ConfigServer Community Forum

Sorry, thanks to SPaReK -- the problem was not restarting LFD. I did not realize you had to restart lfd before restarting csf for the cc_deny to load a new country deny list.

I see this was posted a year ago. Did you find a solution to this?

Under CC_Deny I have IN,IR,IQ to block india, iran, and iraq.

When I do csf -r
I get
...
csf: FASTSTART loading CC_DENY [in] (IPv4)
csf: FASTSTART loading CC_DENY [iq] (IPv4)
...

It skips and doesn't list IR

Is IR not the correct country code for Iran for CSF? I'm using maxmind for the CC_Deny

Does major release mean RHEL10 ? Or RHEL 9.6?

It looks like I do not need to specify custom_1 log with this. I wasn't sure if I needed to specify custom_1 log to get the regex.custom.pm to scan, but it seems that is not necessary for this to function. I must not have had the syntax correct from post 2 in my first attempt: [(?:client|remote) \S+...

OK, I searched the forum quite a bit, and found this older post https://forum.configserver.com/viewtopic.php?t=9951 I modified it changing [client \S+:\S+\] \[client (\S+)\] to [remote \S+:\S+\] \[client (\S+)\] if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ ...

Thanks very, very much for sharing this. To implement this, do I simply: 1.) add this to /usr/local/csf/bin/regex.custom.pm 2.) set Custom1 log to /usr/local/apache/logs/error_log I noticed tonight that I had one mod_security tigger an LFD ip block where their ip appears as [client IP:42846] [client...

Did you find any solution to this? Finding tonight on cloudlinux 9 sever with http2 enabled, despite hits showing up in the mod security tools from my tests of loading ?this=/etc/passwd CSF/LFD is not blocking the ip. Is there a solution to allow LFD to block mod_security hits on Cloudlinux 9 with t...

Yes with Cloudlinux and cPanel supporting Cloudlinux 6 through June 2024 now, please continue to support Cloudlinux 6. With Cloudlinux 7 going EOL the same 2024 year as Cloudlinux 6 Extended support, I'd like to continue running Cloudlinux 6 extended support. I'm also a bit uncertain with Centos 8 g...

Is the intended behavior that csf /lfd will only email upon the first WHM root access from the same IP within so many hours? I'm trying to figure out why lfd only sent one email "WHM/Cpanel root access alert" when I logged in and out and then in again a few times to WHM. The cpanel login_l...