ConfigServer Community Forum

Hello,

I use csf with cPanel(up-to-date) and set CC_ALLOW worked for about one week and after that started to block IP-s from the country specified at CC_ALLOW. This behavior happened on two independent servers with the same architecture.
I think is not normal. What do you think?

Istvan

I searched but not sure I'm searching for the proper thing. I have one customer that has more than 30 users using email. They constantly are kicking off the firewall and I have to reset it.
Is there a way to restrict the firewall from blocking people using one domain on the server?
I understand this could cause trouble.

Does anyone have a working set of rules they use with CSF to help reduce impact from repeated login attempts on WordPress?

These attempts take place with /xmlrpc.php (multiple attempts in one post) and /wp-login.php (single attempt). Often one IP will try many, many times (eg yesterday, 3000 in 2 days).

It would help a lot if CSF was able to auto-block them with some built-in solution; far more...

Hi,

I'm looking for a solution/workaround NOT to block ip addresses from country ABC when hit by lfd (fx login failures, etc.)
Are there any easy way?

I have been looking at
Which can generate a list (not sure if it's complete, but that's ok) of CIDR for Whole country. But the list will naturally be QUITE long. So I fear that it will have performance influence when putting list of 100000s...

best,

in how far can we redirect blocked ip to other server,
so we can tell wy whe has blocked the user ip and what see can do

now when ip is blocked, see don`t now anny thing, then ony default page from the brouwser it self

Hi Guys, when we receive massive attack, we receive a lot of emails, when say:

Interval: 300 seconds
Blocked: Permanent Block (IP match in csf.allow, block may not work)

When try block this from GUI CSF say this ip is on csf.allow. Next to view this file... ip is not present.

But when we edit csf.block & putting ip manually, CSF block attacks from this ip.

I have other server with CSF, same...

The server admin address gets the following alerts about once a minute:

Time: Mon Mar 27 13:19:19 2017 -0400
PID: 3696 (Parent PID:1399)
Account: grais40
Uptime: 88 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/524/bin/perl

Command Line (often faked in exploits):

cpdavd (CalDAV/CardDAV) - authenticated as user@example.com

Network connections by the process (if any):

tcp:...

There's a lot out there about various methods to secure SSH access better.

But on a Cpanel server, in my opinion, access to WHM gives the user a degree of privileges near that of logging into SSH via root. So I have a few questions for discussion.

First, let me setup the context for the application of these methods. It's a server that does not have to be HIIPA or FICA compliant. It just has one...

Hi,

I am trying to configure the HTTPS messenger service to give an HTML error message when an IP address is blocked. It's working, but very slow. When I usee httpie, I get the following error:
http: error: SSLError: certificate verify failed (_ssl.c:579) while doing GET request to URL:
With Firefox, it works, but takes well over a minute before the page loads. I have no idea where the holdup...

Hi,
CSF stops almost every night. I receive the following error message:

/var/log/lfd.log

Jun 19 03:20:16 server lfd : iptables appears to have been flushed - running *csf startup*...
Jun 19 03:20:18 server lfd : csf startup completed
Jun 19 03:20:18 server lfd : *Error* csf reported an error (see /etc/csf/csf.error). *lfd stopped*, at line 7146
Jun 19 03:20:18 server lfd : daemon stopped
Jun...

Csf Enabled but stopped. Can not restart.
I test the installation with perl /usr/local/csf/bin/csftest.pl and it tells me the following error.

 Testing ip_tables / iptable_filter ... FAILED - Required for csf to function
Testing ipt_LOG ... FAILED - Required for csf to function

Testing ipt_multiport / xt_multiport ... FAILED - Required
For csf to function
Testing ipt_REJECT ... FAILED -...

i have csf setup and its working very good (blocking everything i configured) but its not blocking 404 after 60 404s

my 404 logs look like this

GET /site/cfg000b HTTP/1.1 404 12095 - Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

do i need to have any custom settings or why is this not working?

Hello,

I use scanmyserver.com to do an audit of my server. I was looking through the ModSec logs and saw an IP address that was there more than five times, performing a scan. I was curious as to why csf hadn't blocked them. So I went into the GUI and searched for the IP and then realized the IP belonged to scanmyserver, however, the IP address is also listed in the GreenSnow blocklist.

How does...

Hello,

If I wanted to whitelist my server's IPv6 local loopback address, do I need to whitelist:

::1/128
fe80::/10

Or would
::1/128

be enough? Essentially, is it a good idea to whitelist the link-local address (fe80)? Also, should it be fe80::/10 or fe80::/64? I'm still struggling a little with the IPv6 stuff.

Thanks!!!

So it didn't take me long to realize that IP's are not actually being banned when using Cloudflare because iptables isn't looking for X-Forwarded-For in the header (is this even possible?) So the attack comes from Cloudflare IP, which of course is whitelisted, so the server is completely unprotected.

So after reading the documentation, I found BLOCK_REPORT which I can use to fire off an API call...

Anyone knows how can I fix this?

When I restart I also get this message:

open3: exec of /usr/sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line 4947.

Hi friends..

I want setup allow for some country. In my case I want allow 80 port for France. I setup this and all is work perfect.
But problem is next.

I have two servers, First is in DC1 and second is in DC2. This servers have same system OS Ubuntu 14.04.

on DC1 all work perfect but on DC2 this don't want work.

On DC2 work only allow over IP or over DynDNS but allow country don't want...

First question:

How are the rules applied? Is the csf.deny applied first and then csf.allow - or is csf.allow applied first?

Here is my issue.

In the csf.allow file, I have IP ranges allowed for port 80 and port 443 - idea is to prevent them from being blocked:

tcp|in|d=80|s=1.1.1.0/24
tcp|in|d=443|s=1.1.1.0/24

However, computers within that range seem to have mis-configured mail clients....

Hello
I have a mail user witch IP is continuously TCP_IN blocked for portscan.
When I look at the log it uses an MAC-destination:MAC-source:Mac-type combination that is always the same but with different IP all over the world.
But my mailuser says he has a fixed IP !
Does anyone know what is happening ?
Thanks for your help.
Marc