ConfigServer Community Forum

There is an ongoing 404 been logged in the error_log file. This come from different ip at every hour.
May i know does CSF include feature that deal with this kind of attack?

Tue Apr 25 11:28:24 2017] File does not exist: /home/noname/public_html/660
File does not exist: /home/noname/public_html/660
File does not exist: /home/noname/public_html/660
File does not exist:...

I'm trying to synchronize LFD with Cloudflare using these scripts:

It's working as far as the BLOCK_REPORT goes but it doesn't appear that UNBLOCK_REPORT is being triggered. Even if the script is failing should it at least be logged that it was triggered? Here is the LFD log:

Apr 23 09:07:35 cp1 lfd : (cpanel) Failed cPanel login from xxx.xxx.xxx.xxx (xxxxxxx): 3 in the last 3600 secs -...

Can not run CSF I either get page error 500 or a completely blank page.

I have found when logged in through SSH, using top, CSF will be running, even though prior to that only iptables was visible as a running process, not csf/lfd. I have uninstalled and reinstalled several times. csf/lfd will run initially but within a half hour to 45 minutes it will be stopped and iptables will be running...

Recently I started getting email alerts from LFD about excessive resource usage caused by my sftp server connection.

I hadn't made any changes, and put off modifying the csf.pignore file for a couple of months.

Today I checked the csf.pignore file, and there is already an entry for

exe:/usr/libexec/openssh/sftp-server

Looking at the alerts it looks like I need to add wildcarded virtfs...

Hey,

Since the update to v10 cluster restarts fail for every member. I run csf -crs or csf --crestart and get:

Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
Sent request to , no reply
{...}

All other cluster methods that we use regularly work, like --cping, --cfile, and individual bans with -cd

I have several websites made in WordPress. WordPress try to update itself regularly. When it happens, I received an email from the server for every website of this type:

Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php...

Hi,

Im using CC_DENY=RU,CN

but still I just got hammered with GET requests from a RU ip.

How come it is possible? :confused:

TY

Hi,

I'm seeing the following in my logs

Apr 20 14:08:43 squirrel lfd : Messenger HTML Service died, restarted
Apr 20 14:08:43 squirrel lfd : Messenger TEXT Service died, restarted
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8888: Address already in use, at line 213
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8889: Address already in use, at line 213...

can anyone help me, i want block it for max 24h not perm.. but it even block it perm

# test for relay
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /reject(.*)\ (.*)\ (.*)\>/)) {
return ( Failed Relay_check from IP: $2 to: $4 ,$2, LF_SMTPAUTH , 2 , 25,143,110,465,993,995 , 3600 );
}

big thx to all my head smokes xd

Hi again.

I also wonder if it's possible NOT to block permanent (could block temporary) when the country of an IP is mine (Canada) and a rule is triggered? This way, it would have way less impact on my customer that keeps forgetting their password.

Hi to all. Good product, saved my life a few time !!
I'm now in fine tuning mode, trying to filter real alerts from all alerts.

I want to know if it's possible to NOT receive this alert when and only when it's from my IP (69.66.66.66):

Time: Sun Apr 16 10:52:57 2017 -0400
IP: 69.66.66.66 (CA/Canada/fakeptr.ca)
User: root

Hi,

I´m trying to ignore the following type of alert:

Time: Mon Apr 17 03:43:59 2017 +0200
File: /tmp/.xcloner-b80c1
Reason: Suspicious directory
Owner: myuser:myuser (563:575)
Action: No action taken

All alerts start with /tmp/.xcloner-

I have added this to csf.fignore but no go:

/tmp/\.^xcloner

any help?

Hello,

I realize this is 100% out of CSF's hands but because of some lack of support for ipt_owner in virtuozzo7 CSF now errors on all installs.

Error: iptables command failed, at line 2665

There is a bug report opened for this:

so for now, I need to know how to disable/remove this line from CSF

I have SMTP_BLOCK = 0

but am not sure what to disable in csf.conf to remove that one line from...

Hello,

I have MESSENGER html template working perfectly on 80, but can't make it work via HTTPS.
Tried this settings:
MESSENGER_HTTPS = 8887
MESSENGER_HTTPS_IN = 443,2083,2096 (also doesn't work when this is left empty)

Going to shows the block template, while timeouts.
I use latest CSF and latest cPanel 62.

Any ideas?

Thank you! :)

Greetings,

Why I don't get a notification for root accessing WHM ?
I have confirmed also via exim mail log , there is no alert for WHM root access.

Also I have contacted cPanel support team just to confirm if they can detect the issue, they replied:

---

This is indeed very strange. I'm seeing that no login alerts are even trying to be sent now. However, LFD is sending other alerts to root...

Hi
Me Install CSF in DirectAdmin.
But check site (ctrl+f5) try 4-6 next block my ip
me add ip in allow list but not show site and DirectAdmin.

sorry bad lange.

Hello!

I am trying to setup CSF on my VPS and love how powerful and versatile it is. I have been able to customize it a bit for my applications (Auto-bans, Wordpress logins, etc.), and it has been stopping a lot of naughty traffic thus far.

Although it is stopping all of these break in attempts, i am curious which users (or domains) generate the most hacking attempts. Would it be possible to...

Unable to connect to retry in 94 seconds. An Upgrade button will appearacne here if new version is detected

The current version is currently working on DirectAdmin is Config Server & Firewall Security - csf v9.10

It may be possible that that button only appears when a software update is available ???

The first set of lfd blocking statistics Blocks by lfd in last 24 hours and Block triggers in last 24 hours show stats from 11 days ago and not latest 24 hours. Yesterday showed same stats from March 2 (etc).. Other graphs are correct. Error confirmed by comparing with csf.deny file. Not critical but it is annoying.

:( Specs:

- DDos from facebook

- User-agent
173.252.124.57 - - GET / HTTP/1.1 444 13710 - facebookexternalhit/1.1 (+

OS: Cloudlinux 6
Panel: Directadmin Custombuild 2.0

Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Log in audit log security
--64513437-H--
Message: Access denied with code 444 (phase 1). Pattern match...