ConfigServer Community Forum

Hi,

I'm starting make a rule to csf block ips of fail on asterisk SIP user login.

This is line of log:

NOTICE chan_sip.c: Registration from ' 8260 ' failed for '2.2.2.2:5075' - No matching peer found

111.111.111.111 is asterisk server ip
2.2.2.2 is a source of attack ip

log file: /var/log/asterisk/full

I create this regex, but on my testes not work?

if (($lgfile eq $config{CUSTOM3_LOG})...

I had a maxed out csf.deny

if I then do

csf -d 1.2.3.4/24

it will happily remove do not delete lines

there were clearly other lines available to delete in the csf.deny

mostly auto NETBLOCK and PERMBLOCK, but they were left untouched

Hello.
I am being hammered from anonymous TOR ips.
I have enabled the TOR blocklist and it's working.
I can read at lfd.log Retrieved and blocking blocklist TOR IP address ranges
But I am still being hammered with SQLInyections from that IPs.
When I inspect the iptables rules, I see that the TOR chain is incomplete, with 1961 entries. While at the torproject website the list is of arround 2200...

Hi There,

First of all i would to say thanks to CSF and it's entire team for making an outstanding firewall utility and that too for free!

I would like you to make Reset default settings for CSF & it's other tool, if anything goes wrong after making changes to csf firewall settings we can simply use Reset Default Settings

It would be good if you can implement this feature ASAP.

Vote Guys, if...

hello all -

Sergio was kind enough to introduce me to regex.custom.pm. i need to block access to the wordpress file wp-login.php .

here is what i am proposing to do:

1) file /etc/httpd/conf/httpd.conf

change:
CUSTOM2_LOG = /var/log/messages
to:
CUSTOM2_LOG = /var/log/virtualmin/marksdomain.com_access_log

2) file /usr/local/csf/bin/regex.custom.pm

add:

if (($lgfile eq...

Hello,

The URL in csf.blocklists is invalid:

#RBN|86400|0|
I went through the EmergingThreats website and found these links which may be of interest:

Detail: - lists a number of links to text files which contain ips.
- last update seems to be February 2012 so not sure how accurate this list would be over two years on. There's no date in the list itself so I don't know if the list is...

Hi

I am using Filezilla to upload files to my server, I start to upload them and it works fine, then I get blocked by the firewall meaning I can't access anything until the block times out.

Can you tell me how I adjust these settings so that it does not keep blocking me please?

Thanks
M

Good Day,

This is my first time using CSF as my firewall for my VPS, I have it working now because certain ports were closed when i enable CSF, but i would like to know as to what logfile should i look if i wanted to see CSF blocked ips or what log file should i tail to see it working? I have it installed on a debian system. Thanks!

hello all -

when i issue a command such as:
csf --deny 111.222.333.444 ;

do i also need to issue the command:
csf --restart ;

to make this IP number actually blocked?

i notice even though there is an IP ## in the csf.deny file, that IP can still reach our server.

hello all -

i have a crontab script that runs every two minutes scanning logfiles for brute-force wordpress login attempts. if i find more than 40 in a one minute period, my script issues the following command something like:

csf --deny 111.222.333.444 ;

this seems to do the same thing as the Quick Deny button.

is there a command line equivalent of the Quick Ignore button? i am thinking this...

My vps keeps down for the past 3 consecutive days and I had to reboot to bring the server back. After talking to my vps provider, they told me that there's nothing wrong on their end. So I did a little investigation on my end.

I have looked at my /var/log/messages, and found out that

Mar 30 05:00:09 servername lfd : SYSLOG check
...
Mar 31 05:00:08 servername lfd : SYSLOG check
after logging...

I have a very strange problem with CSF running on a VPS with cPanel.

This started to happen at a random moment.
When trying to access any site hosted on that VPS, the title of the page loads and so do some of the first bytes. Sometimes the header of the webpage is shown, sometimes not. The browser shows as the page is loading, but nothing more happens.

I checked the logs, but haven't seen...

I want to block any offender that generates that kind of message in syslog:

Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.
(SOMESITEURL = what is says, because this forum is absolutely paranoid, not allowing an URL to appear in posts)

I put this...

I'd like the option to ban a whole /24 or larger when a custom trigger or other event happens.

Bonus if there are individual settings for temp ban vs perm ban

(ie. a temp ban, just the single ip, temp moving to perm ban = whole /24, or maybe other way around)

I could have sworn csf/lfd already had something like this but maybe I am mistaken.

Am I correct in that there is no extra burden on...

The warning is less effective . Not sure what that means specifically?

Is the concern a server could be tricked into contacting an outbound ip?

I think that risk is fairly low if not completely unlikely in most cases?

The idea is if you are using nearly 1000 rules, converting to inbound only could reduce the memory/cpu resource use?

LF_BLOCKINONLY
By default csf will create both an inbound...

My server was hit with brute force pop3 logins from one IP continually for about 17 hours until I blocked it. The server maillog registered 41,161 entries for the IP for these hours.

I don't know why this was not blocked automatically by the server but this is the settings for blocking brute force pop3:

LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_POP3D = 10
LF_POP3D_PERM = 1
POP3D_LOG...

I have noticed a brute force attack on my server

2014-03-27 01:34:02 courier_login authenticator failed for URLremoved (DATASERV-PC) :45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside and{...} condition
2014-03-27 01:34:14 courier_login authenticator failed for URLremoved (DATASERV-PC) :22865: 435 Unable to authenticate at present (set_id=admin): socket...

Hi,

I recently installed CSF on my VPS and found out that the IP deny doesn't work.

I wanted to try and see if the IP deny works, so I blocked one my of the IP addresses. When I tried accessing the site from the the blocked IP address, I can still access the site.

Any ideas why?

I installed at 22:04 and by 22:57 I have 11 (now 13 by 23:02) restarts - and this is my second server, the first one is also constantly doing this. I thought it was an issue on the old (ancient) server, but this one is new today.

Then I thought it was a warning of brute force attacks, but I don't think it is, the program itself seems to be constantly crashing and restarting. 11 times in 53...