ConfigServer Community Forum

I have been beating my head on this for quite a while. I have lost track at all of the things I have tried. I am getting notices of the following:

Executable:

/opt/cpanel/ea-php74/root/usr/bin/php.cagefs

Command Line (often faked in exploits):

/usr/local/bin/ea-php74 -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php

Network connections by the process (if any):

udp:...

Hello Forum,
I want to block an IP Adresse in the range of 91.241.72.0 to 91.241.72.254. Due to spam and multiple IP Adresse in that range.
So i added 91.241.72.0/24 #do not delete to /etc/csf/csf.deny.
And yes i restarted the firewall.

Then i tried to ping 91.241.72.1 from my host... no ping.. Great I thought it works.
The next day I got spam from that IP range agian. WTF!

After some...

Hi, i have two servers that every hour the settings are reseting, and removes on special cofig on TCP_IN, TCP_OUT and SMTP_ALLOWUSER,
i tryed to fix this reinstalling, searching for a cronjob but i already not found what is happening, on the logs there is no not about the resetting

Unless I have an IP address/port entry in the csf.allow (tcp|in|d=5061|s=my_ip_address/32), incoming SIP signaling with TLS transport (not UDP) on port 5061 is blocked.
I suspect SPI is rejecting this traffic.
Is it possible to turn off SPI on specific ports?

port 5061 is being opened with port knocking. I can see incoming traffic on tcp 5061 port with tcpdump, so I guess port has been...

I recently discovered a very odd entry in the lfd.log file (I have replaced my actual domain with 'domain.com'):

Dec 19 14:20:11 cobalt lfd : here: []
Dec 20 00:28:25 cobalt lfd : here: []
Dec 20 17:15:07 cobalt lfd : here: []
Dec 20 19:54:16 cobalt lfd : here: []
Dec 20 22:59:28 cobalt lfd : here: []
Dec 20 23:00:48 cobalt lfd : here: []
Dec 21 00:35:36 cobalt lfd : here: []
Dec 21...

Any idea how to make CSF Firewall only logging to file not the console ?
Using CloudLinux 8.5 with cPanel, last time i check the server it was correctly logging into the log file, but now it's shows the log too in the console.

Hi All,

We have seen a behaviour in all CloudLinux 8 servers with the introduction of nftables with iptables with connections using PASV.

To this test, we have ensured that on TCP_IN ports for FTP are defined between 50000-59000 and Pure-FTPD configured to use that ports.

With CSF enabled, when we try to connect to a remote FTP and it tries to list directories, this is the result:

# ftp...

Hi,

LF_SUDO_EMAIL_ALERT = 0 is ignored.

I have some scripts that use sudo to be executed, and I got a lot of emails even if the variable is set to 0.

lfd on srv1: SUDO login alert - Successful login from user1(uid=0) to user2

I've added UID 0 to csf.uidignore but still no working..

Can you please fix it?

Thank you!

Recently I started get these error messages. They are for one customer only.
Can anyone tell me what a possible cause may be.

Time: Tue Dec 14 16:16:03 2021 +1300
Type: AUTHRELAY, Remote IP - 124.248.134.94 (NZ/New Zealand/124-248-134-94.dynamic.lightwire.co.nz)
Count: 101 emails relayed
Blocked: No

2021-12-14 07:57:43 1mx2gw-0002Ok-OM <=email@domain.co.nz...

Hi

I recently installed ConfigServer Security & Firewall - csf v14.15 on my VPS and there is an apparently easy problem to solve. A single client has access to the webmail blocked by the Firewall. The internet provider that serves you very often changes the internet IP. There are customers that the provider is another and changes with 30 days or more the IP address, but this provider is messing...

Hi

CC_ALLOW_PORTS_TCP seems to not be working for port 587 in combination with the Dutch (NL) country filter.

The connecting IP's came from NL but were not able to connect.

Thanks

I have six clustered CSF 14.15 servers, all with UDPFLOOD_ALLOWUSER = bind set, but I am receiving UID xxx (bind) Tracking Hit reports from all servers. This seemed to start happening after I enabled IPv6.

Anyone else seeing the same thing?

Dear all:

I've been using csf at least 5 years, great product.

I have setup a new server and installed it as usual. But as soon I enabled it, all the network goes crazy, the network latency pikes high, making almost unusable :confused: , I thought I was having issues with the ISP, but I then disabled csf and everything back to normal, enabled it, and the network slow down inmediately.

OS:...

Hi,

I just installed CSF, test it and run in normal mode (disable testing).

The problem is if I try to block IP, it continue working for sites under CloudFlare protection. Blocking working for sites without CloudFlare.

How I can setup it to block bad HTTP requests for CF sites? I already use CloudFlare firewall but it take 5 minutes to block any IP and my site work unstable. Thanks

Last night the server using CWP Pro comming with CSF and LFD upgraded to the latest version.

One of our websites/shop running on that server started having issues on the checkout page.

Page load times of normal cached pages got a little extra delay in it.
The checkout page however gotten an extra delay of between 20-60 seconds......

Yes u read this right 20-60 seconds delay on page load

When...

The /usr/local/csf/bin/regex.custom.pm file allows you to set up blocking for failed Wordpress login attempts, for example:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] \w*(?:GET) \/wp-login\.php.* /)) {
return ( Failed WordPress GET ,$1, WPLOGINGET , 5 , 80,443,21,25,22,23 , 1 );
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] \w*(?:POST) \/wp-login\.php.* /))...

Hi all! :)

I just wanted to confirm whether wildcards are supported in csf.redirect or not. The documentation seems to suggest that they are, but I get this:

Error: csf: Invalid csf.redirect format , at line 3249

With this:

# /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing...

I added several repeat offender ASN's to CC_DENY. Was really excited about this because it could make my life a lot easier.

However, I was dismayed to see IP's from within those ASN's still hitting Apache. The field is setup like this:

CC_DENY = AS12345, AS23456, AS34567

Is this the proper format? I added 20 ASN's, are there any settings to adjust to allow so many? Perhaps DENY_IP_LIMIT? I'm...

Hi all!
We have these settings in place in CSF configuration file:

LF_DISTSMTP = 5
LF_DISTSMTP_UNIQ = 3
LF_DISTSMTP_PERM = 1
LF_DISTSMTP_ALERT = On
LF_DIST_INTERVAL = 300

And some DISTSMTP triggers have been intercepted because of some customer of ours having used Gmail for sending mail messages via our server's MTA.

So we received some mail warings (subj: distributed SMTP Logins on account...

Hello Team,

I need urgent help for CSF issue. On our production server FTP failed attempts not blocked by csf. I am really frustrated and I am literally checking this issue since 4 days.

For example:

Nov 10 04:27:52 w212 pure-ftpd : (?@152.57.198.52) Authentication failed for user
Nov 10 04:27:52 w212 pure-ftpd : (?@152.57.198.52) Logout.
Nov 10 04:27:58 w212 pure-ftpd : (?@152.57.198.52) New...