ConfigServer Community Forum

Dear Support,

i have multiple Servers, all with CSF/LFD + CXS working on Cpanel.
After Updating the Mod_security LF_MODSEC Trigger no longer working (no IP ban on configured Trigger)

I have CPANEL/WHM, 56.0 Build 24 on CENTOS 6.8 x86_64 running on Servers.
I use classic Apache/2.4.18 compiled with EasyApache3 under CP.
I run common Atomicorp Modsec Rules Subscriptions on Servers.

In classic...

We have a few resellers setup as follows:

XXXXXX:1:USE,UNBLOCK,GREP

After the upgrade to 9.x they try to unblock but it does not actually work. On the web page they get the CSF manpage. In the email we get the search for the IP, it not getting unblocked and then the CSF manpage.

Thanks for looking into this

In the server I have set:
RESTRICT_SYSLOG = 3
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = OFF

LF_EXIMSYNTAX = 10
LF_EXIMSYNTAX_PERM = 3600

LF_IMAPD = 10
LF_IMAPD_PERM = 1

But even with that set, /var/log/messages shows, please note that I don't have those IP white listed:

EXIM SYNTAX, ignored:
Jun 13 12:23:07 serverX lfd : Exim syntax errors from 123.123.123.123 - ignored
Jun 13 12:25:18...

Hello,

There is a problem in removing IPV6 with double colon at the start or end of IPV6 from csf.deny or csf.allow

Line 1339 and 1424 of csf.pl, it seems \b is not compatible with some IPV6 in the perl regular expression.

Regards

#### Tested on CentOS 7 - Perl v5.16.3

$ csf -c
csf is already at the latest version: v8.26

$ csf -d 2001:41d0:1000:f6a1::
Adding 2001:41d0:1000:f6a1:: to...

Hello,

current version (8.25) does not install /etc/init.d/lfd in systemd systems so the following command is incorrect:
/etc/init.d/lfd restart
You should make some change in the installer to install a compatible cron job like:
systemctl restart lfd.service

Regards

Recently I enabled LF_Netblock for Class C and NetBLock Count=2 after seeing many scrapers/bots coming from the same networks. I also enabled notifications.

After restarting CSF/LFD I got my first notification (as expected) in minutes.. Then, it went silent, not blocking any other Class C's even though in the logs I could see many hits that should have triggered a NetBlock.

I disabled the...

Using csf v8.21 (cPanel) on CloudLinux 6.7 I am given a warning when trying to deny (-d) an ip address if I use an address raised on a local interface however I am not given a similar warning when trying to tempdeny (-td) the same address. Is this behavior to be expected or should there be similar checks done by the tempdeny (-td) option?

So this has started hitting us after the latest update (v8.20).

What is happening is that our LFD is stuck in a restart loop. This is due to a misconfiguration in the csf.conf value GENERIC on our side combined with a logic error in lfd.pl. We had this value set to 1 (probably due to our use of clustering and it copying from a server that didn't have cPanel installed).

What occurs is that when...

Hello,

( Its resolved after the new update :) )
After today latest auto upgrade to 8.17, CSF dosent load on WHM/cPanel it keeps loading

UPDATE Temporary Solution :

After I SSH and execute csf -r, the process didnt completed, andI watched the logs:

Apr 4 20:08:59 xxx lfd : *Error* Excessive number of children (201), restarting lfd...
Apr 4 20:08:59 xxx lfd : daemon restart requested
## .......

This bug is back in version 8.16. The current problem is that if you have a DENY_IP_LIMIT set when an IP address is pushed out of the list it is not being removed from /var/csf/csf/tempip. Since the record has the PERM flag set the bad IP address will never be banned again. Here's the code from CSF that removed the IP address from /etc/csf/csf.deny:

print csf: DENY_IP_LIMIT...

Hello!

Following a few spam episodes gone undetected by the Relay Tracking in CSF/LFD, we have determined that mails sent from cPanel Webmail are not tracked at all by CSF/LFD.

Relay Tracking is working for mails sent from email clients (we have tested this). But mails sent from Webmail are not tracked. We have tested this with all the email software in cPanel (Horde, RoundCube and Squirrel)...

The Last 12 Months pie chart in lfd blocking statistics is showing the last 30 days data instead.

I think this might just be a copy/paste error in ServerStats.pm

$year_pie_graph->plot(\@hpiedata);

I think that should be:

$year_pie_graph->plot(\@ypiedata);

I've tested the fix on my own servers and it looks good to me.

Hi ConfigServer,

We've recently noticed that the function 'LF_SCRIPT_ALERT' stopped working across all of our servers (operate approximately 100 servers in total).

Stopped working on Thursday 3rd March 2015 (date in Australia at the time).

There's only a single thing on that date that I can see has changed with exim - see:

Please note the log_selector function is set to default by cPanel:...

Hi,

I'm using CentOS WebPanel and after I upgraded CSF to 8.15, I receive this error when accessing the CSF GUI from CWP:

The requested URL /csf/cwp_csf.php was not found on this server

Is there a way to fix this?

Though regexes for port-scan detection at the start of pslinecheck are OK, a couple lower down do not allow for the square brackets which can follow the kernel: prefix. I can't remember now whether I was experiencing too many or too few blocks, but something wasn't working for sure! The patch below fixes it. I hope you're able to include this or a similar change in CSF/LFD.

---...

Hoping someone can help point me in the right direction...

I've developed a solution to generate a global list for both allowing IP's & denying IP's. Populating the csf.gdeny works perfectly, every seven (7) minutes the server calls for the file reads it and blacklists the IP's.

Unfortunately, the server does not seem to be releasing IP's that have been removed from the list. csf.gdeny no...

Hi,

we're mounting a backup drive over NFS on a private network. This network is connected through a separate VLAN on a failover bond with two interfaces. When I add bond0.821 to csf.conf:ETH_DEVICE_SKIP I get this error message on csf -r :

*WARNING* ETH_DEVICE_SKIP device not listed in ifconfig

*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
root@host03 #...

None of these files exist

my @files = ( /var/named/chroot/etc/named.conf , /etc/named.conf , /etc/bind/named.conf , /var/named/chroot/etc/bind/named.conf );

we use dnsmasq

but still get Check for DNS recursion restrictions

(dnsmasq is set to only lo / 127.0.0.1)

It appears firewall removals are not flushing iptables with v8.02. Even after removing, flushing stopping CSF the blocks are still there.

/etc/init.d/iptables stop
csf -r

is working as a work-around in the interim.

Do not check double of the added IP address (-p port).

csf -td 89.222.186.1 -p 80
DROP tcp opt -- in !lo out * 89.222.186.1 -> 0.0.0.0/0 tcp dpt:80
csf: IPSET adding to set
csf: 89.222.186.1 blocked on port 80 for 3600 seconds inbound

csf -td 89.222.186.1 -p 80
DROP tcp opt -- in !lo out * 89.222.186.1 -> 0.0.0.0/0 tcp dpt:80
csf: IPSET adding to set
csf: 89.222.186.1 blocked on port 80 for...