ConfigServer Community Forum

We've noticed that some Apache-related LF_* rules (LF_APACHE_404 and LF_MODSEC specifically) no longer seem to get triggered. I've simulated multiple 404 errors and triggered random ModSecurity rules, but CSF didn't pick up any of the events, and my non-whitelisted IP address didn't get blocked at all.

In the /usr/local/csf/lib/ConfigServer/RegexMain.pm file, I see that all Apache-related regex...

Hello!

Since las Tuesday, CSF can't geolocate Spanish IP addresses when executing this:

csf -i 81.202.228.230

This commando retusn this:

# csf -i 81.202.228.230
81.202.228.230 (81.202.228.230.dyn.user.ono.com)

while in other countries it works welll, for example...:

## csf -i 8.8.8.8
8.8.8.8 (US/United States/dns.google)

We noticed that if we modify the database file like this:

echo...

It seems there is a bug with IPv6 support. I installed CSF on an AWS Lightsail instance and in order to automatically obtain a public IPv6 address, AWS requires support for RA/SLAAC. With CSF turned on, the instance receives an IPv6 address on boot but then once valid_lft reaches 0, it falls off the interface and can't be renewed.

I have set:
IPV6 = 1
IPV6_ICMP_STRICT = 0
IPV6_SPI = 1

Operating...

OS AlmaLinux v9.3.0 STANDARD
cPanel Version 118.0.4
CSF: 14.20

Notable modules:
mod_remoteip (cloudflare)
mod_http2-2.4.59-1.1.1.cpanel.x86_6

First, I appreciate all the hard work the team puts into this software.

Recently setup a fresh cPanel server and I noticed that the firewall wasn't blocking repeated mod security hits, despite configuring LF_MODSEC with a low threshold (2). The CSF...

Bug in /usr/sbin/lfd sub connectiontracking

The hex2ip function strips leading zeros.
However for the string passed to inet_ntoa it simply strips the double colons, forgetting about the leading zeros.

This e.g. results in wrong ipv4 address for ipv4 connections on tcp6 sockets.

Example that goes wrong:
0000000000000000FFFF0000CE0ACB74 -> 0:0:0:0:0:ffff:74cb:ace -> 7.76.186.206
correct would...

Hello,

Not sure if this is a bug or issue:

I saw the notice posted below indicating Cloudflare Firewall Rules (API) being deprecated.

Will the deprecation of the Cloudflare Firewall Rules API impact the integration of CSF’s Cloudflare IP blocking feature? ( I am not sure if that deprecation affects the IP access_rules portion of the API )

The Cloudflare blocking feature has been immensely...

In the description for PT_LOAD_ACTION:

If a PT_LOAD event is triggered, then if the following contains the path to
a script, it will be run in a child process. For example, the script could
contain commands to terminate and restart httpd, php, exim, etc incase of
looping processes. The action script must have the execute bit an
interpreter (shebang) set

I'm pretty sure the last sentence means...

Login page can't login with reverse proxy.
After that, I modify source code to add remote ip address as a ip address instead of localhost ip address, it work but only in firefox, and after login it still in login screen although i press F5 button. Only when i press Ctrl+Shift+R it will redirect to admin page but when i click a function it redirect to login page, only when i press Ctrl+Shift+R it...

For CSF messenger, the index.php file that handles unblocking, uses curly braces for array indexes/offsets and throws:

Array and string offset access syntax with curly braces is deprecated.

For example:

$lang{ warning };

Should be

$lang ;

-PHP: PHP 7.4.12
-OS: CentOS Linux release 7.9.2009 (Core)
-CSF: csf: v14.08 (cPanel)

Hi

We just installed CloudLinux 9.3 and WHM/cPanel v116
we then installed CSF

edited config and turned OFF testing and changed no other feature.
Save

it then asks to restart
we click restart csf+ldf and it just gets stuck reloading page

Confirmed on 2 different CloudLinux 9.3 servers

CL9.3 with cPanel support is brand new (2 days ago it was released) so i'm guessing this needs fixing by you...

On my DirectAdmin/CentOS server I am using ConfigServer Security & Firewall - csf v14.20

The 'Check php version' mentioned that PHP version 7.4.33 is lower then 7.2 ??
7.4.33 is the only PHP version installed on this server.

Any version of PHP older than v7.2.* is now obsolete and should be considered a security threat. You should upgrade exclusively to PHP v7.3+:
Affected PHP versions:
7.4.33...

Hi,

There has been an update to the GeoLite2-Country-Locations-en.csv file that comes from maxmind.

Prior to around 31st October 2023, the GeoLite2-Country-Locations-en.csv file had this entry:

2750405,en,EU,Europe,NL,Netherlands,1

After the 1st November 2023, this line has been updated to:

2750405,en,EU,Europe,NL, The Netherlands ,1

For some reason, csf is having an issue with parsing...

Hi,

csf version: v14.20 (cPanel)
LFD Messenger has stopped responding on IPv4. It only listens on IPv6:

# netstat -punta | grep lfd
tcp6 0 0 :::28887 :::* LISTEN 173311/lfd HTTPS me
tcp6 0 0 :::28888 :::* LISTEN 173312/lfd HTML mes
tcp6 0 0 :::28889 :::* LISTEN 173313/lfd TEXT mes

I don't know if this is happening after upgrading to v14.20 but I think so.

Thanks,

Ignacio

Hi there,

when trying to access to UI from an nginx proxy, I have these weird error lines:

2023/09/20 15:43:20 2333492#2333492: *687017 upstream sent invalid header: \n ;
print Content-type: text/html\r\n ;
print \r\n ;
print \n ConfigServer Security & Firewall \n \n ;

That 'print \n ;' line should be added just before 'print '...

You are adding that line between HTTP headers, and this...

After enabling CT_LIMIT on a Centos 8 server I started getting these alerts:

Time: Tue Aug 25 20:00:54 2020 -0600
IP: ::ffff:d88a:c0e6 (Unknown)
Connections: 504
Blocked: Temporary Block for 1800 seconds
 
Connections:
tcp6: 0:0:0:0:0:ffff:d88a:c0e6:51064 -> 0:0:0:0:0:ffff:d88a:c0e6:7081 (TIME_WAIT)
tcp6: 0:0:0:0:0:ffff:d88a:c0e6:49206 -> 0:0:0:0:0:ffff:d88a:c0e6:7081 (TIME_WAIT)
tcp6:...

Something changed in the latest on AlmaLinux 8.8 and 9.2 so the messenger v3 service wasn't working when you accessed it:

AH01630: client denied by server configuration: /home/csf/public_html/

`
I was able to fix it by adding Require all granted to the .htaccess at /home/csf/public_html/.htaccess

Require all granted
DirectoryIndex index.php index.cgi index.html index.htm
#Options...

Since the upgrade to 14.19, repeated failed imapd logins in maillog are no longer getting blocked.
For example, the following (obfuscated) maillog entries did not result in a block, which they would have in earlier versions:

Jul 30 23:09:04 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 8 secs): user= , method=PLAIN, rip=1.2.3.4, lip=5.6.7.8,...

Hi,

Following investigation there is a change in Perl 5.38 which breaks LFD (see Debian 12 LFD issues by me in General Discussions).

As soon as one of the log files causes an error (e.g. is simply not present), all future log file reads on any file will fail until the error is cleared.

I solved this by adding a clearerr call before each log read, which is in the LFD file and the function...

Hi

Repeated maillog entries of the following form were not detected when they should have been (obfuscated):

Jun 6 13:28:17 vps dovecot: pop3-login: Disconnected: Connection closed: read(size=984) failed: Connection reset by peer (auth failed, 1 attempts in 2 secs): user= , method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, session=

Log entries like this are rare.

CentOS Linux release 7.9.2009
cPanel...

Adding the following rules to /etc/csf/csf.allow:

tcp|out|u=0
udp|out|u=0

Adds the following rules to iptables:

# iptables-save | grep 'ALLOWOUT .*uid-owner'
-A ALLOWOUT ! -o lo -p udp -m owner --uid-owner 0 -j ACCEPT
-A ALLOWOUT ! -o lo -p tcp -m owner --uid-owner 0 -j ACCEPT

But does not add the same rules to ip6tables:

# ip6tables-save | grep 'ALLOWOUT .*uid-owner'

There is no...