should already be populated with the changes made earlier; we are only adding the above hostlist line underneath @CONFIG@).

AmazonSES SmartHost eximconflocal

Next up is the /etc/smarthosts file. This won’t exist already, so you need to create it. This is the file which specifies which domains on your server will be relaying through the AmazonSES SmartHost. Don’t forget that you must create the domain in the Amazon SES Management Console and verify the domain using CNAME records first!

Copy the following into the file but replace domain1.com and domain2.com with the actual domains on your server.

Replace Amazon_SES_Server with the SMTP Host shown to you in the Amazon SES Management Console.

# Added for Amazon SES
domain1.com: Amazon_SES_Server
domain2.com: Amazon_SES_Server
###

AmazonSES SmartHost etc-smarthosts

Finally we want to create /etc/staticroutes – this will contain the same contents as your /etc/smarthosts file. The easiest way to do this is to just copy the file with:

cp /etc/smarthosts /etc/staticroutes

That’s it! We just need to rebuild the exim configuration to perform a quick syntax check and activate the changes.

/scripts/buildeximconf

To confirm: emails sent from the domains specified in /etc/smarthosts and /etc/staticroutes are now relayed through AmazonSES. All other domains not specified will continue to be sent directly from your server.
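Because the routers look the sender domain up in /etc/staticroutes while the hostlist reads /etc/smarthosts, the two files have to stay in step after the initial copy. As an added example (not part of the original guide), this check lists domains present in only one file and entries that still carry the guide's Amazon_SES_Server placeholder; the function names and sample domains are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Sample files are constructed;
# on a real server pass /etc/smarthosts and /etc/staticroutes.

# relay_domains FILE: sorted, lower-cased domain keys of a "domain: host" file
relay_domains() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk -F: '{ gsub(/[ \t]/, "", $1); print tolower($1) }' | sort -u
}

# relay_check SMARTHOSTS STATICROUTES: print findings, return 1 if any.
relay_check() {
    a=$(mktemp); b=$(mktemp); rc=0
    relay_domains "$1" > "$a"
    relay_domains "$2" > "$b"
    # The routers' condition and route_list read staticroutes, so a domain
    # missing there is not relayed even if it is listed in smarthosts.
    for d in $(comm -23 "$a" "$b"); do echo "ONLY-IN-SMARTHOSTS $d"; rc=1; done
    for d in $(comm -13 "$a" "$b"); do echo "ONLY-IN-STATICROUTES $d"; rc=1; done
    rm -f "$a" "$b"
    # Entries still carrying the guide's placeholder relay name
    for f in "$1" "$2"; do
        n=$(grep -c '^[^#]*:[[:space:]]*Amazon_SES_Server' "$f" || true)
        [ "$n" -eq 0 ] || { echo "PLACEHOLDER-HOST $f ($n lines)"; rc=1; }
    done
    return $rc
}

# Constructed sample: example.org was added to smarthosts but never copied over
sm=$(mktemp); sr=$(mktemp)
cat > "$sm" <<'EOF'
# Added for Amazon SES
example.com: email-smtp.eu-west-2.amazonaws.com
example.org: email-smtp.eu-west-2.amazonaws.com
###
EOF
cat > "$sr" <<'EOF'
# Added for Amazon SES
example.com: email-smtp.eu-west-2.amazonaws.com
###
EOF
relay_check "$sm" "$sr" || echo "fix the findings above, then run /scripts/buildeximconf"
rm -f "$sm" "$sr"
```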

At this point I’d recommend heading into cPanel -> Webmail for one of the domains and sending a test email to an outside recipient (or the identity you’ve set up in AmazonSES!) to check delivery works okay.

Additional notes: I have discovered that upon performing these changes when you go back to Exim Configuration Manager you might see the following warning:

AmazonSES SmartHost exim-warning

I set this to contain just “amazonses.com” and the warning disappeared. I then removed it and saved the configuration again and the warning was still gone. *Shrugs*.

Remember to add the following to the SPF record of any domains that will be relaying through the AmazonSES SmartHost.

include:amazonses.com 

For more WHM related guides please see here

Adapted from the guide kindly provided here.