This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
When the deny_ip_limit limit is exceeded, and an additional csf -d command is run, the IPs are removed from csf.deny, but they still seem to be active in iptables. Is this the expected behavior? I would have thought they would be removed from iptables with csf -dr automatically so csf.deny is in sync with iptables.
Using csf v4.58. On restarting LFD, I would get an error Can't locate IP/Countries.pm in @INC (@INC contains: blah blah). Looking at /etc/csf, I can see a collection of Perl modules that are used by CSF and LFD, but not IP/Countries.pm. On line 124 of /usr/sbin/lfd, the module IP:Countries.pm is called, and it does not exist in /etc/csf. I believe the correct include should be...
I've noticed something while playing with CSF that I guess could be considered a bug. First, let me put you in the situation.
- Standard CSF v5.13 installation through sh ./install.sh, no web interface, just pure text.
- OpenSSH server on ports 22 and 6022. This is configured with the following lines in sshd_config:
Port 22
Port 6022
- csf.allow with the following content...
We use a central LDAP server for authentication on our servers and we've been getting these errors for a while.
Dec 1 17:27:03 server cessing: nss_ldap: could not search LDAP server - Server is unavailable
Dec 1 17:29:03 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server
Dec 1 17:29:03 server cessing: nss_ldap: could not get LDAP result - Can't contact LDAP server...
I understand the need to move away from colons (:) as a separator for denying and allowing rules due to upcoming IPv6. Just wondering why pipe (|) was chosen as the alternative? I believe this was introduced in version 5.04.
The reason being, to add a rule to the csf.deny file via the command line you can use the:
I'm getting the following warning:
IPv6 appears to be enabled. If ip6tables is installed, you should enable the csf IPv6 firewall (IPV6 in csf.conf). To disable IPv6 on RHEL/CentOS you should follow this link
Yet if I set IPv6_SPI to 1 I get a cron Warning email:
*WARNING* Kernel 2.6.18-164.15.1.el5PAE may not support an ip6tables SPI firewall. You should set IPV6_SPI to 1 in /etc/csf/csf.conf...
Just to mention that with the latest version csf v5.04, when upgrading from v5.03 on a
CentOS release 4.8 (Final) 32-bit system, I got these error (?) messages:
open3: exec of /sbin/ip6tables -v -A OUTPUT -o ! lo -p udp -m state --state NEW --dport 53 -j ACCEPT failed at /etc/csf/csf.pl line 2881
open3: exec of /sbin/ip6tables -v -A OUTPUT -o ! lo -p udp -m state --state NEW --dport 113 -j...
Hi, I have found a unique problem within Webmin version 1.480 and CSF 4.75 on Firefox 3.0.11. I had a staff member block themselves and their IP address was entered into the Firewall IP Deny list on Webmin. When I removed the entry and restarted CSF/LFD I found that it did not save my changes. It required me to manually edit the csf.deny file and remove the IP address.
I believe I may have fixed a minor bug in the Check Server Security script. On my server at least, the Check proftpd weak SSL/TLS Ciphers test was giving a false positive. I managed to track down the issue to the regexp on line 645 of servercheck.pm.
/TLSCipherSuite\s+(.*)$/
on my server works better as:
/TLSCipherSuite:\s+(.*)$/
Note the added colon. Without it the $ciphers var never...
I usually log in as a normal user via ssh on a non-standard port and then sometimes su to root, but I only get the alert for the initial normal user login and not for the switch to root. Is that normal behavior?
I have a problem with CSF using the latest version installed on cPanel. On this server there are 2 network cards, eth0 and eth1.
This server is used as a Linux router and as such it is necessary to allow traffic on eth1.
Unfortunately if I set
ETH_DEVICE = eth0
ETH_DEVICE_SKIP = eth1
it still does not allow traffic on eth1, so all servers behind eth1 are not working on the internet.
What can be done?
I am running csf+lfd in a production environment and I am overall very happy with it. It is easy to manage while powerful enough to supposedly do what I need.
I installed it to prevent SYN_RECV flooding at first, and it does the job.
But with the public release of slowloris, I see an increase in attempts to DoS my sites.
On the servers we have upgraded to versions greater than 4.60, lfd has stopped sending email alerts (including the latest version). Servers with versions less than 4.61 continue to send email alerts. All servers are RHEL5/CentOS5 32-bit servers. csf.conf settings all appear correct.
As another test, we took a csf 4.23 server, triggered a block that sent an email, removed the IP from the block list,...