It would be really nice if we could detect massive pure-ftpd non-TLS connections. Yesterday I had a log file of about 25k login attempts trying to log in using a non-TLS connection, which I disallow. Is there any chance that you could add an option to track those messages and block the IPs if they exceed a certain number of error messages, such as 20?
Have you considered implementing in CSF Firewall an option to remove an IP entry from the temporary/permanent block list using a captcha?
For example, in an environment like a hosting server with cPanel, cases like a webmail block or control panel block could easily be handled by this type of solution.
There is already a messenger service which now gives information about the IP block, so it could be done...
Hi,
It is not a big issue, but when an IP is written into the search box, if the IP comes with spaces before or after it (when copying and pasting), csf shows an error.
It would be great if those spaces could be trimmed off.
I've been using CSF for a while now, it's been very useful and it's great at doing its job, but my server also has IPv6 addressing that it needs to have a firewall for. I have CSF's IPv6 firewall enabled and configured, that's working, but I'm having trouble adding IPv6 addresses into its config files.
It's possible to see the port reference for all IPs in View iptables log, but it would be much quicker to have it right in Temporary IP Entries, something like this:
Instead of:
DENY 222.189.238.144 * in 23h 55m 58s lfd - *Port Scan* detected from 222.189.238.144 (CN/China/Jiangsu/Nanjing/-). 3 hits in the last 135 seconds
Add the port number so it's easy to understand which port was accessed:
DENY...
I think it would be very, very good if CSF could be configured to block some manually defined IPs that are found on the local interface.
Imagine you have 10 IPs in your eth0-range0. You use all of them as intended but one. Imagine that you initialize a proxy server on one of those IPs. It means if you (or anybody else) try to do something against the server, like a port scan or...
I periodically get hammered by distributed attacks, usually against FTP and SMTP, where the bulk of the attempts are using accounts that don't exist on my server. It would be helpful, primarily to control resource consumption, to have an option to block these attempts on the first try while these distributed attacks are happening, without affecting the default settings for valid accounts.
It would be absolutely great to be able to set ASC or DESC order of the IP that are at Temporary IP entries.
For me, it makes more sense, when I go to Temporary IP entries, to see newly blocked IPs, not the old ones. Now, in order to see a new IP address, you have to scroll to the very bottom.
I think the IPs should be sorted DESC based on TTL, so when you go to Temporary IP entries, you see...
We use your product on a large number of machines (cPanel, Plesk, no-cp, etc). I'm very happy with the 'Check Server Security' option from the CSF menu in cPanel. As a suggestion for the (distant) future, it would be cool to be able to pass the csf binary a flag and have it output the security dialog (in plain-text) that cPanel users enjoy. As an addition, it could possibly strip out the...
It would be great if CSF supported wildcards for LFD log file locations:
E.g. /var/www/vhosts/system/*/logs/error_log
Some platforms like Plesk have separate log file locations per virtual host. I know that fail2ban supports wildcard log file locations when creating jails.
I believe that Perl supports glob functions so it shouldn't be that hard to add:
The current ModSec regex is in the file /usr/local/csf/bin/regex.pm:
$line =~ /^\ \ (\ )?\ ModSecurity:(( \[ ]+\])*)? Access denied with (code|connection)/)
This regexp fails to trigger on logged ModSec events when MPM_EVENT is installed, because the block changes to include the tid.
From:
To:
As a result, it's necessary to manually update the regex in the indicated file for...
Currently it appears that RT_AUTHRELAY_ALERT is tracking relayed emails by IP address.
However, most of the time when large amounts of email are coming through, it is due to spammers compromising a user account and sending from many different IP addresses. Because of the multiple IP addresses, RT_AUTHRELAY_LIMIT rarely ever gets exceeded and lots of spam gets through unnoticed.
The principle of operation is the same as detecting mailer scripts or changes in binary files. The script would notify you when files with base64 are uploaded and need inspection, or when symlinks are created within the /home directory. It is meant to help administrators quickly find websites that are vulnerable because of changes that need a closer look.