ConfigServer Community Forum

The Check php for register_globals for currently showing as a fail when I run the Check Server Security script.

I have confirmed it is off in the php.ini file, and with a call to phpinfo().

Bug somewhere in CSF? It had previously passed the test

cPanel 11.24.4-C33609 - WHM 11.24.2 - X 3.9
CENTOS 4.7 x86_64 on standard

PHP Version 5.2.8
Linux host.xxxxxx.com 2.6.9-67.0.20.ELsmp #1 SMP Thu Jun...

chirpy,

My system auto-updated from 4.36 to 4.38 this morning, and in the process sent me the integrityalert email as follows:

Time: Wed Jan 21 09:40:07 2009 -0600

The following list of files have FAILED the md5sum comparision test. This means
+that the file has been changed in some way. This could be a result of an OS
+update or application upgrade. If the change is unexpected it should be...

Heya Chirpy,

Thanks for your continued work on this fabulous piece of software!

We've received a number of reports today from clients whose CSF/LFD won't restart due to the following error:

Error: iptables command failed, you appear to be missing a required iptables module, at line 332

We fix this by disabling SMTP_BLOCK in the CSF configuration, and realize it is in regard to the CSF update...

With bogons enabled (LF_BOGON) it blocks interfaces even if they are in the interface skip list (using ETH_DEVICE_SKIP). So with it enabled it blocks connecting to internal IP's on eth1 even if eth1 shouldn't have rules applied to it.

Using csf version 4.36 on centos 5

Always 2 emails sent at the same time when I enable the load average checking.

In our /var/log/dmesg we have the following:

ip_conntrack version 2.1 (8127 buckets, 65016 max) - 304 bytes per conntrack
application bug: lfd(4124) has SIGCHLD set to SIG_IGN but calls wait().
(see the NOTES section of 'man 2 wait'). Workaround activated.
application bug: lfd(4709) has SIGCHLD set to SIG_IGN but calls wait().
(see the NOTES section of 'man 2 wait'). Workaround activated....

I've seen a lot of reports of clients being blocked by the firewall, yet there are no logs that LFD ever blocked that IP. Messenger service is being used. Synflood is off. Any reason why blocks would be occurring with no logs indicating so.

Hello,

First of all i would to thank all the CSF and LFD crew because they do their efforts to help us securing our servers.

Today i see a mis-spelling error in Check Server Security in SMTP_BLOCK.

See the picture in this link: http :// www .modserv. com/ CSF.jpg

Note: Delete the spaces in the link because i can't add URLs You are only allowed to post URLs to other sites after you have made...

Hi i'm using csf version 4.27 on debian lenny. Csf is installed using the generic script and i get the following error when i try to do anything regarding any csf commands :

csf -s
Can't locate Cpanel/Version.pm in @INC (@INC contains: /usr/local/cpanel /etc/csf /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10...

failed login attempts to account xx (system) -- Large number of attempts from this IP

Getting a ton of these emails from cphulk because the server might be under attack, however these login attempts aren't be detected by CSF and blocked. Sometimes a single IP, we need up with 8000+ emails.. and sometimes its multiple ips in the same block range.. however CSF isn't picking up anything. I believe...

Hello,

i get a lot of mails ( more than 200 this time ) with the same IP blocked like:

Time: Fri Nov 7 06:43:55 2008 +0100
IP: XXX.XXX.xXX.XXX
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Yes

The IP is already blocked in csf. But i won`t stop sending mails.

Any suggestion?

Regards Frank

Hi,

I am running csf 4.16 (since 26/10/2008) and for no apparent reason lfd stopped logging the time in lfd.log starting November 1st, 2008. This is an exemple of the lines I now get:

Nov 2 servername lfd : *Port Scan* detected from xx.xxx.xxx.xxx hits in the last 235 seconds - *Blocked in csf* for 86400 secs
Nov 2 servername lfd : 5 (mod_security) login failures from xx.xxx.xxx.xxx in the...

On any newer servers I get this message when trying to start csf:

Starting csf:iptables: Index of insertion too big

Running Centos 5.2
uname -a
Linux 2.6.18-92.1.13.el5 #1 SMP 8 i686 i686 i386 GNU/Linux

iptables-1.3.5-4.el5

Hello there!
I need your advice. csf ldf not blocking failed login triggers from same ip. Any suggestions?

I am getting many emails:
---------------------------------
Time: Sat Sep 20 19:03:21 2008 +0400
IP: 81.91.236.79 (BJ/Benin/ortb.ortb.bj)
Failures: 5 (sshd)
Interval: 10 seconds
Blocked: Yes

Log entries:

Sep 20 19:03:07 icarus sshd : Failed password for invalid user job from...

Looks like on line 327 in csf.pl in version 4.12 the line is:

if (-e /etc/csf/csfpost.sh\n ) {

and it should be:

if (-e /etc/csf/csfpost.sh ) {

The extra \n is causing the csfpost.sh script to not be found and not executed.

I compared this with version 4.11 and it looks like 4.11 has this correct.

Hi

I realized today, that SMTP_BLOCK is not working for IPs other than main server IP. I have exim running on main server IP (it is cPanel box), but all sites is working on other IP. SMTP_BLOCK is not working for additional IPs, it is only working for main server IP.

Tom

LFD is killing cpanel full backups.

Ex:

Time: Mon Sep 29 16:54:13 2008 -0500
Account: username
Process Count: 3 (Killed)

Process Information:

User:Username PID:4947 Run Time:24(secs) Memory:2760(kb) exe:/bin/tar cmd:tar czpf - .
User:Username PID:4948 Run Time:24(secs) Memory:2716(kb) exe:/bin/tar cmd:tar czpf - .
User:Username PID:4949 Run Time:24(secs) Memory:2736(kb) exe:/bin/gzip...

I am noticing an issue when performing a traceroute in that the outbound UDP packets are being filtered or blocked by iptables.

Here is a munged snippet from the syslog:
Oct 1 20:05:20 hostname kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=69.93.X.X DST=66.201.X.X LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=32059 PROTO=UDP SPT=58699 DPT=33435 LEN=18
Oct 1 20:05:26 hostname kernel: Firewall:...

Hi,

I was just installing config server and try to comply to all its setting suggestion.
All of checking are greens except for :

/tmp should be mounted as a separate filesystem. Consider using /scripts/securetmp

and

/var/tmp isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /var/tmp with those options.

I'm running a...