ConfigServer Community Forum

Under Server Services Check section, the checks for nfslock and rpcidmapd are both showing false positives. They were both already stopped:

root@biscuit # service nfslock stop
Stopping NFS statd:
root@biscuit # service nfslock status
rpc.statd is stopped

root@biscuit # service rpcidmapd stop
Shutting down RPC idmapd:
root@biscuit # service rpcidmapd status
rpc.idmapd is stopped

I have mod_security failure detection off, but sites are still being blocked.

It is set currently as:

LF_MODSEC_PERM = 0

Issue is occurring on 10+ servers.

upgraded to v3.01 and now the server doesn't mails the login alert,
happening on 2 of my servers

csf log shows:-
Sun Jan 5 07:45:49 2008 lfd: *SSH login* from xx.xx.119.245 into the root account using password authentication - ignored

nothing else has been changed on the server.

on other boxes running older versions still send alerts properly.

any solutions ?

We have found that IP addresses that you place in the csf.allow file are being overriden by SpamHaus and DShield banned IP addresses. We thought that the csf.allow would override anything in the csf.deny, SpamHaus, and DShield lists.

What is happening... is that with all the off-shore support stuff going on, that DShield/SpamHaus has some .PK IPs banned, yet one of our vendors use Pakistan for...

On two cPanel11 boxes with CSF we have identified a problem while receiving mail using POP3/IMAP.

During the send/receive process the client (Outlook, Thunderbird) shows the time remaining as 30+ mins for 50K e-mails, it happens randomly (not every send/receive) to random clients (but during some time all of them have experienced the problem at least once). We've tried and tested all possible...

Hey

I wanted to know if this would be a possible bug.

When I click on lfd Log I get this output on the next screen

ConfigServer Security & Firewall - csf v2.94
Displaying the last 30 lines of /var/log/lfd.log...

Fri Dec 7 12:27:34 2007 lfd: Error: Log line flooding/looping in /usr/local/apache/logs/error_log. Reopening log file
Fri Dec 7 12:27:34 2007 lfd: Watching...

Hi chirpy, upgraded to CSF 2.95 today on my webmin/home server and it appeared to upgrade fine. I wanted to remove some ports from the configuration and on restart it wouldn't come back up.

Restarting csf...

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Error: Setting POP3D_LOG is repeated in /etc/csf/csf.conf - you must remove the duplicates and then restart csf and...

Does csf look at csf.tempban before it blocks an IP? I sometimes get a dozes emails about an IP that is blocked with too many connections. And it is then also listed a dozen times in csf.tempban.

I have configured for some time now to only block the specific service, but has been many clients that contacted me saying they are blocked in the entire server, no matter if they only attempted to login many times through ftp looks like they are being blocked in the entire server. Any idea?

i have:

LF_TRIGGER =0
LF_TRIGGER_PERM =1
LF_SELECT =1

and for service for example
LF_FTPD =8...

I have the following problem:
i have some websites using directories like /etc .

anytime the csf finds a reference to an /etc directory logs it, warns me and also denies IP access.

i've noticed also that joomla/mambo and other pre-made scripts or cms's, are using /etc directories....

here is an example of warning i receive 20 times a day:

Time: Thu Dec 6 21:19:56 2007
IP: xx.xx.xx.xx...

Hi,

Just noticed that scripts on myserver can send e-mail without obeying the LF_Script_Alert.
It has worked before although.

This is my csf.conf
LF_SCRIPT_ALERT = 1
LF_SCRIPT_LIMIT = 25
LF_SCRIPT_PERM = 1

Any idea how I can solve this issue:confused:

Thanks in advance for your time and help.

Frans

Error:

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
iptables: No chain/target/match by that name
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `acctboth'
Error: iptables command failed, at line 118

Since 2.6.15 they changed the name of them kernel modules and I think csf does not recognize them:

ipt_state -> xt_state...

The connection tracking still temporary bans IP's listed in the csf.allow file. (using v2.89)

Update: Sorry my bad .. I guess there is a separate ignore file for LFD checks (csf.ignore). This should be added to the readme.txt Thanks guys !

The challange is to block all scanalert.com scans as they are apparently used by hackers to probe our servers.

Okay, so for the past two months we have collected all the scanalert IPs that we can and we have inserted these in an world accessible (via URL) list, and then inserted the URL in the GLOBAL_DENY = slot with an LF_GLOBAL = value of 1800

At first this seemed to work fine, but for the...

Hello,

Since a few days, I'm getting this for each file of a php script:

Time: Mon Oct 29 14:40:36 2007
File: /tmp/b0692f57_TemplatePatch.class.php
Reason: Script, file extension
Owner: nobody:nobody
Action: Moved into /etc/csf/suspicious.tar

I suppose it's coming from Fantastico, how can I allow it ?

Thanks,
Francois

Hi,

csf 2.90 shows the PHP settings to be changed to:

enable_dl = Off
register_globals = Off

while they are already set that way. Is this a bug or any other php.ini file overriding
the main one? Is there a way to figure this out?

thank you,
tuxg

It seems in csf 2.90 check cpanel version for x86_64 does not work correct.

Your current version of cPanel is 11.11.0-RELEASE_17033. According to the cPanel site, the latest available is 11.11.0-RELEASE_16983, you should consider upgrading to ensure bugs and security patches are up to date

While at the RELEASE version for x86_64 is 17033

sorry to post this here, but your forums did not preview any space for Exim Dictionary Attack ACL for cPanel

I bought your full cpanel service for my RedHat9 VPS with ServInt, but as RH9 is not any more supported, I am moving to a new server with CentOS.

I am trying to help myself.

here
it says

You now need to add the ACL to the exim configuration file. This is best done through the WHM...

For some odd reason the new CSF 2.87 is not blocking the previously blocked IPs/ranges from the deny file

While it looks like it generates a lot of iptable rules, does do not have an effect

Furthermore it must be noted that a quick deny for an IP, doing an iptable statement still works... but that block is gone after CSF restart

a normal IPTABLES statement for blocking IP/ranges also works...