Search found 10 matches
- 28 Sep 2023, 15:13
- Forum: General Discussion (csf)
- Topic: Update script freezes Hash is full
- Replies: 3
- Views: 4541
Re: Update script freezes Hash is full
Increasing the LF_IPSET_MAXELEM setting resolved the problem for me. You can figure out how high to go by watching the output from css as it starts. CC_ALLOWPORTS all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src csf: IPSET loading set cc_us with 98413 entries IPSET: [ipset v6.38: Er...
- 10 Aug 2018, 16:47
- Forum: Report Bugs (csf)
- Topic: 12.05 update causing exim syntax errors
- Replies: 3
- Views: 6967
Re: 12.05 update causing exim syntax errors
Found it. This must be a new rule: if (($config{LF_EXIMSYNTAX}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?no host name found for IP address (\S+)/)) { My ingress mail servers are running on AWS and connect to the servers running CSF/LFD using private IP addresses ...
- 10 Aug 2018, 16:18
- Forum: Report Bugs (csf)
- Topic: 12.05 update causing exim syntax errors
- Replies: 3
- Views: 6967
12.05 update causing exim syntax errors
After the 12.05 update my lfd log is full of exim syntax errors: Aug 10 08:17:20 vpc5 lfd[2111376]: Exim syntax errors from resulting in my ingress mail servers to be blocked. I see this in the changelog: Added new regex for LF_EXIMSYNTAX I whitelisted my ingress servers to get mail flowing again bu...
- 22 Dec 2016, 15:40
- Forum: General Discussion (csf)
- Topic: ftp attacks on the rise
- Replies: 4
- Views: 5608
Re: ftp attacks on the rise
Given the recent wave (yet another) of WordPress brute force login attacks I've seen I wanted to resurrect this thread. I have CSF configured to detect and block these attacks using custom mod_sec rules. I use a temp ban rule followed by a perm ban rule. The issue I'm having is that this botnet, and...
- 31 Mar 2016, 06:11
- Forum: General Discussion (csf)
- Topic: ftp attacks on the rise
- Replies: 4
- Views: 5608
Re: ftp attacks on the rise
Given ipset functionality is there any reason we can't build a huge global deny list? Who's pushed the limits of ipset? If we can't use our collective superior intelligence to defeat the bad guys I'm ready to go back to building walls to protect the kingdom. I've already walled off some services, fi...
- 31 Mar 2016, 06:03
- Forum: Report Bugs (csf)
- Topic: Temp to perm ban works until you remove the IP
- Replies: 4
- Views: 7941
Re: Temp to perm ban works until you remove the IP
Thank you. This one has been causing me pain for some months.
- 24 Mar 2016, 13:21
- Forum: Report Bugs (csf)
- Topic: Temp to perm ban works until you remove the IP
- Replies: 4
- Views: 7941
Re: Temp to perm ban works until you remove the IP
Sorry. In my head it's perfectly clear :-) But, I've been looking at the code paths for hours. Here's what happens. 1. The IP address is moved from temp ban to perm ban status via some rule 2. The IP address is removed from the temp ban list (csf -tr) but not from /var/lib/csf/csf.tempip 3. LFD issu...
- 23 Mar 2016, 23:21
- Forum: General Discussion (csf)
- Topic: ftp attacks on the rise
- Replies: 4
- Views: 5608
Re: ftp attacks on the rise
No. It's not just you. The attacks are brutal at times. I, like you, have ended up creating a much smaller Internet :-) for most services.
- 23 Mar 2016, 23:16
- Forum: Report Bugs (csf)
- Topic: Temp to perm ban works until you remove the IP
- Replies: 4
- Views: 7941
Temp to perm ban works until you remove the IP
This bug is back in version 8.16. The current problem is that if you have a DENY_IP_LIMIT set when an IP address is pushed out of the list it is not being removed from /var/csf/csf/tempip. Since the record has the PERM flag set the bad IP address will never be banned again. Here's the code from CSF ...
- 04 Feb 2014, 01:29
- Forum: Report Bugs (csf)
- Topic: Temp to perm ban works until you remove the IP
- Replies: 7
- Views: 7160
Temp to perm ban works until you remove the IP
Once an IP address has been through the temp to perm ban cycle the status is changed to PERM in /var/lib/csf/csf.tempip. If you then remove the ban on the IP using "csf -dr IP" the IP will never be subject to being banned again because the entry in /var/lib/csf/csf.tempip is not removed an...