ConfigServer Community Forum

EXPECTED:
PT_SSHDHUNG is supposed to kill sshd: unknown and sshd: unknown processes.

PROBLEM:
It doesn t kill sshd: unknown

SOLUTION:
Change the following line in lfd and add a test with SPACE at the end just like this sshd: unknown <-- note the space at the end.

from
if ($cmdline eq sshd: unknown or $cmdline eq sshd: unknown ) {
to
if ($cmdline eq sshd: unknown or $cmdline eq sshd:...

While mailscanner does not provide protection for outgoing spam I guess it could send some alerts when the EXIM queue size reaches a size that could suggest spam is being sent

Your netblock function counts number of block episodes within a class.
I would like one that counts by number of unique IP addresses within a class.

So this didn't work as *I* had intended- by your mentioning ddos mitigation it is clear that you meant this to be use against rapid fire bombardment. I, on the other hand, thought it would be useful to block repeat offender bullet-proof type hosting...

I would like to exempt alerting for our own activity in SSH - we keep a window open all day for quick access.

This results in wasteful emails all day
Subject: lfd on XXXXXX: Excessive resource usage: XXXXX (19422 (Parent PID:19420))

Time: Mon Oct 2 07:00:11 2017 -0400
Account: XXXXX
Resource: Process Time
Exceeded: 407508 > 1800 (seconds)
Executable: /usr/bin/bash
Command Line: -bash
We don't...

I want to be able to include command separated port numbers in the csf.deny file

For example I have the following:

tcp|in|d=80|s=89.248.160.0/21 scannerbots googlemapsexploit QUASINETWORKS SEYCHELLES - do not delete - Tue Apr 11 14:49:02 2017

And I want to block port 443 too

tcp|in|d=80,443|s=89.248.160.0/21 scannerbots googlemapsexploit QUASINETWORKS SEYCHELLES - do not delete - Tue Apr 11...

Hello, we are using lot's of nat in 10.0.0.0/8 for our servers. is there a possibility to add bogon network blocking to only some interfaces?

like we have a public ip on eth0 but on eth1 and eth2 we have 10.0.0.0/8 addresses. on eth0 we want bogon network blocking.

greetings from holland and many thanks.

Dear developers,

Webmin is switching to SPA. We need to inject certain triggers for module to operate correctly.

At the moment we have in CSF the ability to inject stuff into head section and before the closing tag (footer).

We also need the ability to add `data-*` attributes to ` ` tag and most importantly ability to inject tags/containers into the body tag.

Is this possible that you could...

Im using ConfigServer MailScanner Front-End where client IPS can be blocked by adding an entry into csf.deny. Ive been blocking the IP's for the persistent low scoring spam emails.

It is my understanding that due to the upper limit of IP's in csf.deny, the IP's for blocked emails will eventually get rotated out of the file.

Would it be worthwhile to consider having a separate file that could...

If the messenger is never enabled then the file /var/log/lfd_messenger.log is never created and you get this cron.daily error emailed to you:

etc/cron.daily/logrotate:
error: stat of /var/log/lfd_messenger.log failed: No such file or directory

I believe that adding the option missingok to the logrotate lfd_messenger.log entry will allow logrotate to skip the log file if it doesn't exist.

Hello,
The 99% of my distributed smtpauth attack alerts are for 535 Incorrect authentication . It would be nice if the alert is sent only when successful access to the email account is detected.

CF has a 403 / 404 block can we consider a 401 block as well please.
too many 401 attempts is a sign of server attack

see

Hello,

In the csf.blocklists file, there's an entry:

OPENBL|86400|0|

I believe this entry should be considered for removal. The base_30days.txt file no longer exists, and by visiting and searching the internet (ie, openbl.org's twitter page), it appears the company has gone under, for financial reasons.

When the openbl.org blocklist is enabled, in the /var/log/lfd.log file, every 30...

Greetings, CSF Team.

In its current form, CSF (when configured to also block outgoing connections) will add IP blocks as a DROP rule for outgoing conncetions. Outgoing connections should never be dropped. This can lead to a myriad of issues in the right environment, and at least a few issues in most environments.

A DROP rule in iptables does not send an error/rejection packet back to the...

How about a feature to permanently block IP by putting them in something like csf.pdeny
Right now if the deny_ip_limit is set at 100 and then if all the 100 IPs are filled up and CSF starts removing from the oldest IP blocked order the ones at the top get removed. But there are certain IPs which I would like to keep permanently blocked even if the limit has been reached and csf removes the oldest...

Here is the snippet from /var/log/secure

Sep 16 10:57:47 s3 proftpd : 10.10.10.10 (119.18.153.66 ) - USER admin (Login failed): Incorrect password
Sep 16 10:57:54 s3 proftpd : 10.10.10.10 (119.18.153.66 ) - USER admin (Login failed): Incorrect password
Sep 16 10:57:58 s3 proftpd : 10.10.10.10 (119.18.153.66 ) - USER admin (Login failed): Incorrect password
Sep 16 10:58:01 s3 proftpd :...

Create a field in CSF UI where you can input custom ip rules.
Ideal would be to click some options as connection limit, rate limit, inbound, outbound, ports, etc.

I came to this idea after searching for a way to limit 1 ip address which is hammering my server. But I don't want to block this IP nor do I want to limit all ip addresses in general.

It would be nice if we could white list countries so that they don't get blocked by the failed logins, most of the times our customers setup Outlook or similar clients and after an email password changed IMAP / SMTP blocks them.

Since most of the time hackers use compromised servers or anonymous proxies on USA, China, Germany... it should be easy if we could avoid LFD to act on IPs based on...

Hi all,
I wondering if I have something forgotten in my configuration for my cluster set-up?
Cluster_Sendto has all 4 IPs, Cluster Recvfrom, all 4 IPs, Cluster block = on, Cluster config = off
Same config on all 4 servers.

4 servers are in the cluster, it works partly fine, but it is not blocking IPs from LFD. and Network Classes.

- cping command PONGS! happily back,
- lfd cluser members are...

Hi,

thanks a lot for this CSF 10 upgrade, really great new options and ability for the users to unblock themselves.

I've tested it and it works ok, but when the user successfully unblocked, shouldn't he seen a page about you're now unblocked and could proceed to : the requested url that blocked him at first ?

My question/suggestion is to know if we can have a way to propose a translation of...

I was trying to setup some of the new CSF MESSENGER_HTTPS features but LFD can't find the SSL certificates on a Plesk server for some reason. Any ideas?

Feb 28 09:57:33 web6 lfd : MESSENGER: Error starting HTTPS service: No SSL certs found in MESSENGER_HTTPS_CONF location
Feb 28 09:57:33 web6 lfd : MESSENGER: HTTPS service temporarily *DISABLED*

I tried setting MESSENGER_HTTPS_CONF to...