What Is the Login Failure Daemon (LFD)? Print

  • CSF, Security, Firewall, Brute-Force Attack, LFD, Login Failure Daemon
  • 0

Login Falure Daemon or LFD, periodically checks for brute-force login attempts and if found, will block the IP address attempting to attack your server. WHM provides you with control over the LFD settings and provides you with ways to monitor login attempts to help detect Brute-Force attacks. This tutorial will walk you through the LFD settings in WHM.

LFD Statistics

  1. To locate LFD statistics in WHM, click on the Plugins link on the home page of WHM. 
  2. From here, select ConfigServer Security & Firewall.
  3. In the Server Information section, you can view your LFD Statisticsviewstats.png This tells you:
    • How many IP's were blocked in the last 24 hours.
    • IP Blocks by LFD in the last 30 days.
    • Blocks and block triggers in the last 12 months.
    • The total top 30 country code blocks by LFD.

These statistics can help you decide if you want to block IP addresses from specific countries, check your logs to see if you are experiencing a brute-force attack and determine if you need to increase security on your server.

LFD Settings

    • The LFD - Login Failure Daemon section of CSF allows you to view statuses and edit the configuration. 
    • LFD Status will show you the details of the lfd.service and if it is currently running. You will also see warnings if any part of the service is not working or unresponsive. 
    • After changing the configuration of LFD, it is recommended that you restart the service. Click lfd Restart from the lfd section of CSF.
    • When you have certain IP addresses, processes, scripts, scanners and users that you know are safe and want LFD to allow them access without the potential of being blocked, you can add them to the ignore file. There is a drop-down list in the Login Failure Daemon section that will navigate you to the correct list where you can add the exceptions you need.


      Once these files are updated, you will need to restart or reload CSF for the changes to go into effect.

    • Edit the Directory File Watching file (csf.dirwatch) by adding a list of directories and files to create alerts that will be sent to you if the directories and files are changed.


      You must specify full paths for each entry. An example would be /var/spool/cron . A restart of LFD is needed for changes to take effect.

    • You can edit the Dynamic DNS file (csf.dyndns) and allow all listed domains to be allowed through the firewall. 
    • LFD provides alert emails for alerts and tracking of login attempts and failures. You can edit the email templates to include additional information or have specific information omitted that is not necessary. Click on the drop-down menu to choose the alert text to change. 
    • The LFD Log Scanner Files contain log files or log lines that you want scanned and have a report sent to you periodically. You can add additional files and lines at the bottom of the document.


      You will want to restart CSF for your changes to take effect.

    • LFD has built in IP Blocklists that you can enable to help prevent attacks on your server. If there are other lists you would like to add, make sure you follow the syntax instructions in the file.


      A restart of CSF and LFD needs to be done if you uncomment the blocklist line or add your own.

    • The LFD Syslog Users file (/etc/csf/csf.syslogusers) contains usernames allowed to log via syslog/rsyslog. All the users that exist on the server listed here will be added to the system group. You can add accounts that log through syslog that are not listed but you need to have them listed.


      Only add user accounts and/or the default apache account (nobody) if absolutely necessary, otherwise, you will compromise the effectiveness of the csf.syslogusers file.


Was this answer helpful?

« Back