ConfigServer Community Forum

Does csf monitor postfix logs for SMTP port attackers, to be blocked ?

I need for postfix on my servers. See alot of repeated attackers, making for much of the traffic in a day

I have paid for server hardening (service was pretty fast. Hopefully the server stays ups).

The sys-admin recommended using LF_SPI = 0 because the iptables were kind of broken.

Can anyone help to explain the differences as to what additional protection you get for Dynamic firewalls instead of static ones?

From what I can tell, it's still rejecting users on failed logins, which is a lot more...

After install I got this problem. I reinstalled Debian and DA and still get this problem:

ConfigServer Security & Firewall - csf v8.05

Restarting csf...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain...

Hi Guys,

We have a few VNs running on Citrix and I wan to use the console but when I do I get TCP_IN blocked. Reading up, I know the destination port and want to customize the above variable.

At the moment it is : PS_PORTS = 0:65535,ICMP

I want to exclude from scanning port 5900 through to 5999 inclusive on TCP.

Reading the conf, I think I would set :

PS_PORTS = 0:5899,6000:65535,ICMP,OPEN...

Hello,

I was just wondering how I can pass the actual contents of the LF_SCRIPT_ALERT to the bash script for LF_SCRIPT_ACTION, example my LF_SCRIPT_ACTION is set to

/etc/csf/csf.lf_script_perm_action

which contains

#!/bin/bash

# email subject
SUBJECT= $HOSTNAME - Possible Spam Script

# Email To
EMAIL= email

# Email text/message
# EMAILMESSAGE= /tmp/emailmessage.txt
EMAILMESSAGE= TEST...

I just can not get the custom regex rules to work for me. I look in the CSF ip deny section and no IP's are ever blocked due to the rules below. Any help is appreciated. I missed something, just don't know what.

OS: CENTOS 5.11 x86_64 xenhvm
WHM 11.48.4 (build 4)
CSF: v7.69

I have used the custom regex rules posted by Sergio in this thread:

I copied and pasted them into...

I'm intermediate with sytem-admin and have a new dedicated server with host gator. (Not a VPS)

I have a default installation of CSF, but many users are complaining that their website is down.

I am able to view the websites on my own computer (i'm probably white-listed), and using some 3rd party website-viewing services.

When i get the IP address from my clients, they are NOT in /csf/csf.deny...

Grepping is not helping me here, maybe I am searching badly.

I assume the hard coded internal list was chosen for a reason instead of the blocklist method where they are externalized by default?

I mad some changes to csf.blocklists and every few days it gets reverted back to its default. Where do I need to change either default or to stop it from being reverted.

I am getting these every minute:

Subject:

lfd on webserver.XXX.co.uk: Excessive resource usage: xxx (4879 (Parent PID:4857))

Time: Thu Sep 10 14:52:45 2015 +0100
Account: XXX
Resource: Virtual Memory Size
Exceeded: 690 > 200 (MB)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/XXX/public_html/index.php
PID: 4879 (Parent PID:4857)
Killed: No

I've done all of the methods listed here...

I have a handful of clients that keep getting blocked by the firewall on my server ( ConfigServer Security & Firewall - csf v7.68 ):

May 7 13:58:08 secure lfd : *Port Scan* detected from xxx.xxx.xxx.xxx (US/United States/...). 11 hits in the last 130 seconds - *Blocked in csf* for 3600 secs

The one thing that they all have in common is ` OS X Yosemite ` - as soon as they upgraded their OS,...

I ran an EasyApache re-compile of Apache and a CentOS Yum update and since I can't seem to get lfd to start...
I reinstalled CFS from scratch following the guidelines, but after lfd starts it stops straight away... I can see the following in the error logs...

root@host # tail -f /var/log/lfd.log
Aug 30 20:56:37 host lfd : Email Relay Tracking...
Aug 30 20:56:37 host lfd : System Statistics......

The ARF abuse emails are no longer including the Abusix abuse contact information as of yesterday in v8.04. This is occurring on all servers. Did something change? Command-line queries do work: host -t TXT 238.16.169.83.abuse-contacts.abusix.org

Thanks.

iptables: Setting chains to policy ACCEPT: mangle nat filte
iptables: Flushing firewall rules:
iptables: Unloading modules:
root@host # csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
open3: exec of /sbin/ifconfig failed at /usr/sbin/csf line 2783.

Getting this: open3: exec of...

Good day, been quite some time since I have had to post and so long, I know my username, but every email I tried, did not work...and no way to retrieve it.

This is just one thing I have problem-issue-question about?

1) new VPS WHM latest and CentOS 6x64 and I have created a single new account.

2) I had been getting hack attempts shown in WHM in other WHM reports, even though I added the...

I've read previously here where numiptent limits have been blamed for FASTSTART failures when blocklists are downloaded/added

*Error* FASTSTART: (Blocklist IPv4)

except my openvz contain has no limit on numiptent - what else can I check ?

numiptent 18036 18036 9223372036854775807 (third number is barrier/limit)

CT | HELD Bar% Lim%| MAXH Bar% Lim%| BAR | LIM | FAIL...

Hi,

I use a wordpress website with the plugin Visitor Maps. The plugin points out the visitors IPs and which webpage they accessed. It is also listing exploit scanners that are looking for certain files inside the website directories, for instance:

/wp-content/themes/(theme-name)/(subfoldername)/css/loading.gif
/wp-content/plugins/newsletters-lite/css/jquery-countdown.css

There is no...

I've been messing around with so many configs the past 24hours without success, i'm being attacked by SYN flood and the attacker still does damage, legitimate traffic doesn't get through.
The problem is only with initializing new connections, if someone succesfully connects to my server he doesn't suffer from any delays or so.
Here is my csf.conf:
-- deleted link --

Here are the few last lines...

Hello, I am running ubuntu server 14.04 LTS and have checked that:

ipset is supported in the kernel: Yes.

that the correct path is enbled to ipset: yes

I have enabled it in csf.conf with country lists such as, for testing: uk, ru, hk

However, when restart with csf -e and view the ensuing output, I see:

Try `iptables -h' or 'iptables --help' for more information.
csf: IPSET creating set cc_...

First off, Chirpy, I want to thank you for your products. I've been using them for years, including your server hardening services. I love you!

A clients PHP script is trying to access maps.googleapis.com, which currently resolves to
216.58.218.170 (of course this resolves to other IPs based on DNS round robin)

The IP is blocked due to too many temp blocks.

IP: 216.58.218.170 (US/United...