See also Zimbra Collaboration Server - Open Source Edition

http://configserver.com/cp/csf.html

http://configserver.com/free/csf/readme.txt

http://www.woktron.com/secure/knowledgebase/77/Installation-CSF-Firewall-on-CentOS-5-and-6.html

http://blog.softlayer.com/2013/iptables-tips-and-tricks-csf-configuration

http://pawapv.wordpress.com/2013/09/10/csf-firewall-installation-and-configuration/

http://www.bsntech.com/installing-configserver-firewall-on-ubuntu-1204/

• Advanced Firewall
  • Replaces ufw and firewalld
• Log File Monitoring
  • Replaces fail2ban
• Webmin Module
  • Easy web browser management
• IP Block Lists
  • Preconfigured
  • Just enable the lists you want to use

These commands also install Webmin, which enables a web GUI for CSF and host management.

apt-get install unzip ipset libwww-perl liblist-compare-perl liblwp-protocol-https-perl \
libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl \
libsocket6-perl libgd-graph-perl

echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib\ndeb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
add-apt-repository universe && apt update

apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl

You may optionally want to open a few holes in the default firewall just in case it ever gets turned back on.

systemctl status ufw.service
ufw status verbose
ufw allow from <your_management_ip_cidr> proto tcp to any port 10000 #Webmin

http://www.maxwhale.com/how-to-install-csf-on-webmin/

http://www.ask-gabe.com/server-admin/how-to-install-csf-config-server-firewall-with-webmin-support/

To ease installation, CSF automatically opens ports for network services that are currently running.

Upon installation, CSF starts in Testing Mode. You must take it out of Testing Mode after revising the configuration.

Upon installation, check the OS Specific Settings and verify that your OS was detected properly and that the Log file locations are correct.

rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Do not enable the log restriction feature of CSF when using Virtualmin, at least not without serious research and testing. RESTRICT_SYSLOG = 0

If using RESTRICT_SYSLOG = 3, you must create and add any important users (running services) to the mysyslog group:

ps -aux
groupadd mysyslog         # if the group doesn't already exist
usermod -G mysyslog root
# syslog daemon messagebus systemd-network systemd-resolve
# clamav www-data, proftpd, postfix, mysql, dovecot, opendkim, postgrey, zimbra, lool
grep mysyslog /etc/group

Webmin → Webmin Configuration → Webmin Modules → From local file → /etc/csf/csfwebmin.tgz → Install Module

If you have another firewall configured, stop it and make sure it doesn't auto-start or just remove it.

Disable the the existing firewall; enable and start CSF and LFD:

ufw disable
systemctl disable firewalld.service && systemctl stop firewalld.service
systemctl disable fail2ban.service && systemctl stop fail2ban.service
csf -e && lfd -e
csf -s && lfd -s

The CSF install script will enable CSF to auto-start.

Disable and stop iptables and firewalld:

service iptables stop && chkconfig iptables off
service ip6tables stop && chkconfig ip6tables off
systemctl stop firewalld && systemctl disable firewalld

Enable and start CSF and LFD:

chkconfig csf on
csf -e && lfd -e
csf -s && lfd -s

perl /usr/local/csf/bin/csftest.pl

vim /etc/csf/csf.ignore

Disable repeated message reduction in rsyslog to more accurately count login failures:

grep -r Repeat /etc/rsyslog.*

sudo sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
sudo service rsyslog restart
sudo csf -ra

http://www.linuxbrigade.com/learn-the-csf-command-line-options/

http://www.hostdime.com/resources/csf-ssh-command-line-commands/

Admin URL: https://ip.of.csf.host:10000/

Webmin → Webmin Configuration → Webmin Modules → From local file > /etc/csf/csfwebmin.tgz > Install Module

Settings shown are for Virtualmin hosting server.

http://www.woktron.com/secure/knowledgebase/77/Installation-CSF-Firewall-on-CentOS-5-and-6.html

https://www.digitalocean.com/community/articles/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

Webmin → System → ConfigServer Security & Firewall

• s is for source, d is for destination (ports or addresses).
• in (incoming) or out (outgoing) is allowed.
• tcp, udp or icmp are the protocol choices.
• If you just place an IP address on the line, all traffic will be allowed to and from that IP.
• CIDR address blocks are also allowed.

Edit /etc/csf/csf.allow:

vim /etc/csf/csf.allow

To allow access to port 25 from a particular IP address, add a line like:

tcp|in|d=25|s=1.2.3.4

To allow outbound mail to port 587 to a particular mail server IP address, add a line like:

tcp|out|d=587|d=1.2.3.4

To allow Webmin access:

# Webmin Access
tcp|in|d=10000|s=1.2.3.4   # Allow from your management IP or CIDR

To allow a range of ports to and from a remote host:

tcp|in|d=10000_10010|s=1.2.3.4
tcp|out|d=10001_10010|d=1.2.3.4

Restart CSF with csf -ra.

There is a backup and restore function of the web interface under Firewall Profiles.

Backups are stored in /var/lib/csf/backup/.

http://www.host-stage.net/client-area/knowledgebase/53/How-To-Backup-or-Restore-or-Export-your-CSF-Firewall-Configuration.html

cd /etc/csf/
tar cvfz csfbackup.tgz csf.conf csf.allow csf.dyndns csf.deny csf.*ignore csf.blocklists

Copy the csfbackup.tgz file to the new server and move it into /etc/csf/ before extracting.

cd /etc/csf/ && tar -xzvf csfbackup.tgz

You may need to manually deal with /usr/local/csf/bin/regex.custom.pm if you have customized LFD.

CSF logs to syslog (/var/log/messages or /var/log/syslog).

LFD generally logs to /var/log/lfd.log but can optionally log to syslog as well.

DROP_NOLOG = 67,68,111,113,135:139,445,500,513,520,5678

These ports are specifically blocked from being logged either to conserve hard drive space or make the log file easier to read. Here we add port 5678 (router neighbor discovery).

If you do this, be sure to change IPTABLES_LOG in csf.conf.

You may find a busy server syslog gets polluted by iptables firewall lines. This will separate the iptables stuff into a separate log file.

# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, startswith, "Firewall: " -/var/log/iptables.log
& stop

Restart the rsyslog service:

systemctl restart rsyslog.service

/var/log/iptables.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        create 0600 root root
        postrotate
                systemctl restart rsyslog.service ; sleep 5
        endscript
}

On Ubuntu systems, the log line begins with a timestamp that looks something like [306786.268889] which is harder to match so we use contains instead of startswith.

# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, contains, "Firewall: " -/var/log/iptables.log
& stop

/var/log/iptables.log
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        create 0640 syslog adm
        postrotate
                systemctl restart rsyslog.service ; sleep 5
        endscript
}

systemctl restart rsyslog.service

/usr/sbin/logrotate -f /etc/logrotate.conf

Research: http://forum.configserver.com/viewtopic.php?t=7719

Edit csf.blocklists (self documnented) and un-comment at least the CIDR lists:

• SPAMDROP
• SPAMEDROP
• DSHIELD

While the CIDR lists above will cover about 92%, you may also consider these other lists, if you have resources to spare (CPU, memory):

• BOGON (includes private IP ranges - use outside the firewall)
• HONEYPOT
• BFB
• OPENBL
• MAXMIND
• CIARMY
• AUTOSHUN

Edit csf.dyndns and add the dynamic DNS host names (FQDNs) you want to permit through the firewall.

The default DENY_TEMP_IP_LIMIT settling is 1000. It is often necessary to increase this limit, assuming you have the resources.

Temporary bans do not take advantage of ipset. If the number of bans is very high, it can take a long time to restart CSF and will use more CPU and RAM.

The temporary bans are kept in a file: /var/lib/csf/csf.tempban

Try flushing all the temporary and/or permanent blocks:

csf -tf && csf -df && csf -ra

WATCH_MODE = "0"

If you are ever stuck trying to troubleshoot a problem, you might consider turning this option on. You can use it to track the actions to watched IP addresses to see where they are getting blocked or accepted.

https://www.iplocation.net/

You may want to check the results to see where they are from, then decide which to block permanently in csf.deny.

grep "SASL LOGIN authentication failed" /var/log/mail.log |grep -Eo "unknown\[([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq

Use this command to look for attempts at a particular domain:

grep "auth failed" /var/log/mail.log |grep somedomain |grep -Eo "rip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" |grep -Eo "([0-9]{1,3}[\.]){3}[0-9]{1,3}" |sort |uniq

Results of install script on a Virtualmin server:

TCP ports currently listening for incoming connections:
22,25,53,110,143,587,993,995,3306,10000,20000

UDP ports currently listening for incoming connections:
53,123,10000,20000

IPv6 TCP ports currently listening for incoming connections:
21,22,25,53,80,110,143,443,587,993,995

IPv6 UDP ports currently listening for incoming connections:
53,123

Note: The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the following options in the CSF configuration to suite your server: TCP_*, UDP_*, IPV6, TCP6_*, UDP6_*
2. Restart ''csf'' and ''lfd''
3. Set ''TESTING'' to ''0'' once you're happy with the firewall, ''lfd'' will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding 192.168.0.69 to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration
`/etc/csf/csfwebmin.tgz' -> `/usr/local/csf/csfwebmin.tgz'

Installation Completed

Custom RegEx: https://forum.configserver.com/viewtopic.php?t=7517

LFD does more than just monitor log files for login failures.

LFD, in some opinions, is the best reason to implement the CSF firewall!

After a fresh install of CSF+LFD, you will probably get many e-mail warning messages sent to root by LFD's process and suspicious file tracking mechanisms. You will probably want to deal with these issues to make the tracking mechanisms truly useful, but you can just turn them off.

Make sure you have root mail routed to a real user! If you don't you could fill up the disk with unread e-mail messages.

See also: Route Administrative Mail to a Real Administrator

You will need to make adjustments to the LFD configuration to make the e-mail notices truly useful…and they are!.

After modifying an 'ignore' file, restart LFD:

service lfd restart

Virtualmin SMTP: https://www.virtualmin.com/comment/737419#comment-737419

The Postfix MTA is not directly supported by LFD. You must use custom settings. Is this still true?

http://forum.configserver.com/viewtopic.php?f=6&t=6968

Add a custom RegEx to detect SMTP authentication failures:

vim /usr/local/csf/bin/regex.custom.pm

Insert:

# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}

Now, edit the CSF configuration to tell it to monitor the proper log file for the new RegEx:

vim /etc/csf/csf.conf

Change:

CUSTOM1_LOG = "/var/log/maillog"

https://forum.configserver.com/viewtopic.php?f=6&t=7517&p=29227&hilit=postfix#p29227

CUSTOM1_LOG = "/var/log/mail.log"

# Postfix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,587","3600");
}

needs verification

/var/log/maillog

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ .* postfix\/s.*\/smtpd\[\d+\]: warning: .*\[(\d+\.\d+\.\d+\.\d+)\]: SASL (LOGIN|PLAIN|login) authentication failed:/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,587","3600");
}

Copy the date and time from the e-mail message from LFD and use a command like this to see which user is failing to log in:

grep "Nov 13 13:20" /var/log/secure

Virtualmin ProFTPd: https://www.virtualmin.com/comment/737419#comment-737419

vim /etc/csf/csf.conf

FTPD_LOG = "/var/log/secure"

FTPD_LOG = "/var/log/proftpd/proftpd.log"

Testing…

LFD is not detecting logged problems…

vim /usr/local/csf/bin/regex.custom.pm

# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
    return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}

FTPD_LOG = "/var/log/proftpd/proftpd.log"
CUSTOM1_LOG = "/var/log/mail.log"

# Postfix SASL Auth
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (postfix\/smtpd|postfix\/smtps\/smtpd)\[[[:digit:]]+\]: warning: [-._[:alnum:]]+\[([.[:digit:]]+)\]: SASL (LOGIN|PLAIN|(DIGEST|CRAM)-MD5|APOP) authentication failed.*/)) {
    return ("Failed SMTP AUTH from",$1,"csmtpautherr","5","25,465,587","3600");
}

# ProFTPd
if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
    return ("Failed FTP AUTH from",$2,"cftpautherr","5","20,21","3600");
}

# Dovecot
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: .* \(auth failed.* rip=([.[:digit:]]+).*/)) {
    return ("Failed Dovecot AUTH from",$1,"cimapautherr","5","110,143,993,995","3600");
}

http://forum.configserver.com/viewtopic.php?f=6&t=2059

The process tracking facility of LFD monitors the various processes running on your server watching for odd behavior. Ever had a web site abused to run rougue PHP processes? LFD will let you know when it happens.

Here is a /etc/csf/csf.pignore file that has been (mostly) adjusted to ignore the normal processes running on a Virtualmin hosting server with a base CentOS 6.6 operating system:

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/bin/php-cgi
exe:/usr/sbin/clamd
exe:/usr/sbin/dkim-filter
exe:/usr/sbin/httpd
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/sshd
exe:/usr/sbin/zabbix_agentd
exe:/usr/libexec/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/auth
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/postfix/anvil
exe:/usr/libexec/postfix/cleanup
exe:/usr/libexec/postfix/local
exe:/usr/libexec/postfix/pickup
exe:/usr/libexec/postfix/qmgr
exe:/usr/libexec/postfix/smtpd
exe:/usr/libexec/postfix/smtp
exe:/usr/libexec/postfix/tlsmgr
exe:/usr/libexec/postfix/trivial-rewrite
exe:/usr/libexec/postfix/virtual
exe:/usr/libexec/postfix/proxymap
exe:/usr/libexec/postfix/lmtp
exe:/usr/libexec/postfix/scache
exe:/usr/libexec/postfix/master

pcmd:/usr/bin/python /usr/lib/mailman/bin/qrunner.*
pcmd:/usr/bin/python /usr/lib/mailman/bin/mailmanctl.*
pcmd:webalizer -c /etc/webmin/webalizer/var_log_virtualmin_.*
pcmd:/usr/bin/php -q /home/.*/public_html/client/crons/domainsync.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/admin/cron.php
pcmd:/usr/bin/php -q /home/.*/public_html/client/pipe/pop.php

cmd:/usr/sbin/postgrey -d --unix=/var/spool/postfix/postgrey/socket
cmd:/usr/libexec/usermin/mailbox/index.cgi
cmd:/usr/bin/freshclam --quiet --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log
cmd:spamd child
cmd:/usr/libexec/webmin/virtual-server/backup.pl
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news

Here is a (work in progress) csf.pignore file for a Zimbra (monolithic) mail server:

###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt

exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login

exe:/usr/sbin/rpcbind
exe:/usr/sbin/rpc.statd
exe:/usr/sbin/chronyd
exe:/usr/bin/lsmd
exe:/usr/bin/dbus-daemon

cmd:/usr/bin/vmstat -n -S K 30
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/bin/bash /opt/zimbra/bin/zmopendkimctl status norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
cmd:/opt/zimbra/java/bin/java -version
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogprocess
cmd:/usr/bin/perl /opt/zimbra/bin/zmcontrol status
cmd:/usr/bin/perl /opt/zimbra/libexec/zmstatuslog
cmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavisd -X no_conf_file_writable_check -c /opt/zimbra conf/amavisd.conf
cmd:/usr/bin/python -S /usr/lib/mailman/cron/gate_news

pcmd:sh -c /opt/zimbra/bin/zmantivirusctl.*
pcmd:/bin/bash /opt/zimbra/bin/zmantivirusctl.*
pcmd:/usr/bin/perl -T -w /opt/zimbra/libexec/sa-learn.*
pcmd:/bin/bash /opt/zimbra/bin/zmjava.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/zmdailyreport.*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmlogprocess.*
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pcmd:/bin/bash /opt/zimbra/bin/zmconfigdctl .*
pcmd:/bin/bash -c /opt/zimbra/libexec/zmstatuslog .*

pexe:/opt/zimbra/postfix-.*/libexec/anvil
pexe:/opt/zimbra/mariadb-.*/bin/mysqld
pexe:/opt/zimbra/postfix-.*/libexec/lmtp
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/postfix-.*/libexec/qmgr
pexe:/opt/zimbra/postfix-.*/libexec/tlsmgr
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/httpd-.*/bin/httpd
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/pickup
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/clamav-.*/bin/freshclam
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
pexe:/opt/zimbra/opendkim-.*/sbin/opendkim
pexe:/opt/zimbra/postfix-.*/libexec/bounce
pexe:/opt/zimbra/postfix-.*/libexec/trivial-rewrite
pexe:/opt/zimbra/postfix-.*/libexec/cleanup
pexe:/opt/zimbra/postfix-.*/libexec/smtp

Edit the /etc/csf/csf.fignore file to ignore valid files and directories:

vim /etc/csf/csf.fignore

/tmp/\.horde
/tmp/\.horde/.*
/tmp/\.spamassassin.*tmp
/tmp/\.webmin/.*_backup.pl

https://www.namecheap.com/support/knowledgebase/article.aspx/10093/30/csflfd-security-notifications

https://www.knownhost.com/wiki/security/csf-lfd/notifications

• LF_EMAIL_ALERT - sends an email alert if an IP address is blocked by one of the triggers.
• LF_PERMBLOCK_ALERT - sends an email alert if an IP address is permanently blocked. This happens if the IP address has been temporarily blocked more than a few times (to configure, use LF_PERMBLOCK_COUNT).
• LF_NETBLOCK_ALERT - sends an email alert if an IP network class was blocked (conditions of such blocks can be configured by editing the adjacent parameters).
• LF_DISTFTP_ALERT - sends an email alert if LF_DISTFTP is triggered. The LF_DISTFTP option will keep track of all successful FTP logins. It blocks all the IPs that are suspected in being involved into an FTP distributed attack. You can configure it by editing the parameters in the Distributed Attacks section.
• LF_DISTSMTP_ALERT - sends an email alert if LF_DISTSMTP is triggered. The same scenario applies as above, but for SMTP.
• LT_EMAIL_ALERT - sends an email alert if the account exceeds a certain number of hourly logins per IP address.
• CT_EMAIL_ALERT - sends an email alert if an IP address is blocked due to connectivity tracking.