I have a crontab script that runs every two minutes scanning logfiles for brute-force WordPress login attempts. If I find more than 40 in a one-minute period, my script issues the following command, something like:
csf --deny 111.222.333.444 ;
This seems to do the same thing as the Quick Deny button.
Is there a command line equivalent of the Quick Ignore button? I am thinking this...
My VPS has kept going down for the past 3 consecutive days and I had to reboot to bring the server back. After talking to my VPS provider, they told me that there's nothing wrong on their end. So I did a little investigation on my end.
I have looked at my /var/log/messages, and found out that
Mar 30 05:00:09 servername lfd : SYSLOG check
...
Mar 31 05:00:08 servername lfd : SYSLOG check
after logging...
I have a very strange problem with CSF running on a VPS with cPanel.
This started to happen at a random moment.
When trying to access any site hosted on that VPS, the title of the page loads and so do some of the first bytes. Sometimes the header of the webpage is shown, sometimes not. The browser shows as the page is loading, but nothing more happens.
I want to block any offender that generates that kind of message in syslog:
Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.
(SOMESITEURL = what it says, because this forum is absolutely paranoid, not allowing a URL to appear in posts)
My server was hit with brute force pop3 logins from one IP continually for about 17 hours until I blocked it. The server maillog registered 41,161 entries for the IP for these hours.
I don't know why this was not blocked automatically by the server, but these are the settings for blocking brute force pop3:
I recently installed CSF on my VPS and found out that the IP deny doesn't work.
I wanted to try and see if the IP deny works, so I blocked one of my IP addresses. When I tried accessing the site from the blocked IP address, I could still access the site.
I installed at 22:04 and by 22:57 I have 11 (now 13 by 23:02) restarts - and this is my second server, the first one is also constantly doing this. I thought it was an issue on the old (ancient) server, but this one is new today.
Then I thought it was a warning of brute force attacks, but I don't think it is, the program itself seems to be constantly crashing and restarting. 11 times in 53...
For some odd reason CSF is blocking SoftEther VPN from working.
Essentially I keep csf enabled but flush all the firewall rules. I then connect via VPN (L2TP) and connect successfully (IP is assigned), however the internet will not work. If I disable CSF the VPN works fine with internet passing through and everything. Again: When I have CSF enabled I am allowing all ports in and out (for testing...
I have only been using csf for a week or so now and I keep getting emails every couple hours saying
Server:
Primary IP:
Service: lfd
Notification Type: failed
Notification: lfd failed @ Sat Mar 29 18:07:43 2014. A restart was attempted automagically.
Service Check Method:
Number of Restart Attempts: 1
Syslog Messages:
Mar 29 14:05:01 alpha lfd : SYSLOG check
Mar 29 14:00:00 alpha...
On a VPS with CentOS 6 64 we have installed the firewall. When a client wants to import something, for example, on WordPress, or upload something to a website, or even install a script, he gets timeouts and errors. When the firewall is disabled, everything works perfectly! Any advice?
I am trying to find a way to control the sending of distributed attack email notifications only. I can't seem to find a way to do this. The reason is there are so many of these notifications, upwards of a thousand a day, for smtp and ftp.
Is there a way to manage specific lfd email notifications?