ConfigServer Community Forum

Hi,

seems that the bug reported in this previous topic is happening again.

On several of our servers it was not working until we did apply the same fix.

Is there a way to skip the Apache status check in LFD altogether?

I tried setting: PT_APACHESTATUS =
but lfd log keeps showing lfd: STATS: Unable to retrieve Apache Server Status - Unable to download: Cannot parse URL: '?auto'

Hi! I run a server on WHM/CPanel, with several sites on it. Since 5 days ago, someone is attacking this site, sending LOTs of requests to the site. Even if I suspend the site, I still get hundreds of requests per minute, from several IPs around the world.

Is there any way I can stop this kind of attacks using CSF/LFD?

Time: Thu Oct 28 22:21:17 2021 +0000
Uptime: 152156 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/532/bin/perl

Is this a false signal?

Hi I've done some searches and saw a few hits:

I'm fairly new to defending my own server against attacks and thought that it would be helpful to automatically populate csf.deny with data from various blacklists. The above search results show this has been brought up a few times, but it seems the conclusion is there is too much data to effectively do that with csf (limitation of software...

Hi, I have some servers acting as Wireguard endpoints that need to accept traffic from certain ports and forward them to another host on a LAN at the other end of the Wireguard tunnel. Incoming data on the ports are accepted and forwarded to the appropriate host. Outgoing data is masqueraded. The TCPMSS clamp is required to ensure the forwarded packets respect the tunnel MTU. In this case as you...

How are the IP's/ranges loaded into Ipset? Are they simply added to the csf.deny and csf processes them into Ipset or other method? Is there a way to easily bulk add deny IP's?

I have an existing ipset how do I add that to the deny?

All I've seen essentially is make sure it's installed and change the conf to 1.

Thanks!

I don't know if this is a CSF bug or something else so I post it here.

In Centos 7, it was enough to put these lines in the csf.pignore file:
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
no problems with perl mails about spamd and spamd child anymore.

Since Centos 8 this is change, no clue as to why.
On is about a suspicious process, the other one about excessive resource usage....

I'm using a file with IP addresses and ranges as a permanent block list. When I search for an abusive IP address (5.188.62.76) in CSF I see that it's blocked by 5.188.62.0/24 resulting in the following output:
Table Chain num pkts bytes target prot opt in out source destination

filter DENYIN 37291 0 0 DROP all -- !lo * 5.188.62.0/24 0.0.0.0/0

filter DENYOUT 37291 0 0 LOGDROPOUT all -- * !lo...

Hey,
I'm unable to start lfd on centOS 8.2 with DirectAdmin v.1.61.3. iptables v1.8.4 (nf_tables). CSF and LFD in newest versions.

Logs:

CSF:
csf : iptables v1.8.4 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT
csf : LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
csf : iptables v1.8.4 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain INPUT...

Good Day

I would like to know if it is possible to exclude a domain name from csf. A client of mine is constantly blocked when using his email on his pc via Outlook. Have one through all settings and setup the account numerous times.

Any suggestions will be helpful.

Thanks in advance.

Can someone help me ? I have the following problem.

I configured CSF on a new server and everything was working perfectly, but after I added a few more ips via Cpanel Interface (range of 16 ips) my server crashed, I couldn't access whm or ssh, luckily I have physical access to the machine and to the monitor and I was able to disable the csf with the command csf -xe after disabling everything...

Good morning!
I am new to csf so sorry if this a repeat thread. How do I use the csf firewall app in WHM to white list IP address ranges? The documentation I have read is not very clear.

Thanks in advance.

Eric

Hello

the LFD keeps failing and recovered every fed minutes

The service “lfd” appears to be down.
The system’s command to check or to restart this service failed.

i have tried to investigate the issue by

# service lfd status
Redirecting to /bin/systemctl status lfd.service
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled;...

Hi guys!

I made a custom regex rule that worked in the begging but now looks like it's not triggered anymore.

Here it is:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] \w*(?:POST) .*\/admin\/ HTTP.*301.* /)) {
return ( OC Admin attack ,$1, OC-admin-login , 1 , 80,443 , 8600 );
}

and in the /etc/csf/csf.conf:

CUSTOM3_LOG =...

Hello.

I hope everyone is safe and healthy.

The most recent update (Oct. 4, 2021) of ConfigServer wiped out all my previous settings. Does it make a backup somewhere?

Thank you.

helo
lets say our server has 2 ip A and B.
but i only want to block ip A to access country CN.
how do we achieve that?

cc_deny , yes we can use that but for ip source A and B.. how do we only apply ip A?

I've got a user that keeps getting blocked for a custom LFD rule to block 3 consecutive Worpress failed logins within 3600 seconds. But they swear they are not getting failed logins. The rule is the widely published rule:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] POST \/wp-login\.php.* 200/)) {
return ( Failed WordPress login from ,$1, wordpress , 5 , 80,443 , 3600 );
}...

Our CS&F works well but we are getting Excessive resource usage warnings that I can't see how to stop using csf.pignore.
And I can't see a solution in the forums.

Our developer uses the Visual Studio Code remote extension and the executable link varies for each hosting account e.g:
Executable: /home/murrayheatingand/.vscode-server/bin/7f6ab5485bbc008386c4386d08766667e155244e/node
Executable:...

Genuine transaction or website access or wordpress-admin updates are blocking csf with the following reason.

Temporary Blocks: IP:157.33.50.133 Port:80 Dir:inout TTL:518400 (Blocked port 80 with Directadmin Brute Force Manager)

How to prevent this or how to prevent the genuine traffics.?? its happening for all.