ConfigServer Community Forum

Hi,

I´m trying to ignore the following type of alert:

Time: Mon Apr 17 03:43:59 2017 +0200
File: /tmp/.xcloner-b80c1
Reason: Suspicious directory
Owner: myuser:myuser (563:575)
Action: No action taken

All alerts start with /tmp/.xcloner-

I have added this to csf.fignore but no go:

/tmp/\.^xcloner

any help?

Hello,

I realize this is 100% out of CSF's hands but because of some lack of support for ipt_owner in virtuozzo7 CSF now errors on all installs.

Error: iptables command failed, at line 2665

There is a bug report opened for this:

so for now, I need to know how to disable/remove this line from CSF

I have SMTP_BLOCK = 0

but am not sure what to disable in csf.conf to remove that one line from...

Hello,

I have MESSENGER html template working perfectly on 80, but can't make it work via HTTPS.
Tried this settings:
MESSENGER_HTTPS = 8887
MESSENGER_HTTPS_IN = 443,2083,2096 (also doesn't work when this is left empty)

Going to shows the block template, while timeouts.
I use latest CSF and latest cPanel 62.

Any ideas?

Thank you! :)

Greetings,

Why I don't get a notification for root accessing WHM ?
I have confirmed also via exim mail log , there is no alert for WHM root access.

Also I have contacted cPanel support team just to confirm if they can detect the issue, they replied:

---

This is indeed very strange. I'm seeing that no login alerts are even trying to be sent now. However, LFD is sending other alerts to root...

Hi
Me Install CSF in DirectAdmin.
But check site (ctrl+f5) try 4-6 next block my ip
me add ip in allow list but not show site and DirectAdmin.

sorry bad lange.

Hello!

I am trying to setup CSF on my VPS and love how powerful and versatile it is. I have been able to customize it a bit for my applications (Auto-bans, Wordpress logins, etc.), and it has been stopping a lot of naughty traffic thus far.

Although it is stopping all of these break in attempts, i am curious which users (or domains) generate the most hacking attempts. Would it be possible to...

Unable to connect to retry in 94 seconds. An Upgrade button will appearacne here if new version is detected

The current version is currently working on DirectAdmin is Config Server & Firewall Security - csf v9.10

It may be possible that that button only appears when a software update is available ???

The first set of lfd blocking statistics Blocks by lfd in last 24 hours and Block triggers in last 24 hours show stats from 11 days ago and not latest 24 hours. Yesterday showed same stats from March 2 (etc).. Other graphs are correct. Error confirmed by comparing with csf.deny file. Not critical but it is annoying.

:( Specs:

- DDos from facebook

- User-agent
173.252.124.57 - - GET / HTTP/1.1 444 13710 - facebookexternalhit/1.1 (+

OS: Cloudlinux 6
Panel: Directadmin Custombuild 2.0

Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Log in audit log security
--64513437-H--
Message: Access denied with code 444 (phase 1). Pattern match...

Hi guys

I'm using csf v10.05 to block brute force attempts and it's working well but with one minor issue:

It's also blocking genuine access to the websites.

I'm using the CC_DENY = country codes here and I was mistakenly under the impression it would ONLY block WHM or root level access through SSH.

Is there a better solution to what I am doing...? Could I for example whitelist my country and...

Hi,
I been running my server without any issues for over a year now.
Starting a couple days ago I started receiving this: Excessive resource usage: rpcuser every hour out of no where.
I understand I can add this to the ignore list but I just wanted to see if anybody knows if this is some kind of hacking attempt or if the server may be compromised in any way.

Thanks for any help.

Hello

Im using OpenLitespeed (last version) with CentOS7.
I'd like to block offending IPs but sound like that, following this im unable to do that.

I've configured OpenLitespeed to put logs in the form of vhost1.access.log vshost2.access.log in /usr/local/lsws/logs/vhosts/

Here's an example

444.444.444.155 - - GET /xmlrpc.php HTTP/1.1 404 655 - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)...

Hello all.

I have a fully dedicated VPS with GoDaddy. The only thing they manage is the physical server the VPS resides on and ensure that my VPS is up...I am 100% responsible for all configurations, maintenance etc. I downloaded CSF and installed it and then ran the ./csftest.pl script to see what its doing, I get the following:

# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing...

In my log file I have seen someone to brute a lot of vulns, there are over 256 entries, but they only try twice for each attack, then try another vuln.

However the string of
x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H=
is always present.

GET...

Hi,

How to allow ossec agent to communicate? Which place do need to allow udp port in csf?

Thanks./

Since I re-installed CSF on my new server I get continual emails every few minutes.

They are about blocking access to IP's, port scanning, etc.

How can I stop them from sending emails every few minutes?

Thanks,

Greetings,

How to block IP with authentication failure to Samba service just like or similar to SSH service.

Thanks,

Hi,
I really like the CSF tool but am getting lots of alerts for suspicious process and excessive resource usage . These are for processes I know about and am ok with the resource usage.
I've got them filtered to go into a special mail folder, but the constant alerting obscures when I get an email I want to read. Similarly, I'll never know if I really DO have something problematic because the...

Hello,

I'm trying to create custom regex in CSF to block failed logins for SoftEther VPN .

Here is part of the log file :

2017-04-03 18:22:28.210 OpenVPN Session 124 (55.55.55.55:49490 -> 192.168.0.19:1194) Channel 0: Failed to connect a channel.
2017-04-03 18:22:28.246 Connection CID-114 terminated by the cause User authentication failed. (code 9).
2017-04-03 18:22:28.246 Connection CID-114...

Hi there,

I have tried using different paths and regular expressions pointing to the executable that is causing me constant excessive resource emails but I can't seem to find the right one. I am currently getting that the executable is the following:

Executable: /opt/cpanel/ea-php56/root/usr/bin/lsphp.cagefs

I tried doing

pexe:/opt/cpanel/ea-*/root/usr/bin/lsphp...