Hi, I'd like to suggest that while using a single LF_INTERVAL is OK for most login failure checking, it might be necessary for the distributed SMTP checking to have a shorter interval.
In order to tighten things up recently we've had to increase LF_INTERVAL to block IPs over a longer period of time, as the trend from spammers seems to be to re-use the same IPs less frequently, to avoid these...
I also have some IPs listed in csf.allow and lfd.ignore. It seems that every time someone sends ONE email from any of the ignored IPs, an entry is added to the lfd.log file (below).
Not sure if this has been posted, but are you thinking about doing some graphics/statistics on temp/perm blocks taking place? Like time of day, day of month, protocols, countries, etc.?
Not sure if this is the best way to solve this but it's impossible to see changes in slow queries on the graphs when the scale for the regular queries is so high.
Slow queries appear as a flat red line next to zero on all our graphs because it's an average per minute, which is almost always 1 per minute when calculated that way.
Instead I'd like to be able to have slow queries as cumulative...
Would it be possible to add a disk latency/response graph to the statistics pages? A metric and history of latency would be useful for people running cPanel on VPS where disk contention is more of a performance issue than many other things.
Average and perhaps peak disk latency would be most useful.
When I run the security check, it gives a warning that I need to disable LOAD DATA LOCAL. I have local-infile=0 in my.cnf under the msyqld section, and Virtualmin's MySQL webmin module reports under system variables that local-infile is off. I've restarted the server a number of times but CSF still reports that I need to disable it.
I love the script actions for various alerts, i.e. load alert for example. Would it be possible to add these in for script alerts and relay alerts as well? I could add it easily myself, but it would be overwritten on updates. We would like to do a little bit of automation after these alerts occur and that would be a great feature to have.
I use CSF Firewall on multiple generic boxes/networks (without cPanel) and I think it's great! It saves so much time and hassle. I even use it on the router for my home LAN. Many thanks to the devs.
Unfortunately some of the networks I'm on do not yet have native IPv6, so instead I use a tunnel service like Hurricane Electric tunnelbroker. Using a tunnel adds an additional interface to the...
On the check security page it warns you about the lack of a register_globals = Off line, but in PHP 5.4 there is no such setting anymore. So the warning is not right in PHP 5.4.
Our server has been grinding to a halt because of brute force login attempts on POP3 and CSF isn't detecting it.
Example of mail log:
May 1 03:49:17 vendsmart dovecot: auth(default): pam(alex,::ffff:205.217.244.10): PAM child process 7194 timed out, killing it
May 1 03:49:17 vendsmart dovecot: auth(default): pam(customer,::ffff:205.217.244.10): PAM child process 7205 timed out, killing it
May 1...
We use csf+lfd and the DirectAdmin Bruteforce detector. When the DA bruteforce detector detects something, it runs this command:
csf -d $ip Added by DA BruteForce monitor
We noticed that with this method csf.pl does not check the csf.ignore but only the csf.allow. As the bruteforce detector is a bit like lfd, I would assume in this case it should also check the csf.allow and the csf.ignore...
On June 12, 2012, Spamhaus added an extended DROP (EDROP) list to be used along with the DROP list. The EDROP list is located here - . Information about the list is here - .
If cPanel's webmail and cpanel proxy subdomains are enabled, an attacker is able to try unlimited attempts through those subdomains, since CSF does not block port 80 (it only blocks 208X, 209X ports).
Hi to everyone,
First, I'd like to thank the developers of CSF for the efficiency of this system, and I'm here to offer an improvement to their code.
Well... At my web hosting company I created a modification for my csf to send a netstat table report when the load average is too high.
I believe that this information is useful, especially in case of a DDoS attack if you can know which IPs are...
There appears to be a new style of hack against POP, mostly coming from Romania, that is playing a long game.
Usually a script/bot will try random username/password combinations in rapid succession to try and break in to an account. This can be stopped easily by LFD.
I've been noticing the same IP failing for a large block of logins and it appears that instead of trying to break into one...
I had a problem with 535 incorrect authentication in exim mainlog not being picked up. I did some research using a regex tester and the Exim SMTP AUTH line from regex.pm (5.54 version) which is: ^\S+\s+\S+\s+(\S+) authenticator failed for \S+ (\S+ )?\ :(\S*:)? 535 Incorrect authentication data( \(set_id=(\S+)\))?
The choice of log selectors enabled in Exim will definitely impact whether...