ConfigServer Community Forum

Hello,

cPanel admin said my server is probably under DDoS attack.

It used the following command line to find many SYN_FLOOD

root@host # netstat -an|grep :80|grep SYN|awk {'print $5'}|cut -d: -f 1|sort|uniq -c | grep -v 1
5 106.67.111.131
5 175.143.154.42
2 197.232.245.42
3 202.69.15.64
5 208.54.39.240
2 216.123.13.109
5 76.171.160.2
5 92.97.47.199

and we used the following command...

One IP is being blocked in iptables even when I already added to the csf.allow and csf.ignore I don't know what CSF rule is doing that, because I don't find anything related to the IP in system logs. If I check the iptables I found a DROP line when the IP is already blocked. Yesterday I enabled the WATCH_MODE but I don't know how to identify the cause of the block for the IP.

Any ideas?

This...

Hi Team,

We have installed an email application (Sendy) to our virtual server.
*Added the dns names for the region for amazon
*Added user/cmd ignore list

However it is still getting banned by CT_LIMIT. We have increased this to 1000 to prevent the issue however I was wondering if there is a way we can exclude this process/user from the CT_LIMIT.

Thank you

Hello,

In file csf.blocklists, one can enable various external IP blacklists to be included in CSF.

I want to ask how many IPs is too much to be blocked?

I have around 3GB RAM free. One spare CPU core, not sure how to count how many IPs i can afford to block.

openbl.org list has around 2300 IPs

Here someone have a time to move some deny ips into an external blacklist file, not sure what is...

Hello,

I receive a lot of messages regarding sonarpush using excessive resources:

lfd on host.xxxxx.org: Excessive resource usage: systuser (1220 (Parent PID:1220))
Time: Tue Nov 3 15:47:08 2015 +0100
Account: systuser
Resource: Process Time
Exceeded: 228641 > 1800 (seconds)
Executable: /usr/local/lp/apps/sonarpush/sonarpush
Command Line: SonarPush 0.5.236
PID: 1220 (Parent PID:1220)
Killed:...

Hello

I have block access for some countries by CSF .
now a group of visitors from the same ISP can't access to my website but their country should blocked also this IPs not include in /etc/csf/csf.deny file .

1- How can i exactly check if CC DENY caused to blocked IPs or other reasons caused it ?

2- Does csf get latest IP list from geoip automatically or i should update geoip list manually ?...

On an 11.50 server my backups are being killed by LFD and I can't figure out why

# csf -v
csf: v8.08 (cPanel)
# grep pkg /etc/csf/csf.pignore
cmd:pkgacct*
exe:/usr/local/cpanel/bin/pkgacct
exe:/usr/local/cpanel/scripts/pkgacct
#

This is the notification:

On Fri, Nov 14, 2015 at 6:55 AM, wrote:
Time: Fri Nov 13 07:55:55 2015 -0500
Account: $USER
Resource: Process Time
Exceeded: 1853 > 1800...

Guys.

Could someone help me with a custom regex to block failed cpanel logins.

I see quite a number of these daily.
Dropping connection from xx.xxx.xx.xx because of tcp_wrappers at cpsrvd.pl line 4191

If there are only one or two entries, then i don't worry too much, but occasionally, i'll get some hacker/robot etc, that will have 30 or more attempts, and quite often coming back for another go...

CentOS 7 rc1 is out today and was testing it with CSF

seems it cannot find ifconfig

after install:

*** USE_CONNTRACK Enabled
open3: exec of /sbin/ifconfig failed at ./auto.generic.pl line 153.

csf -r
Error: /sbin/ifconfig (ifconfig binary location) -v does not exist!, at line 2221

./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing...

I'm trying to get LF_MODSEC to block IPs that trigger mod_security rules, but so far it's not working as I expect. Here are my settings:

MODSEC_LOG = /var/log/httpd/error_log
All vhosts are set to put errors in this log

LF_TRIGGER = 0
LF_TRIGGER_PERM = 0
LF_MODSEC = 5
LF_MODSEC_PERM = 86400

Here are some example rule triggers from /var/log/httpd/error_log. Each of these examples is repeated...

Server Details;
OS: Ubuntu 12.04 LTS
Virtualmin/Webmin

I have a joomla site getting brute force attacks. Joomla brute force attack extensions can limit the login attempts, but the server is still loaded with calls to the blocked login. I'd rather block the IP via CSF.

I have an extension using the following code;
error_log(sprintf($this->params->get('message'), $response ));
It writes to the...

Hello,

I discover the csf autoupdate function (AUTO_UPDATES = 1 in csf.conf). But I have few questions :

1) The update is triggered daily with /etc/cron.d/csf_update.
I only receive update report mail when there is an update, this is good. But how does this works?
The cron daemon only sends update mail when there is a real update? It could not know this, so
what is the trick?

2) Is there a...

Hi Members,

Can someone help me to track down and block following behavior with custom regex?:

=================================
2015-10-25 12:47:50 H=(115-87-13-177.skybandalarga.com.br) :21944 F= rejected RCPT : Sender verify failed
2015-10-25 12:47:51 H=(dynamic.vdc.vn) :59451 sender verify fail for :
2015-10-25 12:47:51 H=(dynamic.vdc.vn) :59451 F= rejected RCPT : Sender verify failed...

Hi

Our server is running WHM 11.52 and the latest CSF. As per I've enabled reseller privileges in the firewall config AND manually in /var/cpanel/resellers, but now when accessing CSF via the reseller WHM I get the error:

HTTP error 401

cgi/configserver/csf.cgi

You do not have permission to access this page.

AppConfig for “csf,” requires that you must have one of the following acls:...

Since the latest update we see on at least 1 server till now an strange issue with a temporary block due to a port scan.

We excluded 1 IP to access port 3306 in the csf.allow file ; but this morning suddenly the IP was blocked in the firewall due to a temporary port scan; i have checked the logs and this showed the IP only tried to access port 3306 ; no other ports.

Only difference is that...

Complete VPS down

After installing Config Server Firewall, all settings are properly checked before I Config Server Firewall puts online.

Config Server Firewall worked well, and blocked several IP addresses. However, several IP addresses, he did not block, I have also used the following setting as listed below.

After adding the following countries and IN BR went the entire VPS Server Down....

Hello,

I have just installed CSF on my server and i see it blocks all outcomming connections by default. I see my some website does not work such as whois website, send email (using external smtp server), ...
How to fix it ?

Hi I have hostgator VPS account and some keeps getting access to my server. They generated thousands of files in various newly created folders. I change my cpanel password and scan my pc for keyloggers. However, they still have access to my server. I need your help to rectify this problem. I pay alot for my vps server and google is not liking my sites due to generated content

Will csf fix cpanel...

I have tried looking though the forum only to read that the regex has been updated but the authentication failures are not being blocked after multiple tries. I have it set to block ftp after 3 attempts but it never blocks any users like the sshd login attempts do. Can anyone give me any advice to what I may have over looked or how to add a custom regex to catch the people trying to hack my...

Hi All,

I have a Cpanel/WHM server running CSF & LFD and we are getting pounded with spam coming in to our hosted email accounts, about every 5 mintues, 24/7. These are coming from outside of our server TO email addresses on our server.

I set the RT_RELAY_LIMIT to 2 messages and Permanent Block but the senders keep changing the source relay IP, below is a sample.

I can't figure out how to...