ConfigServer Community Forum

Hi, i'm getting tens of thousands emails per month from cxs and the subject for most of them is in the form of :
cxs on server.server.com (Hits:1)(Viruses:0)(Fingerprints:0)
Is there a way to get this reports only when a virus is detected ?

The command that is shown in the email body is :
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan...

Hello, I am in latest version 10.11 , deactivated LF_CSF and activated WAITLOCK but still have this warning message that LF is down from the cPanel

Hi,

I originally posted on to but realised it was marked as

We have the reCaptcha working on all servers except one. The one server shows Failed to pass human test. Please try again.

I can see that on all the other servers there is an unblock.txt file in eacg /home/csf/ directories. This non-working server does not have this file. I've checked that the csf user has permission to write to...

Hi

lfd/csf block PageSpeed Insights website speed test

if i have enabled csf/lfd i can check website using PageSpeed Insights

if firewall disabled PageSpeed Insights works fine

any sugestions ?

regards

We have a CentOS 7 server where we are running CSF v10.04.

On this server we have Qmail as the MTA (part of Plesk 12.5) and it logs to rsyslog via the 'root' user.

I checked /etc/csf/csf.syslogusers and root is already included in the file by default. However, root does not get added to the mysyslog group as confirmed by the following command:

# groups root
root : root

We have restarted...

In /etc/csf.allow, if I want to enable an IPv6 address for a specific port, is the syntax the same, i.e.:

tcp:in:d=22:s=2601:589:4600:3f05::/64

It does not seem to allow the IPv6 address. Is there a different syntax for allowing IPv6 for a specific port/source address? Thanks.

Rob

Hello everyone!

Im having trouble keeping custom configurations in our CSF installation. We are running WHM build 39, and csf v10.09 (just updated)

The problem occurs after this lfd log output:

May 26 00:00:03 hos lfd : TERM
May 26 00:00:03 hos lfd : daemon stopped
May 26 00:00:07 hos lfd : daemon started on - csf v10.08 (cPanel)

After that restart, no custom settings remain in csf.conf, and...

Hi all,

I've been getting numerous suspicious process alerts each day, listing /usr/bin/php as the suspicious process but no actual process beyond that. I'm not sure if this is a false positive or not - and even if it is I don't know how to block it because it doesn't seem wise to ignore everything under php.

Can anyone help interpret this? I've searched high and low in this and other forums...

Hi there,

I'm trying custom regex to prevent Joomla Brutefoce login base on Wordpress Bruteforce login.
But it's not working. Somebody help me where i'm wrong ?
This is my regex

# joomla
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] POST \/administrator\/index\.php.* 200/)) {
return ( Failed Joomla login from ,$1, joomla , 2 , 80,443 , 3600 );
}

What's the easiest way to block all SMTP traffic from a centos server (with cPanel) and CSF installed?

I'm wanting to test a transferred site on a new server and don't want emails to be sent whilst it's being tested.

Can I set LF_ALERT_TO to multiple email addresses? If so, what is the format?

Hello CSF

I installed your wonderful plugin on Tuesday of this week.

Since then I've received 539 emails from LFD saying:

lfd on mail.myserver.tld: Suspicious process running under user myusername

Its found the same files for each domain on my server and they seem to be files from WordFence

Here follows the email:

Executable:...

Hello,
I want to know that geoip database is on auto update or I need to update it manually?
If I need to update it manually, how should I do that? (please explain it briefly)
Thanks

My VPS (CentOS6 with CWP) logs failed logins in /var/log/dovecot-info.log:

May 05 15:20:13 pop3-login: Info: Disconnected (auth failed, 1 attempts): user= , method=PLAIN, rip=IP, lip=IP
but they are not blocked by CSF.

I've added this custom regex but still doesn't block them:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ pop3\-login.*auth failed.*rip\=(\S+)/)) {...

One of my client's IP is not included in csf.deny list, however they cannot still access the server.

When I csf -g 173.xxx.xxx.xx , it returns this result:

Chain num pkts bytes target prot opt in out source destination

PREROUTING 2001 0 0 REDIRECT tcp -- venet0 * 173.xxx.xxx.xx 0.0.0.0/0 multiport dports 80,2082,2095 redir ports 8888
PREROUTING 2002 0 0 REDIRECT tcp -- venet0 *...

Hello, we recently installed cPanel on the new server and then deployed the CSF with LDF.
After this we started to receive the following email:

Subject:
fd on srv1.microtecsistemas.com.br: Excessive resource usage: mysql (54708 (Parent PID:54708))

Body:
Time: Tue Mar 14 23:00:54 2017 -0300
Account: mysql
Resource: Process Time
Exceeded: 439200 > 1800 (seconds)
Executable: /usr/bin/bash...

Hi,

It looks like that default logs path for e.g. modsecurity is not correct. Can I use?

MODSEC_LOG = /var/log/virtualmin/*.error.log

Also many paths under /etc/csf/csf.pignore are not correct for virtualmin. Could you please add separate config for virtualmin?

Thanks,

I am trying to understand what the Exceeded number below actually means. I am assuming that it means the process has run for 219,000 seconds, which exceeds the threshold of 1800.

Isn't it a good thing that MySQL is running all the time.

So what does the code expect that monitors process time? I guess the logic is if something runs for more than 1800 seconds, it's run too long. It seems that,...

My LFD web UI was working fine. I clicked disable firewall and it stopped responding. I then enabled the firewall with csf -e as root, and the firewall was enabled (apparently)... but now I get connection refused when I try to connect to the LFD web UI. I've tried rebooting the machine and I get the same problem. I tried connecting from localhost and it still gives me connection refused . There...

Hi,

EDIT: OS is CentOS 7 / CSF Version 10.06

How can I test if custom regex is firing or working?

CUSTOM1_LOG is set as /var/log/maillog

I have this in regex.custom.pm
if (($globlogs{CUSTOM1_LOG} {$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\ : warning:.*\ : SASL *? authentication failed/)) {
return ( Failed SASL login from ,$1, mysaslmatch , 3 , 25 , 3600 );
}

Sample log...