ConfigServer Community Forum

I may have found the issue on my server...sharing in case it helps. My modsec2.conf includes user.conf, (which includes whitelist.conf) and cpanel.conf. So whitelist.conf was being parsed before cpanel.conf. I've added a line to modsec2.conf to include whitelist.conf after user.conf and cpanel.conf ...

I'm seeing this behavior recently as well, lots of IPs getting blocked in CSF for rules that are whitelisted in CMC.

I'm in the same boat, I'm only interested in failures from US/CA.

Yeah I shouldn't post when I've been drinking. Thanks for the new regex, this should help with a lot of attacks.

I was recently looking for a way to do this as well, but I couldn't find a way to do it. I ended up disabling alerts altogether.

I had some conversations with Sergio about this stuff because I was actually looking for a way to block IPs that were attempting to authenticate as IDs that don't actually exist. I didn't want to have to maintain a list. Unfortunately because CSF is just watching the log for the errors, it has no id...

Yes but you have to actually specify the IDs you consider bad, so if you just specify ylmf-pc it should block these for you. if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id...

Check out the second post in this thread, I think if you cut the list of IDs down to just ylmf-pc and any others you're having trouble with, it will do what you need. viewtopic.php?f=6&t=7517

The only things in csf.ignore are the ranges for my host's monitoring systems and 127.0.0.1.

Also, I'm still getting all of the other email alerts from CSF/LFD, just not these specific alerts.