Now I have a server under my hand with csf with DENY_TEMP_IP_LIMIT=250.
250 entries are enough for about 4 minutes of denies, and then they are rotated out.
But it should deny IPs for 120/60/30/5 minutes...
Is there a way to support ipset for longer denies?
Problem: Unable to get updates automatically using csf -u, although manually downloading and reinstalling works. Both mode 1 and mode 2 updates fail. LWP and Tiny are installed, and all other software (wget, cpan, apt) use the proxy successfully.
The csf code is not reading or using the environment-set proxy information. Calls to get the updated package occur in URLGet.pm - function urlgetLWP...
It seems that csf runs csfpost.sh with sh instead of just using the shebang that was specified. This causes some unexpected behaviour if you need more logic in these files.
I can only reproduce this on Ubuntu, CentOS has no problems. I've added the following code to csfpost.sh:
#!/bin/bash
# The test condition was missing from the posted snippet; checking for
# BASH_VERSION is a reconstruction of the intended "am I running under bash?" check.
if [ -z "$BASH_VERSION" ]; then
echo "Please do not use sh to run this script ($0)"
fi
Hi,
I had an issue with the firewall blocking a client whose password was changed and her phone kept trying to log in, triggering the bad login attempts. Since the firewall on the server changed, it took me a while to figure out that that is what was happening.
I think the firewall should not have blocked her IP over the cell phone issue. If making a brute force attack, one would not use the same...
Just wanted to give you a heads up in case you haven't seen this yet:
Previously when I last looked at the new databases they didn't support ASN lookups but it looks like they have added GeoLite2 ASN support now (in a separate database):
Hello,
The option for blocking distributed SMTP logins is very useful, but some advanced option is necessary to permit the automatic block of one email account involved in more than X continuous distributed SMTP logins.
For example, I have configured the distributed SMTP logins detection to 3 different IPs. Recently I received from my server over 15 continuous mails alerting for distributed SMTP...
I know that this has been bounced around in the forums for a while so I thought it should go in the suggestions area. We are seeing more and more servers with docker installed and it would be nice if CSF played nice with it out of the box. Basically all that needs to be done is detect if docker0 interface is present then add rules like the ones below. These are the rules that we normally add to...
Now with the recently added cluster actions, the only action that we are missing is cluster ignore. Would it be possible to add? (I'm thinking the reason that it wasn't added was because the login failure daemon would have to be restarted after )
We're using CSF + LFD on many servers, with great effect ;)
One thing that could be improved in my opinion, is the detection and blocking of slow brute-force attackers, i.e. logins with long intermittent pauses, but continuing over long periods of time.
We know the effectiveness of detection of burst attacks, when more than LF_ login failures occur within LF_INTERVAL....
One class of malicious user/uncooperative person is the prober. This is the source of most traffic on my websites, and consists of trying to find weaknesses to exploit.
Typical accesses are to files and directories with names like these:
I'm not sure exactly how to call it.
I have the same problem on multiple servers. We are giving email services to a company which has 10+ people working in an office. The office connects to the internet via a NATing router, so everybody is seen coming from a single IP.
Now if a single person fails his password a couple of times from , that IP will be banned, and everybody will lose access.
So...
A few weeks ago I upgraded my system from Debian Jessie 8 to Debian Stretch 9, but until yesterday I didn't notice this issue. I tried to connect to an external FTP and I can connect, but it is not possible to list the directory contents, which is strange because before the upgrade, with the same CSF conf, I was able to connect to this FTP. I double-checked the CSF conf and port 21 is in TCP_OUT, SPI...
Starting yesterday, all of our cPanel servers are getting hit with a massive amount of SMTP Authentication failures, from distributed IP addresses. Yesterday alone, we are seeing over 8000 different unique IPs involved in these distributed attacks.
The flood of LFD emails caused us some email issues. I tried to disable SMTP AUTH failure emails, or at least route them to a different email...
Nearly all of my servers that run Exim are constantly being attacked by remote nodes trying to brute through an AUTH command before advertised. Every day I get a big list of AUTH command used when not advertised in logwatch.
On a daily basis I'm blacklisting these remote nodes, because I know for certain they are scanning for open relays. Quite a big giveaway is also the HELO being...
It's possible to do this from a simple bash command, but it might be useful to less skilled users to have an option where LFD can also add an IP ban to Cloudflare when the user provides an API key.
It might be too much to maintain for permanent rules; maybe make it part of the tempban feature?
When the feature is enabled, csf -td or csf -tr could also do the API call to Cloudflare.