ConfigServer Community Forum

I'm using a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.

I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.

If the server has a high load level, I get a nice little email that contains a snapshot of the running processes, vmstat and a dump of the server-status page.

The problem here is that our server-status page is behind a http password protection so all I ever see in the report is:

Unable to retrieve Apache Server Status - Unable to download: 401 - Authorization Required

Is there any way that I...

Hi Jonathan and Sarah,
I have installed CloudLinux, as you suggest in CSF, in my servers and it is a really nice OS.

I have installed CageFS and wondering if CONNLIMIT is still needed due that CloudLinux does the same.

Regards,

Sergio

Hi,

i alreandy tryed everyting as in the doc. to ignore this process but I still become around 100 email notifications with this. Could you helpe me how I can ignore this on the csf.pignore, Process Tracking? And could this process be a virus? I opned the file session_mm_cgi-fcgi501.sem and is empty :s. Thanks in advance for any help

Here the notification:

Time: Tue May 20 23:25:11 2014...

Hello,

I really love the solution you are providing, but there is one function that we are missing.
Is it possible to make a ip block on the SSH service (port).

What I mean is to make a config file with some IP adresses, when somebody connects to SSH it will check the config file or the IP is allowed to connect to SSH.

Thanks!
Kind regards,

Sander

Can anyone explain exactly what situations cause this message? Has the CRON process been killed or not? What should I do in response to this message? I am not familiar with Linux.

Remote server: Centos with CPanel and WHM
Local email client: Thunderbird on Windows 8

I deleted many small parts of the message because your forum software complains that there are URLs in it when there are no URLs...

Hi all,

At my server If an user try to 10 times wrong password, my server banning the user's ip address. After that i should remove the ban by manually. Otherwise they cannot use their email address.

But if I want to set a bantime on my server, is that possible or not or how can i do it ?

Here is an exerpt from my lfd.log:

May 28 11:28:32 moodle2 lfd : daemon started on moodle2 - csf v7.03 (generic)
May 28 11:28:32 moodle2 lfd : CSF Tracking...
May 28 11:28:32 moodle2 lfd : IPv6 Enabled...
May 28 11:28:32 moodle2 lfd : LOAD Tracking...
May 28 11:28:32 moodle2 lfd : csf Integrated UI running up on port 6666...
May 28 11:28:32 moodle2 lfd : Country Code Filters...
May 28 11:28:32...

How can this happen? Thank you.

Time: Mon May 26 03:14:04 2014 +0300
IP: distributed ftpd attack on account
Failures: 5
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

May 26 03:12:43 host pure-ftpd: (?@66.249.64.165) Authentication failed for user
May 26 03:12:25 host pure-ftpd: (?@66.249.64.134) Authentication failed for user
May 26 03:14:00 host pure-ftpd: (?@66.249.64.216)...

Hi, today i get this csf.error Error: FASTTART: (CC_DENY IPv4) [] . Try restarting csf with FASTSTART disabled, at line 3767 in /usr/sbin/csf after this command line csf -r command (used via webmin).
LFD.log entrys May 17 13:49:54 lfd : csf (re)start requested - running *csf startup*...
May 17 13:50:09 lfd : csf (re)start completed
May 17 13:50:14 lfd : *Error* You have an unresolved error when...

Hello Guys,

I would like to know if it's possible: we want to receive alerts if someone reached RT_AUTHRELAY_LIMIT limit (for example, 100) and blocks an IP (and alert) if someone reached second RT_AUTHRELAY_LIMIT limit (for example, 200).

If this possible to do?

Thanks.

As I'm still pondering (in another thread) why csf won't block an IP at all and actually miscategorizes it as IPV6, here's another email sent that appears to have issues identifying the IPs in question:

Banned the following ip addresses on Tue May 20 13:09:01 EDT 2014

2400 with 266 connections

That number 2400 is supposed to be an IP, correct?

My /var/lib/csf/csf.logtemp is quite large on both servers where I have csf installed. By quite large I mean about 500 MBs. Is that normal? Can it be cleared? If so, what is the best way to clear it if something other than deleting it and restarting csf?

I did trying restarting csf and lfd but it didn't clear the log.

FYI, the log contains entries that are months old at the beginning.

Thanks

Hi CSF community...

This will be my second question in here. I hope that I am asking to right place.

What is the best settings to prevent DDOS attacks?

Maybe the answer is simple for you, but I am a newbie, am trying to learn VPS and CSF. I've just rented a VPS this week as first time.

Hi CSF community...

This will be my first question in here. I hope that I am asking to right place.

I have been getting error emails like this:

Time: Sun May 18 07:45:11 2014 +0000
IP: 115.238.236.85 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

May 18 07:45:01 ** sshd : Failed password for root from 115.238.236.85 port 53445 ssh2
May 18...

I know that blocking countries in iptables is bad news - particularly if they run into 1,000 and more.

What is not clear to me is the consequence of having an absolutely huge /etc/exim.smtpauth file based on the new feature you recently provided.

For Example allowing all countries except for a few dozen would be pretty much most of the IP range. Would this kill EXIM?

The CPAN Net::CIDR package...

Hello, I am frustrated, hence the choice of a username. :(

Getting port-flooded daily, at times that I am supposed to be catching some ZZZ's.

Once the portflooding begins, this IP appears in the email notifications, of which there are plenty:

tcp6: 19.245.64.24:50654 -> :80

The port number ie 50654 in this example, varies with every entry.

I've blocked 19.245.64.24 manually and it's in...

Hi,

I cannot seem to figure out how to get CSF to ignore my WHMCS cron:

Time: Wed May 14 09:00:37 2014 +0200
Account: ***
Resource: Virtual Memory Size
Exceeded: 342 > 300 (MB)
Executable: /home/virtfs/register/usr/bin/php
Command Line: php -q /home/****/public_html/admin/cron.php
PID: 29408 (Parent PID:29407)
Killed: No

Please assist in how I can get CSF to ignore this cron

Hello,

I would suggest options to filter access to ports for dyndns. That would be great if csf.dyndns support same syntax as same as csf.allow, for example:

tcp|in|d=888|s=remotehost.dyndns

Or if you can support DYNDNS_PORTS which allow ports dyndns hosts can access in additional to TCP_IN/TCP_OUT

Let me know if you have any questions.

Thanks.

Hi,

Weird bug to report. This is from a csf download around 4 days ago. Fresh install of Ubuntu 12.04LTS. Virtualmin/Webmin control panel. The reported csf version upon csf installation is 6.48. Upgrader reports 7.03 is available.

When clicking upgrade, it runs through the upgrade sequence (sucessfully downloads replacemebt package apparently) and reports success. however, when returning to the...