ConfigServer Community Forum

I have CSF configured to block SMTP Auth attacks, syntax errors, and POP3/IMAP access attempts. However, none of those appear to be being blocked at present and only SSH attacks appear to be blocked. I've double checked my configuration and it appears to be correct, but it's like CSF is ignoring it. I installed the software with CPanel but that shouldn't be the reason for that I wouldn't think....

Hello to all,
For the last few weeks, when I try to install a WordPress from a cPanel account, I receive this error:
WordPress was installed with errors:
Downloading and unpacking
Impossible to download pack 6.7.1 from

If I stop or restart CSF, it work for a few minutes, but then block again.

In TCP_IN and TCP_OUT, ports 80 and 443 are listed.

What can possibly do this?

Thank you.

Hello ,

This is my first time here , i had joined today to discuss about many email alerts i am receiving since a week or so .

There is 3 types of emails :

1- It is titled by : lfd on *server name* : Suspicious File Alert‏
and contains :

File: /tmp/systemd-private-be537481d81d48b4b230533e9c529e32-ea-php81-php-fpm.service-teQo08/tmp/python3.61
Reason: Linux Binary
Owner: *website-username*...

hi,
i've a cpanel server with regex.custom.pm, but getting ignored and no block

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).* HTTP\/.* 403/)) {
return ( 403 bruteforce ,$1, block , 2 , 80,443 , 604800 );
}

CUSTOM1_LOG is
CUSTOM1_LOG = /var/log/apache2/domlogs/*/*
Access log with 403

1.1.1.1 - - HEAD /?play=ulti700?page=1&mqwsaWOeAy&cLLFTOZk59 HTTP/2 403 0 - Mozilla/4.0...

Hi, bit new to using ConfigServer and wondered how I can change the sensitivity of the IMAP filters to allow for more failed IMAP login attempts or change the time period.

We are getting quite a few genuine logs attempts but they are failing after 10 attempts.

Is there some setting that after a certain time period can automatically Unblock the failed IP address trying to login to IMAP.
So the...

Hi All,

Been scratching my head with this one, hopefully someone can shed some light.

We have a Centos 7 (cPanel) bare metal Dedicated server running CSF without issue.

A restore of this box was done to an alternative server from an Acronis backup. IP changed etc.

Now on the new server there is issues with port 80 and 443 being blocked and eventually figured out that disabling LF_SPI allows...

hello I receive always ldf email alerts tons of.... 500 alerts and mor at day
i've tried many solutions PT_user =0 , disabling email alerts on csf.conf
put some process in csf.pignore
tried all solutions founded on the web but nothing works
always tons of email with alerts from lfd
i have plesk and linux so not a gui not cpanel but all commands via ssh
I cannot filter email to not send via plesk...

Hello,

We have installed CSF on several of our servers, but one of our Plesk servers keeps spamming lfd Suspicious process running under user.

I have disabled all email_alert but we getting hundreds of emails per hour.

Version: csf: v14.22 (generic)
OS: VERSION= 20.04.6 LTS (Focal Fossa)

config:

LF_EMAIL_ALERT = 0
LF_TEMP_EMAIL_ALERT = 0
LF_SSH_EMAIL_ALERT = 0
LF_SU_EMAIL_ALERT = 0...

csf install on Webmin OS

| SYSTEM INFORMATION||
|------------------------------|-------------------------------|
|OS type and version|AlmaLinux 9.5|
|---|---|
|Webmin version|2.202|

I will likely post this also at the Webmin forums, but just in case it's relevant here, I saw a number of errors and if CSF supply the Webmin install template, a small layout issue after following the...

Hi,

Does anyone know how is fully disable LFD email alert from CSF ?

we already use any documentation from the cPanel, community, but still wont work, alert email still delivered and many got frozen :

-

-

here is want example of email header :

Return-path:
Received: from root by XXXXXX with local (Exim 4.98)
(envelope-from )
id 1tAjEL-00000009Pya-1n98
for root@XXXXXXX;
Tue, 12 Nov 2024...

Hi,

I have been trying to configure CSF and Docker under a Plesk server. There are many posts in forums reporting that when Docker creates a NAT redirect to certain port, that port is exposed to the entire world.

I tried to use this csfpost tool but apparently It hasn´t worked.

In some way, installing netfilters tool for saving iptables rules I have managed to store a set of iptables rules...

In searching here I was unable to see whether CSF is compatible with nftables. I only found info on iptables-nft.

My application is cPanel servers running Almalinux, on which firewalld is installed and running on nftables. My question is simply will CSF drop in to that system and run fine? (I would assume yes, that nftables is fully supported, and that no tweaks are needed. But I didn't find the...

Can someone provide a regex that handles this line in /var/log/secure? I tried a couple of things, and don't seem to get it, even trying to copy and adapt one that's already there. Here's the line:

Nov 11 13:00:01 boston systemd : pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)

I'm getting these in LFD Log Scanner reports

WHM 118.0.25
Almalinux 8.10.0 kvm
CSF 14.22, mailscanner 5.4.4 w/ MSFE 9.26

I have blocked the IP address 128.245.64.22 in CSF:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 128.245.64.22 in iptables
IPSET: Set:chain_DENY Match: 128.245.64.22 Setting: File:/etc/csf/csf.deny
Permanent Blocks (csf.deny): 128.245.0.0/16 # do not delete

And yet spammers...

Hi,
LF_APACHE_404 not working on cPanel with litespeed.
HTACCESS_LOG is setup with /var/log/apache2/error_log but not working
I've inserted custom regex but no work.

Can you help me to build custom 404 regex on cPanel litespeed?

I have an issue because every day I receive from lfd information about overload my server and logs shows me many connections from Microsoft adress IP. Manual block IP isn’t good because every day is another IP. In Csf I have set two parameters: CONNLIMIT 80;50,443;50 i PORTFLOOD 80;tcp;100;60,443;tcp;100;6 but it doesn’t work. Could you give me any suggest how to resolve this an issue?

I apologize if this is in the wrong area.

On ModSecurity I switched the ruleset from Comodo to OWASP, and now LFD isn't sending the Mod Security notifications to email.

LFD is sending out emails for other notifications.
Have restarted CSF & LFD, and ran csf -ra

Any suggestions are welcome on what to look at.

Thanks

Hi,

I've recently setup the emails for csf/lfd and I started getting tons of emails coming through, but most of them appear to be false positives.

I've added the following rules to csf.pignore but they don't appear to be working as the emails for the very same reasons are still coming through even after restarting both CSF and even the entire server....

Hi,

I hope you can help.

We are running new cPanel install on AlmaLinux via Lightsail Instance.

Configuration:
Access to WHM and cPanel is limited to single static IP
SSH port remains as 22
SSH root login disabled
The following services are enabled and working:
MySQL is bound to 127.0.0.1
2-factor authentication for WHM
Security Advisor: all in ‘green’
ImunifyAV: No malware found in scans...

Hello,

Due to some requirements, I can't use PT_USERKILL to kill process over PT_USERTIME / PT_USERMEM, I need to use custom script in PT_USER_ACTION to perform advanced checks.

However, I've seen that since I switched PT_USERKILL to 0, I keep receiving Excessive resource usage emails, no matter if PT_USERKILL_ALERT is set to 0 or 1.

How can I disable the Excessive resource usage email without...