ConfigServer Community Forum

Hello,
I want to know that geoip database is on auto update or I need to update it manually?
If I need to update it manually, how should I do that? (please explain it briefly)
Thanks

My VPS (CentOS6 with CWP) logs failed logins in /var/log/dovecot-info.log:

May 05 15:20:13 pop3-login: Info: Disconnected (auth failed, 1 attempts): user= , method=PLAIN, rip=IP, lip=IP
but they are not blocked by CSF.

I've added this custom regex but still doesn't block them:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ pop3\-login.*auth failed.*rip\=(\S+)/)) {...

One of my client's IP is not included in csf.deny list, however they cannot still access the server.

When I csf -g 173.xxx.xxx.xx , it returns this result:

Chain num pkts bytes target prot opt in out source destination

PREROUTING 2001 0 0 REDIRECT tcp -- venet0 * 173.xxx.xxx.xx 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 2002 0 0 REDIRECT tcp -- venet0 *...

Hello, we recently installed cPanel on the new server and then deployed the CSF with LDF.
After this we started to receive the following email:

Subject:
fd on srv1.microtecsistemas.com.br: Excessive resource usage: mysql (54708 (Parent PID:54708))

Body:
Time: Tue Mar 14 23:00:54 2017 -0300
Account: mysql
Resource: Process Time
Exceeded: 439200 > 1800 (seconds)
Executable: /usr/bin/bash...

Hi,

It looks like that default logs path for e.g. modsecurity is not correct. Can I use?

MODSEC_LOG = /var/log/virtualmin/*.error.log

Also many paths under /etc/csf/csf.pignore are not correct for virtualmin. Could you please add separate config for virtualmin?

Thanks,

I am trying to understand what the Exceeded number below actually means. I am assuming that it means the process has run for 219,000 seconds, which exceeds the threshold of 1800.

Isn't it a good thing that MySQL is running all the time.

So what does the code expect that monitors process time? I guess the logic is if something runs for more than 1800 seconds, it's run too long. It seems that,...

My LFD web UI was working fine. I clicked disable firewall and it stopped responding. I then enabled the firewall with csf -e as root, and the firewall was enabled (apparently)... but now I get connection refused when I try to connect to the LFD web UI. I've tried rebooting the machine and I get the same problem. I tried connecting from localhost and it still gives me connection refused . There...

Hi,

EDIT: OS is CentOS 7 / CSF Version 10.06

How can I test if custom regex is firing or working?

CUSTOM1_LOG is set as /var/log/maillog

I have this in regex.custom.pm
if (($globlogs{CUSTOM1_LOG} {$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\ : warning:.*\ : SASL *? authentication failed/)) {
return ( Failed SASL login from ,$1, mysaslmatch , 3 , 25 , 3600 );
}

Sample log...

There is an ongoing 404 been logged in the error_log file. This come from different ip at every hour.
May i know does CSF include feature that deal with this kind of attack?

Tue Apr 25 11:28:24 2017] File does not exist: /home/noname/public_html/660
File does not exist: /home/noname/public_html/660
File does not exist: /home/noname/public_html/660
File does not exist:...

I'm trying to synchronize LFD with Cloudflare using these scripts:

It's working as far as the BLOCK_REPORT goes but it doesn't appear that UNBLOCK_REPORT is being triggered. Even if the script is failing should it at least be logged that it was triggered? Here is the LFD log:

Apr 23 09:07:35 cp1 lfd : (cpanel) Failed cPanel login from xxx.xxx.xxx.xxx (xxxxxxx): 3 in the last 3600 secs -...

Can not run CSF I either get page error 500 or a completely blank page.

I have found when logged in through SSH, using top, CSF will be running, even though prior to that only iptables was visible as a running process, not csf/lfd. I have uninstalled and reinstalled several times. csf/lfd will run initially but within a half hour to 45 minutes it will be stopped and iptables will be running...

Recently I started getting email alerts from LFD about excessive resource usage caused by my sftp server connection.

I hadn't made any changes, and put off modifying the csf.pignore file for a couple of months.

Today I checked the csf.pignore file, and there is already an entry for

exe:/usr/libexec/openssh/sftp-server

Looking at the alerts it looks like I need to add wildcarded virtfs...

Hey,

Since the update to v10 cluster restarts fail for every member. I run csf -crs or csf --crestart and get:

Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
{...}

All other cluster methods that we use regularly work, like --cping, --cfile, and individual bans with -cd

I have several websites made in WordPress. WordPress try to update itself regularly. When it happens, I received an email from the server for every website of this type:

Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php...

Hi,

Im using CC_DENY=RU,CN

but still I just got hammered with GET requests from a RU ip.

How come it is possible? :confused:

TY

Hi,

I'm seeing the following in my logs

Apr 20 14:08:43 squirrel lfd : Messenger HTML Service died, restarted
Apr 20 14:08:43 squirrel lfd : Messenger TEXT Service died, restarted
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8888: Address already in use, at line 213
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8889: Address already in use, at line 213...

can anyone help me, i want block it for max 24h not perm.. but it even block it perm

# test for relay
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /reject(.*)\ (.*)\ (.*)\>/)) {
return ( Failed Relay_check from IP: $2 to: $4 ,$2, LF_SMTPAUTH , 2 , 25,143,110,465,993,995 , 3600 );
}

big thx to all my head smokes xd

Hi again.

I also wonder if it's possible NOT to block permanent (could block temporary) when the country of an IP is mine (Canada) and a rule is triggered? This way, it would have way less impact on my customer that keeps forgetting their password.

Hi to all. Good product, saved my life a few time !!
I'm now in fine tuning mode, trying to filter real alerts from all alerts.

I want to know if it's possible to NOT receive this alert when and only when it's from my IP (69.66.66.66):

Time: Sun Apr 16 10:52:57 2017 -0400
IP: 69.66.66.66 (CA/Canada/fakeptr.ca)
User: root

Hi,

I´m trying to ignore the following type of alert:

Time: Mon Apr 17 03:43:59 2017 +0200
File: /tmp/.xcloner-b80c1
Reason: Suspicious directory
Owner: myuser:myuser (563:575)
Action: No action taken

All alerts start with /tmp/.xcloner-

I have added this to csf.fignore but no go:

/tmp/\.^xcloner

any help?