ConfigServer Community Forum

Im using ConfigServer Security & Firewall - csf v8.08
csf deny some IPs randomly, and i get no email from CSF for blocking that IP
It even blocks my own using IP also and it force me to go to WHM and do Firewall Restart.
and then problem resolve.

I even check those blocked IPs in Firewall Deny IPs , but i see those IPs not listed.
I dont know why this happens, please help me

sometimes my users...

Hi,

I just spun up a new VPS, running Centos 7.1 and I have installed csf 8.08.

The first installation only gave me a score something like 45/69 (My other VPS has a max score of 140!)

So I uninstalled msg using the uninstall script and re-installed...
It is worth noting that after each install attempt, CSF is listed as not running and I need to run it manually.

I am getting errors in the...

I have try to prevent sending Suspicious File Alert emails which contain:

File: /tmp/netatop-0.5/netatop.init
Reason: Script, starts with #!

File: /tmp/netatop-0.5/mkversion
Reason: Script, starts with #!

by adding

exe:/tmp/netatop-0.5/netatop.init
exe:/tmp/netatop-0.5/mkversion

to the csf.pignore file but somehow those two lines are not getting excluded from the alert emails.

Any...

Good evening, I disabled my php.ini on the line enable_dl = on = off to enable_dl.
But in the config server firewall still get a warning message asking to disable dl.
Obs. In my php.ini this off

I am getting alerts for memory usage and a user. Errors such as these are spamming my inbox:
• lfd on server: Excessive resource usage: username (13319 (Parent PID:10223))

And so forth. I changed the memory for PT_USERMEM in /etc/csf/csf.conf to 500 from 200 and issued `csf -r`. Sadly I am still getting erros about exceeding the amount of memory. Similarly I have tried to use csf.pignore with...

Hi,

Is it possible to distinguish between real hacking attempts where a series of passwords is tried and a user who has input a wrong password in their mail program?

I have business clients that travel all the time and work together out of different venues each time.
Outlook for mac has the annoying habit of suggesting that the password might be wrong each time there is any issue with the...

I am experiencing a strange issue with Csf and amazon Ses. The email sending through amazon ses works fine for few days and then it get blocked.

After restarting it works fine, how do i diagnose this ?

Unable to connect to retry in 300 seconds. An Upgrade button will appear here if new version is detected

Anyone else have this issue. Never had issue for over a year. They are white listed in the firewall.

Was wondering if someone could shed some light on this log message and tell me whether it is a normal spam assassin call that is being blocked by csf and if that is normal or is something misconfigured in csf? The dst port is 24441 which Pyzor uses to communicate with the server. I am seeing these every hour and it is quite annoying to say the least. Is there something amiss or can I somehow stop...

Recently did a new install of Config Server Firewall and performed most of the suggestions from the Check Server Security. Unfortunately in my haste, I changed something I should not have.

Now temporary/shared URL's ( are no longer accessible. Thsi means that the shared SSL certificate cannot be used and peeps are emailing me about page not found errors.

Other than changing everything back,...

Hello,

cPanel admin said my server is probably under DDoS attack.

It used the following command line to find many SYN_FLOOD

root@host # netstat -an|grep :80|grep SYN|awk {'print $5'}|cut -d: -f 1|sort|uniq -c | grep -v 1
5 106.67.111.131
5 175.143.154.42
2 197.232.245.42
3 202.69.15.64
5 208.54.39.240
2 216.123.13.109
5 76.171.160.2
5 92.97.47.199

and we used the following command...

One IP is being blocked in iptables even when I already added to the csf.allow and csf.ignore I don't know what CSF rule is doing that, because I don't find anything related to the IP in system logs. If I check the iptables I found a DROP line when the IP is already blocked. Yesterday I enabled the WATCH_MODE but I don't know how to identify the cause of the block for the IP.

Any ideas?

This...

Hi Team,

We have installed an email application (Sendy) to our virtual server.
*Added the dns names for the region for amazon
*Added user/cmd ignore list

However it is still getting banned by CT_LIMIT. We have increased this to 1000 to prevent the issue however I was wondering if there is a way we can exclude this process/user from the CT_LIMIT.

Thank you

Hello,

In file csf.blocklists, one can enable various external IP blacklists to be included in CSF.

I want to ask how many IPs is too much to be blocked?

I have around 3GB RAM free. One spare CPU core, not sure how to count how many IPs i can afford to block.

openbl.org list has around 2300 IPs

Here someone have a time to move some deny ips into an external blacklist file, not sure what is...

Hello,

I receive a lot of messages regarding sonarpush using excessive resources:

lfd on host.xxxxx.org: Excessive resource usage: systuser (1220 (Parent PID:1220))
Time: Tue Nov 3 15:47:08 2015 +0100
Account: systuser
Resource: Process Time
Exceeded: 228641 > 1800 (seconds)
Executable: /usr/local/lp/apps/sonarpush/sonarpush
Command Line: SonarPush 0.5.236
PID: 1220 (Parent PID:1220)
Killed:...

Hello

I have block access for some countries by CSF .
now a group of visitors from the same ISP can't access to my website but their country should blocked also this IPs not include in /etc/csf/csf.deny file .

1- How can i exactly check if CC DENY caused to blocked IPs or other reasons caused it ?

2- Does csf get latest IP list from geoip automatically or i should update geoip list manually ?...

On an 11.50 server my backups are being killed by LFD and I can't figure out why

# csf -v
csf: v8.08 (cPanel)
# grep pkg /etc/csf/csf.pignore
cmd:pkgacct*
exe:/usr/local/cpanel/bin/pkgacct
exe:/usr/local/cpanel/scripts/pkgacct
#

This is the notification:

On Fri, Nov 14, 2015 at 6:55 AM, wrote:
Time: Fri Nov 13 07:55:55 2015 -0500
Account: $USER
Resource: Process Time
Exceeded: 1853 > 1800...

Guys.

Could someone help me with a custom regex to block failed cpanel logins.

I see quite a number of these daily.
Dropping connection from xx.xxx.xx.xx because of tcp_wrappers at cpsrvd.pl line 4191

If there are only one or two entries, then i don't worry too much, but occasionally, i'll get some hacker/robot etc, that will have 30 or more attempts, and quite often coming back for another go...

CentOS 7 rc1 is out today and was testing it with CSF

seems it cannot find ifconfig

after install:

*** USE_CONNTRACK Enabled
open3: exec of /sbin/ifconfig failed at ./auto.generic.pl line 153.

csf -r
Error: /sbin/ifconfig (ifconfig binary location) -v does not exist!, at line 2221

./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing...

I'm trying to get LF_MODSEC to block IPs that trigger mod_security rules, but so far it's not working as I expect. Here are my settings:

MODSEC_LOG = /var/log/httpd/error_log
All vhosts are set to put errors in this log

LF_TRIGGER = 0
LF_TRIGGER_PERM = 0
LF_MODSEC = 5
LF_MODSEC_PERM = 86400

Here are some example rule triggers from /var/log/httpd/error_log. Each of these examples is repeated...