ConfigServer Community Forum

I read in another thread that the IP Allow overrides the IP Deny. I had a range of IP addresses in the IP DENY and a single IP address in the ALLOW. The single IP was still denied.

Example

DENY FILE

26.132.12.0/24 # Deny
ALLOW FILE

d=1111:s=26.132.12.200 # Allow

The IP 26.132.12.200 was still not able to log in until I removed the deny entry.

hi,
I've few IP's of customer which are in the allowed IP List still i get the Lfd blocked notification mail for those failed logins as :-

Failures: 8 (ftpd)
Interval: 135 seconds
Blocked: Yes

Blocked: Yes confuses and needs to re-check it from csf menu.

shouldn't this have something like which reminds that you've already allowed the IP in question and is not blocked

see ya,
prabudh

there is one problem

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER GID match 12
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER GID match 32001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 OWNER UID match 0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 reject-with...

Minor bug: I am running CSF v2.69 on a non-cPanel server, and am getting duplicate SSH login alerts. Other alerts, e.g. IPs blocked, are not duplicated. All alerts are sent to the same email address, so it not a case of forwarders that are creating duplicates somewhere.

I do not have SSH alerts enabled on any of our cPanel servers, and hence cannot say if the same problem exists there too, or...

Hey,

I've managed to remove CSF... well for the most part although its left in a cron job entry which i don't know how to remove, ive tried crontab -e and the csf entry is not listed there.

Error Message:
Can't open perl script /etc/csf/csf.pl : No such file or directory :eek:

I'm getting this sent to me via email daily -_- Is there anyway i can remove the entry? (its sent from the Cron...

hello, why was my mailscanner thread deleted? that was an issue i reported, and it pretty much has impact. it's a paid service, and i think that reporting bugs ... is a good thing?

mhm . i have been experiencing this thing since a few days with cpanel.

i run mailscanner installation from configserver, and suddenly the nobody tweak from the whm is not active anymore. so user nobody can send mails out.

this is the feedback i got from the cpanel team.

Few problems we found.

1) MailScanner is bypassing some Exim configurations such as checkspam which
controls the nobody...

The segfault error I was seeing went away, and then it came back - I'm alerted after temp fills up with massive core dumps.

Apr 12 19:00:29 squirtle kernel: lfd : segfault at 0000000000000038 rip 000000000042433d rsp 0000007fbffff300 error 4
Apr 12 19:08:23 squirtle kernel: lfd : segfault at 0000000000000038 rip 000000000042433d rsp 0000007fbffff300 error 4
Apr 12 19:11:33 squirtle kernel: lfd...

hi
I just installed csf on my fedora box but I saw 98.2%% cpu usage ...

13988 root 25 0 111m 59m 1648 R 98.2 2.9 160:53.35 lfd

what s wrong whit this?

thanks for your help

2.6.11-1.1369_FC4smp #1 SMP Thu Jun 2 23:08:39 EDT 2005 i686 i686 i386 GNU/Linux

running WHM release update/cpanel
WHM 10.8.0 cPanel 10.9.0-R7965
Fedora i686 - WHM X v3.1.0

then I restarted it and now I get:

root...

I get Process Status reports at least once a day about exim
- Event Summary:
USER: mailnull
PID : 23706
CMD : /usr/sbin/exim
CPU%: 0 (limit: 85)
MEM%: 0 (limit: 15)
PROCS: 16 (limit: 10)
Which is correct HOWEVER I placed the following in csf.pignore via the interface and restarted
exe:/usr/sbin/exim
cmd:/usr/sbin/exim
user:mailnull
But lfd is STILL killing exim. Is there something I'm missing?

I've allowed an IP of a client who often generates pop3 login failures due to there being many users at a single location.

If they do something that would result in them getting blocked, such as repeat pop3 login failures, lfd still picks this behaviour up and sends me an email as would be received when an IP gets blocked.

It doesn't really matter since the IP doesn't get blocked, however I...

Running latest csf, RHEL 4.4, latest kernel, generic linux

We have an application that ssh's into a server every hour. We'll see this being logged in lfd.log and ignored as it should, then suddenly the logging stops in lfd.log, even though the logins continue. During these times, actual brute force attacks go unblocked as well. A service lfd restart seems to jumpstart things again.

After...

After upgrading to 2.63 I get this error, and an email every 5 minutes.
Before upgrading everything was working.

Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Error: (iptables binary location) does not exist!, at line 22

I'd like to thank you, Chirpy, for csf.

I've installed csf to my VPS, then all hosted sites can't not be displayed and are getting Gateway Timeout.
And always getting SSH Error, The current connection has timeout when trying to login to SSH.

I'd be so appreciative if I get any recommendations.

I have a PHP script that uses mail() to send out shipping confirmations to customers whose order shipped. Typically there are anywhere from 250 - 350 emails sent each day. After each mailing I receive an lfd: Script Alert email and in the email the line that says

Count: 101 emails sent

always has 101 as the number of emails sent no matter how many emails were actually sent out.

Not sure if...

Check Server Security does not detect disable_functions in double quote , and report it with WARNING status.

In /etc/csf/csf.ignore I have, for example:
127.0.0.1
123.456.789.0/24
234.567.890.0/24

But if I ssh in from 123.456.789.32, it still triggers an SSH email alert. I restarted both csf and lfd, but it still triggers the alert. Thoughts?

Seems upgrading from 2.59 >> 2.60 when you restart CSF & LFD, you get the following:

Restarting lfd...

Stopping lfd: Done
Starting lfd: Done

...Done.

Now I go to check the LFD Daemon is running and it shows it's stopped:

ConfigServer Security & Firewall - csf v2.60

Show lfd status...

Status of lfd: Stopped

...Done.

Then to see if restarting you get this:

ConfigServer...

Hi,
just want to report somenthing that I am having in my CSF.

I have set LF_TRIGGER = 0, in order for me to set the cumulative failures in each of the following commands. So, I set the LF_POP3D = 20, but for some reazon it is not working.

Look at this print screen:

Wed Dec 20 11:06:18 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 105 secs
Wed Dec 20 11:07:40 2006...

hi configserver,

My mailbox is getting flooded with warnings about suspicious proccesses running on my server.However this is false that process is not malicious and normal ......

Time: Thu Jan 11 12:14:43 2007
PID: 27948
Account: ************
Uptime: 67 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php cron.php

Network connections by the process...