ConfigServer Community Forum

I have installed Shadowsocks client (for SOCKS5 proxy) and Privoxy (for convert socks5 to http proxy) on Centos 7 (I use cPanel).

SOCKS5 is running on 127.0.0.1:1080
Privoxy is running on 127.0.0.1:8118

When the CSF is enable, the socks5 and http proxy don't work:

# curl --socks5 127.0.0.1:1080
curl: (35) Encountered end of file

But when I disable CSF (csf -x), It works:

# curl --socks5...

Hi
Is it possible to disable login failure detection of IMAP in the CSF configuration for a particular user?

I would like to make sure login failure in a single account do not add the user IP to a deny list.

Some customers just don’t understand why they are blocked, but it might be an old ipod in their network trying to continually connect with an old password.

Hi team

I am using CSF and mod Security. I have implemented an automated reporting facility to AbuseIPDB.

It all works well - except occasionally, it sends a report to AbuseIPDB but does not block in CSF

When that happens, this is what is reported in AbuseIPDB

(CT) IP 12.345.6.789 (CA/Canada/-) found to have 190 connections;

This is what shows in Hits List for Modsec (there are many...

We are getting blocks from an unknown IP range which is not visible in any of our other logs besides lfd logs. It does not cause any harm as of now but it looks like a csf bug itself. Please suggest some solution if there is available or fix it in next update.

Blocks that we are getting is as below:

Time: Mon Nov 29 05:35:47 2021 -0800
IP: 0.172.31.183 (-)
Connections: 2160
Blocked: Temporary...

Hi,

Is there some way to ignore checks for a specific email address?

My situation is that one of our cPanel users had an email address for an employee. The employee is gone, the address was deleted but the ex-employee still checks the address a thousands of time a day and they keep banning some important IP addresses. We have whitelisted the respective ranges but now we are getting many...

i need to exclude single email login with same To header from distributed attack / permblock

this is sample exim log line
1nBXpM-000DFy-Nx for email@domain.com

if i add this code to csf.logignore should work ?

^.*dovecot_login:email@domain.com.*for email@domain.com

Ever since I try CSF on a new Debian 9.4 server, LFD fails to start.
I first migrated csf.conf and allow and ignore lists etc. from a debian 7 server,
Then also tried a clean install, To no avail. Searches don't bring help either.
Some hits on sendmail requirement? Who still uses sendmail? Seriously. I'm running postfix. Done so for 20 years. Up until now CSF LFD always worked fine....

Hello friends.

How can we block sites like hackertarget.com/reverse-ip-lookup and host and block all domains on one IP address?

Is there a way to block it through CSF/LiteSpeed?

hello

i use whm/cpanel , also last weeks i receive lot of amil notification like :
lfd on servers.site.com: Excessive resource usage: host (24147 (Parent PID:1817))

Time: Wed Feb 26 18:48:07 2020 +0100
Account: host
Resource: RSS Memory Size
Exceeded: 331 > 256 (MB)
Executable: /opt/cpanel/ea-php72/root/usr/sbin/php-fpm
Command Line: php-fpm: pool host_us
PID: 24147 (Parent PID:1817)
Killed:...

Hi,

I have set LF_PERMBLOCK_ALERT = 0 and restarted CSF through WHM but I am still receiving email alerts on Excessive resource usage. Are there any other configurations that I have missed out?

We are constantly receiving Excessive Resource Usage emails, example:

Time: Sun Jan 16 10:10:34 2022 -0700
Account:
Resource: Virtual Memory Size
Exceeded: 514 > 512 (MB)
Executable: /opt/cpanel/ea-php74/root/usr/sbin/php-fpm
Command Line: php-fpm: pool
PID: 1446 (Parent PID:3470)
Killed: No

We have tried setting PT_USERMEM to 1024, and to 0 and we still receive the notices (this setting...

Its not every day I find something this perplexing, so I thought I would toss this out there to the hive mind and see if anyone can guess what might be going on here.

Server is a Centos 7, fully updated server, high end specs, bare metal, latest Release version of cPanel. Running Litespeed.

This is so weird.

So, this url:

For any of you in the forum would load perfectly normally across all...

Hello,

I am asking this question on behalf of the organisation I currently work for.

Can you please confirm this product is not vulnerable to the following CVE's in relation to the recently discovered log4j vulnerabilities

CVE-2021-44228
CVE-2021-45046
CVE-2021-45105

Thank you for your time and I apologize for the inconvenience.

Regards

Hi there,

From what I can make out, the settings are correct to only receive notifications for successful logins via SSH.

# Send an email alert if anyone logs in successfully using SSH
LF_SSH_EMAIL_ALERT = 1

LF_PERMBLOCK_ALERT = 0

Though we're still receiving alerts when there are blocks caused by failed SSH logins.

Time: Mon Jan 17 23:29:24 2022 +1000
IP: 0.0.0.0 (ZZ/Country/-)...

Hello,

I was wondering if it would be possible to send lfd notifications like: login notification, suspicious process,... to an REST API endpoint/server, instead of sending them by email? In case of an email system failure, emails are not sent, but sending them to another (monitoring) system over eg. Https (to an API) would be a good alternative.

There seems to be an option to execute a script,...

Hello,

This topic has been mentioned already. I have read all the relative posts, I think and cannot find an answer.

We are running centos 7.9, mod_security 3, CSF rules and mod_lsapi. We do see that mod_security is correctly identifying attacks in the cPanel tools. When we look in our CSF logs, we see only about a third of the IP's are being blocked.

Saw mention of the need to create a...

In what order does CSF will be triggered if I have this config set:

CT_LIMIT = 100
CT_INTERVAL = 10
CT_SKIP_TIME_WAIT = 1
CT_PORTS = 80,443

SYNFLOOD = 1

CONNLIMIT = 443;100,80;50

PORTFLOOD = 443;tcp;20;3,80;tcp;20;3

I also observe after adding CONNLIMIT and PORTFLOOD rule for port 443/80... CT_LIMIT doesn't work/block abused IP anymore.

Seems that command line help ( -h --help -?) does not work any more.
csf: v14.15 (cPanel)

I have problem with coding in file /etc/csf/csf.deny.

When I'm editing this file in Python I'm getting error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xce in position 2882: invalid continuation byte .

# file -i /etc/csf/csf.deny
/etc/csf/csf.deny: text/plain; charset=unknown-8bit

# find . -type f -print | xargs file | grep deny
./csf.deny: Non-ISO extended-ASCII text

So my...

Hello,

I would like to permanently block/ban the ips that csf detects as port flood but I cannot. I have very often back attacks of this type:

Dec 17 23:05:15 nsxxxx kernel: Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1329 PROTO=UDP SPT=59384 DPT=27017 LEN=33

Dec 17 23:05:19 nsxxxxx...