The old csf.blocklist file contains the wrong URL for the Emerging Threats - Russian Business Networks List (and the new one doesn't contain that).
The new URL is:
I am trying to disable email alerts for any blocks that occur. I have disabled as many LF_*_ALERT or similar settings as I can find, including LF_EMAIL_ALERT = 0. I only want to leave open SSH Logins alerts.
BUT I am still getting emails like the following, and I cannot see any config setting to disable these, can someone help?
Time: Sat Jul 19 05:57:39 2014 +0100
IP: 1.0.201.185...
I modified the email template usertracking.txt to include load averages. A simple cut and paste from the appropriate section of loadalert.txt. The variables aren't replaced?
I get as an email:
lfd on {snip}: Excessive processes running under user {snip}
From: root@{snip}
To: root@{snip}
Time: Tue Mar 11 10:41:29 2014 -0500
Account: {snip}
Process Count: 32 (Not...
Our new CloudLinux 7.1 VPS has an extra warning when running Check Server Security...
Check for dhclient: dhclient appears to be running which suggests that the server is obtaining an IP address via DHCP. This can pose a security risk. You should configure static IP addresses for all ethernet controllers
Here is our /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE= Ethernet # same as previous...
I use ipset on my CSF. (When LF_IPSET = 0, iptables works perfectly!)
I've been trying a simple disaster scenario. According to my scenario, I should block all countries except one to reduce the effects of a DDoS attack.
After I set the CC_DENY and CC_ALLOW parameters as an example, I checked whether it works or not. Unfortunately it didn't work.
I have used CSF on quite a few VPS machines. However, I am seeing this error in the lfd.log every few minutes:
*Lock Error* still active - section skipped
The error occurs for LF_DIRWATCH as well.
I have tried to increase the intervals, but the error still occurs (I did do a restart). Oddly, I use almost the same configuration on every server and I have not seen this error before. Any...
When SMTP_BLOCK = 0, but SMTP_ALLOWLOCAL = 1, attempts to connect to a port on the SMTP_PORTS list by a user not in SMTP_ALLOWUSER are actually redirected to the loopback device.
I'd suggest that either SMTP_ALLOWLOCAL = 1 be ignored when SMTP_BLOCK = 0, or that the description of SMTP_ALLOWLOCAL be clarified. The description presently reads enable this option to allow outgoing SMTP connections to...
Can someone explain to me what it means and what I should do?
This IP from RU did this several times on the server on a website with a WP install.
I am relatively new to CSF and server administration.
Any help will be much appreciated!
thx
JC
Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.
These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.
The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).
I have a question about the operation of the system CSF firewall vs. cPanel's IP Deny Manager.
Say we host 30 domains, and say that two of the domains we host are getting hammered by a single IP - 221.231.103.199
That IP is part of a /24 originating in China.
Now the owners of the domains can go into cPanel IP Deny Manager and add 221.231.103.0/24 in order to block all IP addresses in the /24...
We have CSF and cPanel and have been using it with good results for years now.
We have a new issue our datacenter is giving us a hard time about (and we understand it). We have a CMS installation that is attempting to exploit remote WordPress installs by brute forcing. The offended servers are complaining to our datacenter (understandably so) and of course our datacenter wants this to...
I have configured the following setting in CSF/LFD:
# Enable login failure detection of DirectAdmin connections
# This option also detects login failures on DA for Roundcube, SquirrelMail and
# phpMyAdmin if installed and logging enabled via CustomBuild v2+
#
# If you do not want to scan for one or more of DIRECTADMIN_LOG_*, simply set
# the respective option to
LF_DIRECTADMIN = 5...
Just a quick note here; I noticed that while LFD was blocking some pure-ftpd bruteforce attempts, there were still times when my server was getting hammered repeatedly. Pure-ftpd logs in /var/log/messages, and the bruteforce attempts that were not being blocked looked like:
Apr 13 23:41:32 brightstar pure-ftpd: (?@84-241-32-107.shatel.ir) New connection from 84-241-32-107.shatel.ir