ConfigServer Community Forum

Tried testing the CSF 4.06 for the temp and perm blocking giving the block message. In the TEMP port 21 will direct to the message, but for PERM it will not. Here are my files

CSF.DENY
tcp:in:d=21:s=61.37.32.130

CSF.CONF
MESSENGER = 1
MESSENGER.TEMP = 1
MESSENGER.PERM = 1
MESSENGER_HTML_IN = 80,443,2082,2083,2095,2087
MESSENGER_TEXT = 21,25,110,995,465

A TEMP block will cause the FTP on port...

I first noticed these two issues after an auto-upgrade to 4.02, and they persist in 4.04.

1. Global allow rules not being updated
I have a GLOBAL_ALLOW url specified in my configuration file. Upon CSF/LFD initialization (or manual restart), these rules are applied correctly:

Chain GALLOW (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth+ *...

Hello!
My csf ran an update today, after the new files where in, i get this:
Error: iptables command failed, at line 739

Can anybody help? thx alot

Hi,

Seems like Bogon is active on eth1 even though I excluded it from firewall rules in:

ETH_DEVICE_SKIP = eth1

I run internal network using 192.168.0.x to connect to internal NAS server.

Looks like the newest csf update causes this to break. It was fine in earlier versions. I had the server set to autoupdate csf and found out this morning that it had issues connecting to NAS (it wouldn't...

Hello,

I am experiencing an issue with v4.02 after an intended automatic upgrade early this morning; it seems that our custom port range specified for TeamSpeak voice service over UDP is being blocked for inbound and outbound traffic.

Here are two of many syslog entries indicating the blocks (munged): Sep 9 12:38:30 servername kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT=...

Hello,

With v3.43 of CSF I have been seeing that an IP address may not always be removed from iptables/csf after the temporary time span has elapsed. The IP address is blocked for triggering LFD from failed logins; here is a more descriptive log report from LFD:
(I''ve replaced the last octet with an X.)
# grep -i 72.226.154.X /var/log/lfd.log
Tue Sep 2 21:42:18 2008 lfd: Failed cPanel login...

ConfigServer Security & Firewall - csf v3.41

WHM 11.23.2 cPanel 11.23.4-R26138
CENTOS Enterprise 5 x86_64 on standard - WHM X v3.1.0

lfd is blocking after 1 login failure!

An example - per the email alert I got is

Time: Sun Aug 17 00:28:13 2008 -0400
IP: xxxxx - removed
Failures: 1 (pop3d)
Interval: 5 seconds
Blocked: Yes

Log entries:

Aug 17 00:28:09 s6 pop3d: LOGIN FAILED, user=xxx@xxx...

latest version v3.39

# grep 24.166.55.38 /var/log/lfd.log|grep htpass
Tue Jul 29 20:16:20 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 20:16:21 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:08:07 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29...

I noticed that 67.210.XXX.XXX has been constantly getting blocked because of port scans so I made a permanent block with 67.210.0.0/16

The problem is that even though it's permanently blocked, csf will still detect port scans and block any IP within the permanently blocked range. It will also then permanently block the IP after after X number attempts even though the c-block is already...

Hello,

I have a wierd bug with CSF , it started 2 days ago.

first my server and cpanel info :

WHM 11.23.2 cPanel 11.23.4-R26118
CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0

What happens is if cpanel backups starts to run is that in the middle of the process it makes the server unreachable. (not reachable so needs reboot)

No high cpu or load and mem use is ok

Didn't find any errors...

Hi Chirpy,

I have just upgraded to 3.39 and i do not see teh queuealert.txt in the drop down, wondering if you forgot it?

Thanx!

I have noticed that when a cdir address (eg.67.210.3.1/24) is blocked in the csf deny list, continued hammering by ips within that subnet still trigger the csf temp ban emails. (eg. 67.210.3.66, and 67.210.3.69 will trigger temp bans if hammering even after subnet is denied.)

this could give an attacker a way to flush out the temp ban list even if the flushing subnet has benn permanentely...

i recently received this alert by email, but the domain is not hosted on my server, the emails were not on the queue. what does this mean?

i received a lot of such alerts...

any idea?

thanks.

==========================
Time: Tue Jul 22 14:20:21 2008
Type: RELAY, Remote IP - 69.73.181.157 (delphi.nocdirect.com)
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2008-07-22...

Upgraded 3 servers to latest CSF and all of them report Suspicious process when users are accessing email using squirrelmail .

Time: Fri Jun 27 00:25:46 2008
PID: 20395
Account: dxxxnd
Uptime: 161 seconds
Executable:
/usr/local/cpanel/3rdparty/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php-cgi...

I dont know if this was fixed in the very last release but I know the one before it had this problem. Basicaly if you had connection tracking on tmp ban it would ban whitelisted ips. For example I had a few server setups that use remote sql and such and everyone I had set on tmp ban was banning the mysql server. I am positive the ips were whitelisted in all instances.

My solution was to just...

hello
when i update the cpane and apatche the csf page he not open its white page
please see the screen shot

We have started getting the error:

Internal Server Error

Premature end of script headers: /usr/local/cpanel/whostmgr/docroot/cgi/addon_csf.cgi: Please check /usr/local/cpanel/logs/error_log for the exact error.

this is occuring in all our servers running WHM C25133

whats causing this?

Hi,

A couple of versions ago, something changed with the way that CSF treats hostnames listed in the lfd Dynamic DNS .

I am now receiving email alerts of the form lfd: SSH login alert for user XXXXX from AAA.BBB.CCC.DDD (Unknown)
each time I login to the server from this IP addresss, which one of the hostnames listed in the lfd Dynamic DNS list resolves to.

I've double-checked the IP...

Working with cPanel, they seem to locate an issue with CSF/LFD that is causing the packaging of a full backup to end prematurely from cpanel, but yet the the file is sent to the remote destination.

The package restores fine, but again, not everything is restored.

After much testing, I have been able to replicate
the issue with the test1 account and a test account, using 2 different ftp
hosts....