Login Failure Detection
LFD monitors authentication logs in real time and blocks IPs that exceed configurable failure thresholds across multiple services.
How LFD Works
- The daemon tails authentication log files (e.g., /var/log/auth.log, /var/log/secure).
- Each line is matched against service-specific regex patterns to detect failed login attempts.
- A per-IP failure counter is maintained for each service.
- When the counter exceeds the configured threshold, the IP is blocked for the specified duration.
- Counters reset after a configurable idle period with no new failures.
Monitored Services
| Service | Setting | Default | Log Source |
|---|---|---|---|
| SSH (sshd) | LF_SSHD | 5 | /var/log/auth.log or /var/log/secure |
| FTP (Pure-FTPd, ProFTPD, vsftpd) | LF_FTPD | 10 | /var/log/auth.log |
| IMAP (Dovecot, Courier) | LF_IMAPD | 10 | /var/log/mail.log |
| POP3 (Dovecot, Courier) | LF_POP3D | 10 | /var/log/mail.log |
| SMTP Auth | LF_SMTPD | 10 | /var/log/mail.log |
| DirectAdmin | LF_DA | 10 | /var/log/directadmin/login.log |
| cPanel / WHM | LF_CPANEL | 10 | /usr/local/cpanel/logs/login_log |
| Webmin | LF_WEBMIN | 10 | /var/log/webmin/miniserv.log |
| ModSecurity | LF_MODSEC | 5 | /var/log/apache2/modsec_audit.log or /var/log/httpd/modsec_audit.log |
Tip: Set a service threshold to 0 to disable monitoring for that specific service. For example, LF_FTPD=0 disables FTP failure detection.
Block Duration
# Temporary block (default: 1 hour)
LF_BLOCK_TIME=3600
# Permanent blocks (default: 0 = off; set to 1 to make LFD blocks permanent)
LF_BLOCK_PERM=0
When LF_BLOCK_PERM=1, blocked IPs are added to /etc/vistoshield/deny.list and remain blocked until manually removed.
Warning: Permanent blocks can quickly grow your deny list. Use this only if you also have a process to periodically review and clean the list.
Custom Log Paths
If your system uses non-standard log locations, override them in the config:
# Custom log paths
LOG_AUTH=/var/log/auth.log
LOG_MAIL=/var/log/mail.log
LOG_DA=/var/log/directadmin/login.log
LOG_WEBMIN=/var/log/webmin/miniserv.log
LOG_MODSEC=/var/log/apache2/modsec_audit.log
Whitelisted IPs
IPs in /etc/vistoshield/allow.list are never blocked by LFD, regardless of how many failures they generate. Always whitelist your own IP addresses:
# /etc/vistoshield/allow.list
203.0.113.10 # Your office IP
10.0.0.0/8 # Internal network
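The following is an added illustration of the detection loop described under "How LFD Works" together with the allow.list handling above. It is example code written for this page, not VistoShield's own implementation: the regexes, the per-service thresholds, the 300-second idle reset, and the sample log lines are all constructed for the demonstration, and the comparison used (block once the counter reaches the threshold, matching "LF_SSHD=3 blocks after 3 failures") is an assumption about the daemon's exact semantics.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample lines in the style of sshd and Dovecot entries (not from a real host).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 4001 ssh2
Jan 10 10:00:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Jan 10 10:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 4003 ssh2
Jan 10 10:00:06 host sshd[1204]: Accepted publickey for deploy from 203.0.113.10 port 5000 ssh2
Jan 10 10:00:08 host sshd[1205]: Failed password for root from 203.0.113.10 port 5001 ssh2
Jan 10 10:00:09 host sshd[1206]: Failed password for root from 203.0.113.10 port 5002 ssh2
Jan 10 10:00:10 host sshd[1207]: Failed password for root from 203.0.113.10 port 5003 ssh2
Jan 10 10:00:12 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.1.1.1
Jan 10 10:00:14 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=10.0.0.5, lip=10.1.1.1
"""

# Service-specific failure patterns (assumed shapes; a real daemon ships its own set).
SERVICE_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+)"),
    "imapd": re.compile(r"dovecot: imap-login: .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
}

THRESHOLDS = {"sshd": 3, "imapd": 10}   # LF_SSHD / LF_IMAPD style values, chosen for the demo
BLOCK_TIME = 3600                        # LF_BLOCK_TIME
IDLE_RESET = 300                         # idle period after which a counter resets (assumed value)
ALLOW_LIST = ["203.0.113.10", "10.0.0.0/8"]   # contents of allow.list from the section above


def parse_ts(line):
    """Seconds for a syslog 'Mon DD HH:MM:SS' prefix. The format carries no year, so
    values are only meaningful relative to each other, which is all the counters need."""
    t = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (t - datetime(1900, 1, 1)).total_seconds()


class LoginFailureDetector:
    def __init__(self, thresholds, block_time, idle_reset, allow_list):
        self.thresholds = thresholds
        self.block_time = block_time
        self.idle_reset = idle_reset
        self.allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow_list]
        self.counters = {}   # (service, ip) -> (failure count, time of last failure)
        self.blocks = {}     # ip -> block expiry time

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_nets)

    def is_blocked(self, ip, now):
        return ip in self.blocks and self.blocks[ip] > now

    def feed(self, now, line):
        """Process one log line at time `now`. Returns the IP if this line triggered a
        new block, otherwise None."""
        for service, pattern in SERVICE_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group("ip")
            if self.is_allowed(ip) or self.is_blocked(ip, now):
                return None                      # whitelisted, or already blocked
            key = (service, ip)
            count, last = self.counters.get(key, (0, now))
            if now - last > self.idle_reset:
                count = 0                        # idle period elapsed: start counting afresh
            count += 1
            self.counters[key] = (count, now)
            threshold = self.thresholds.get(service, 0)
            if threshold > 0 and count >= threshold:   # threshold 0 disables the service
                self.blocks[ip] = now + self.block_time
                del self.counters[key]           # the block supersedes the counter
                return ip
            return None
        return None                              # line is not a failure for any service


def scan(log_text, detector):
    """Feed every line of a log to the detector and return IPs in the order they were blocked."""
    blocked = []
    for line in log_text.splitlines():
        ip = detector.feed(parse_ts(line), line)
        if ip:
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    det = LoginFailureDetector(THRESHOLDS, BLOCK_TIME, IDLE_RESET, ALLOW_LIST)
    print("blocked:", scan(SAMPLE_LOG, det))
```

On the sample log, 198.51.100.7 is blocked on its third sshd failure; its later IMAP failure is ignored because the block is already in force, while 203.0.113.10 and 10.0.0.5 are never counted because they fall inside allow.list entries. Setting a service's threshold to 0 in THRESHOLDS disables detection for that service, mirroring LF_FTPD=0.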
Viewing LFD Activity
# View recent LFD blocks
vistoshield list --type lfd
# Check LFD statistics
vistoshield status
# Watch LFD in real time
tail -f /var/log/vistoshield/vistoshield.log | grep LFD
Example: Hardened SSH Configuration
For servers exposed to heavy SSH scanning, use aggressive thresholds:
LF_SSHD=3 # Block after just 3 failures
LF_BLOCK_TIME=86400 # 24-hour block
PORTFLOOD=22;tcp;3;120 # Max 3 new SSH connections per 2 minutes