ConfigServer Community Forum

Hi. I've been using CSF for a while on a PVE (LXC) server.
The host has an interface vmbr0 for public address and a vmbr10 that we use as an internal network (10.0.X.X)
Most LXC containers only have one of the internal network address as we use a Nginx proxy in one of them to receive all the external traffic. This to the local containers is an eth0 address. Additional IPs are routed through the...

Hello, I just installed csf and the first time using it. when I check csf status I find that's running but got only this warning:
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

How to resolve it, thanks

Hello,

Somebody use fredomedosvsd@gmail.com mail address and all other types like

fr.e.dom.ed.os.v.sd@gmail.com
fr.e.dom.e.do.sv.sd.@gmail.com
f.re.domedosvs.d@gmail.com
fr.edome.dos.v.s.d@gmail.com
f.r.e.d.o.m.edosv.s.d.@gmail.com

......

Tousend of types :( I'm already use LFD Blocklist database but not help :( How can I stop that spammer ? Because they are using some script and attack my...

Hello,

I keep seeing a ton of these errors - Failed IMAP login from

They are from me and I am getting mail however I do notice a lot of times it failing.

So I am looking for a solution to either exempt myself (not the best practice) or resolve why so many of my attempts are failing.

Im seeing those messages in the lfd log.

If you need me to provide any additional information feel free to...

I get a lfd on host.******: Suspicious File Alert.

Time: Mon Jun 29 11:45:17 2020 -0400
File: /tmp/libjansi-64-git-Spigot-db6de12-18fbb24-5095707643582958365.so
Reason: Linux Binary
Owner: kar***:kar*** (1050:1050)
Action: No action taken

The number after /tmp/libjansi-64-git-Spigot-db6de12- always changes.
How can I ask lfd to ignore those files?
Thank you.

Hi guys,
I'm new to csf, so, please dont judge me hard if already have answers.
Could you please help me understand how to build me owr rules.
As many users we run WP sites and most attacks are over login.php and xmlrpc.php.
So, how to tell:
If xxx.xxx.xxx.xxx POST (GET) login.php (and/OR xmlrpc.php) then check this IP in csf blacklists and if is there ban it perm (temp)

This example will help...

I have OSM installed on a few servers and I'm running into some weird errors I can resolve. The original error was:
*ERROR* Net::Pcap failed to install, see /etc/osm/osmpcap.log. Packet inspection feature has been disabled in osm.
To which i installed pcap on the servers that were affected via
sudo yum install perl-Net-Pcap
yum install libpcap libpcap-devel -y

I later saw this post ( ) where...

Is it possible to block connections from China (CN) without blocking e-mail from China?

We have one account that must receive e-mail from China. If I use CC_Deny, they e-mail is denied.

I would like to block login attempts, but not block e-mail from CN.

I'm not sure if whitelisting would work, but even if it did, I wouldn't know what domains to whitelist because they are working with...

Hi all,
we installed ConfigServer Security & Firewall yesterday and last night I noticed that I cannot update (nor register) domains with registrar through WHMCS. Its a custom built module, worked fine before Csf install and registrar confirmed there is no problem at their end.
Does anyone know what setting might be wrong in CSF that could possibly block registrar communication through WHMCS?...

When setting LF_MODSEC to 3 (for example), does that mean the offending IP is blocked if the *same* modsec rule is matched 3 times, or does it mean the IP is blocked on the 3rd match of *any* modsec rule?

Thanks for any clarification you can provide!

Hello dudes , after updating to v14.03 , I am facing some issues with CSF .
My CSF Automatically Stop and then after some seconds it's Automatically enabled , this happens again and again.
and in logs I see these logs -

Jun 18 20:47:35 server lfd : IPv6 Enabled...
Jun 18 20:47:35 server lfd : LOAD Tracking...
Jun 18 20:47:35 server lfd : Country Code Lookups...
Jun 18 20:47:35 server lfd :...

I'm happy to report that CSF works fine on Centos 8. I fired up a test Centos 8 VM and everything seems to work fine.

# cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)

# uname -a
Linux centos8.example.com 4.18.0-80.7.1.el8_0.x86_64 #1 SMP Sat Aug 3 15:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The only issues I've run into:

When doing a minimal install of Centos 8 the...

I have CSF installed on a Ubuntu 18.04 machine. We just installed libvirt on the machine and have VMs that are using the internal network adapter virbr0. When libvirt starts, it adds the following rules:

# Generated by iptables-save v1.6.1 on Tue Jun 16 11:48:26 2020
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24...

Hi,

i need to protect FORWARD rules , csf.redirect

-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -j LOGDROPIN
-A INPUT ! -i lo -p icmp -j ACCEPT
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT !...

When you login to CloudLinux via SSH you get a welcome message something like There have been 9,980 failed login attempts since the last successful login. I was thinking CC_DENY should reduce this number significantly, however I still have a lot of IP's included in that number that are from countries I have blocked. For example in the welcome message it also tells you the last IP blocked, and I...

Hey guys!

I'm hosting a domain for a friend who used to use other hosting provider.
One of his employee is not longer working for him, but this person still have in her smartphone (Actually not her anymore, since she sold it to someone else, but didn't factory reset the smartphone) her old old mail account connected . But this mail box no longer exist, so lfd treats this as a imapd attack.
This...

I cannot seem to get this to work. I am running openlitespeed with mod_security 3.0 module on a non-cPanel CentOS 8 server and it denies access when using test URL, and logs the event like it supposed to, but LFD completely ignores it.

csf.conf has the following:
LF_MODSEC = 5
LF_MODSEC_PERM = 1
MODSEC_LOG = /usr/local/lsws/logs/error.log

I even tried...
MODSEC_LOG =...

Hello,

We'd like to disable the email alerts for certain types of alerts. For example, we don't need an email when there is a POP/IMAP/SMTP login failure, as it's easy to search the logs for there.

Thanks!

Hello,

I'm wondering if CSF has any way to do some aggregate monitoring across a set of clustered servers to look for bad actor IP addresses.

For example even a single IP that is hitting lots of websites across all of our servers is suspicious.

It's really suspicious if it's hitting /xmlrpc.php on multiple sites across our servers and a strong sign it's a bot net or some type of scanning....