ConfigServer Community Forum

I have created a file /etc/csf/csf.custom.deny which contains a single line:
11.22.33.44 # LHB

Then in csf.deny at the top I have a line:
include /etc/csf/csf.custom.deny # do not delete

I then restart csf and lfd (this is on a cPanel system on Centos using ipset)

When I lookup the address 11.22.33.44 via CSF, it does not appear. And if I look in the ipset chain chain_DENY the address does not...

In the new year, i'll potentially be migrating to a new server.
Is there a backup/restore feature in CSF so I can migrate my config over.
Or a cfg file buried away somewhere ?

I'll also need the same for mail scanner.

I'm having a really hard issue to figure out.

I have 2 computers on my local network. Several times now, one of the computers is unable to access several of the sites on my server, but the other can access them just fine! I confirmed that both have the same IP address, no VPN or anything.

If I disable CSF, both computers can access the sites with no problem.

I used Search for IP address , and...

I've pounded on this for quite some time now with the two following custom rules. Log locations set in the conf file, but nothing working. Please make recommendations if you run across this post.

The built in IMAP rules in CSF do not work on my server. Never have. Non standard Debian/Postfix/Dovecot setup to blame I suppose.

Trying to prevent the following. Below are errors, followed by regex...

I'm trying to migrate a WHM/CPanel server from Centos 7 to Alma Linux 8. In Alma Linux, Host Access control does not allow the same configuration as Centos.

In Centos host access control you can select the Daemon, the IP(s), and Allow or Deny. So for example in my Centos config I allow my IP to access SSHD and then I set the next rule to deny all other IPs to that same Daemon.

In Alma Linux...

I'm using Cloudflare, and dealing with attacks that LOOK like they're coming from Amazon / Cloudflare IPs. At 3:06pm today my server load went from 0.68 to 150 inside of 1 second :-O

When Cloudflare sends the IP, it shows up as X-Forwarded-For. I use Apache's mod_remoteip to change that to REMOTE_ADDR in Apache config, using:

RemoteIPHeader X-Forwarded-For

But I'm not whether CSF would see the...

I've been getting a ton of suspicious process alerts lately about a Perl script that hasn't been modified since 2020. So I'm pretty sure these are false alerts.

The email says:

Time: Tue Dec 12 15:18:14 2023 -0500
PID: 19935 (Parent PID:23922)
Account: nobody
Uptime: 99 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

/usr/bin/perl...

I stopped receiving alert emails about SSH root logins, on all the servers i use CSF+LFD on... did something change in a recent update?

Hello.

I am starting to have a very large SMTP_ALLOWUSER. How do you create groups for use of SMTP_ALLOWGROUP? Presently it shows mail,mailman.

Thank you,
Larry

Hello,

I have a DNS querys problem with query.senderbase.org: since 3 weeks. After check I found a this page

I think Senderbase replace with Talosintelligence. Any idea this point ?

Regards

I'm using csf 14.20 on an Ubuntu Jammy system behind a 1GB FIOS connection. With csf/lfd running, I get throughput of about 30M/s, which increases to about 800M/s with csf/lfd disabled. I'm using a fairly generic csf.conf (shown below) and have tried to improve performance by reducing DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT to 100, but obviously it's still subpar. Any suggestions for how to narrow...

For a server I manage, I explicitly want to receive notification emails of successful ssh logins. I've enabled this, and allow-listed my own fixed IP address.

My customer can login to one account using ssh, but doesn't have a fixed ip. Is there a way to allow-list the public ssh key he's using?

An example of such notification would be:

Nov 28 13:05:51 srv sshd : Accepted publickey for...

Hello,

Currently, I get a ton of emails like this:
lfd on : Suspicious File Alert
Time: Mon Nov 27 10:17:20 2023 +0100
File: /tmp/xxxxxxxx.o
Reason: Linux Binary
Owner: varnish:varnish (xxx:xxx)
Action: No action taken

These files are created by Varnish when it compiles the VCL for reloading.

However, I already whitelisted the varnish user from /etc/csf/csf.fignore like this:
user:varnish...

I have tried searching for all the synonyms I could think of for transfer, copy, new server in relation to CSF, and have come up with nothing...

Searched here and on the COnfigServer website.

I am needing to move all my sites from one server to a new server. The old server will get turned off later.

And I would REALLY like to know how to copy all my settings for CSF from the old server to the...

Hi,
I have already looked around this form , but did not come to a positive conclusion in the end.
I have been working for years with csf (and now also with cxs ). Now I am getting 'weird' messages on /opt/cpanel/ea php81/root/usr/sbin/php-fpm. Especially since multiple files are being opened/transferred.

I have investigated the ip's and they are from cloudflare and google (even 1 from...

Hi all

Updated post after further investigation.

It looks like CSF has not been blocking IPs based on ModSec events for over 30 days, at least. This is across two WHM CentOS servers.

LFD Stats only show CT_LIMIT, LF_DISTATTACK, and LF_PERMBLOCK_CONT triggers, but no LF_MODSEC events in the last 30 days.

ModSec looks like its doing what it should, and I can see the usual events. There's been...

Recently I disabled WP-CRON for wordpress and started using CPANEL with WGET to replace it. I've started getting emails lfd on XXXXX: Suspicious process running under user . I found some instructions on where to go to tell CSF to ignore these in the /etc/csf/csf.pignore edit, but I'm unclear exactly how to do this. Here is what the LFD emails are showing:

Executable:...

Hi guys,

We have configured the alert template (/usr/local/csf/tpl/alert.txt) on multiple servers to send email to a particular email account

This has been working fine for a number of years.

All of a sudden on one server it no longer works. We are puzzled as to why this would be the case.

Any ideas?

Thanks
Sasha

SYSTEM INFORMATION
OS type and version Rocky linux 8.8
Webmin version 2.101
Virtualmin version. 7.8.2
Config server Firewall(CSF) verison 14.20(generic)

I want to see alerts of outgoing emails from my server when they cross a certain limit and I have configured everything accordingly but alerts are not coming in my given email. Everything is working fine except Relay Tracking. We are using...

I've always used CC_ALLOW_FILTER to block non-US IPs, but I recently began using Cloudflare and now all connections come from a Cloudflare IP! My server load has skyrocketed, so I don't think that CSF is able to block non-US IPs anymore.

I blocked them in Apache configuration, but I think that runs after CSF, too, so I'm still getting the Apache connection for each request. And I'm talking about...