ConfigServer Community Forum

I've installed on non cpanel running exim but LF_SCRIPT_ALERT isn't able to be used, am I missing something?

Ok, we have now: Lfd Ignore,
The following IP addresses will be ignored by all lfd checks.

Would it be possible to ignore an IP, with a specific service,

ex.: we have an IP, wich wants to connect more than 75times/hour to POP3, it is not an ultima solution to ignore the IP at all lfd checks,

like: pop3:IP

or there is an alternative solution for this?

The new cPanel WebDisk facility occasionally throws up suspicious process emails when people use it. It may be worth adding its process to the ignore processes list if you let customers use it.

This is whats needed inside the process ignore list:

exe:/usr/local/cpanel/cpdavd

David

It would be nice if I could move certain logon failures to a timed list so that they would clear in a specified time.

We never remove SSH failures but FTP, SMTP are often legit users that for whatever reason get themselves locked out.

If we could set this list to clear at certain intervals, it would make life a bit easier and at the same time, anyone trying hack in is going to be long gone...

Any plans to port any of your scripts to ISPConfig by chance?

CSF already does a nice job watching the exim_mainlog file. Many of us have also setup WHM to not allow any domain to send over x amount of emails per hour. When a spammer gets on the server and attempts to do so it is logged in exim_mainlog. It would be a great help if CSF could also check for multiple failures of this limit by checking for excessive sending attempts as well. I think that this...

Hello,
I believe a very handy thing would be a command line option in csf for removing a certain ip from the csf.deny file.

I noticed that filtering based on UID or GID of source packet in csf.allow works only if d=port is specified.
I think it would be nice to make s/d=port setting optional (unless you had a good reason to design it like that)

Relevant code in csf.pl:line 852:

if (($uid or $gid) and $dport) {

should be

if ($uid or $gid) {

Cheers

You can set PT_USERPROC to send an email when X number of processes have been exceeded but there is no option to kill those excessive processes.

Suggest this option be included, similiar to the way PT_USERMEM and PT_USERTIME are setup.

Also it would be ideal if you could specify specific processes or exclude specific processes for PT_USERPROC by using the path to the executable.

For example if...

Hi Chirpy

Love your CSF and LFD

Is there any way to have an email sent to either the server administrator or maybe even a field setup within CSF admin page, so that when your upgrade button appears in WHM it would email telling you an update is available.

Not sure if others would benifit from this but hey worth asking.

Thanks in advance.

Wayne

Hi,

I tried to blocked any incoming packet with destination port 22, with source IP is not 202.0.0.0/8. i've tried to insert:
tcp:in:d=22:s=!202.0.0.0/8

but it doesnt work :D or i just missconfigured it ?

If it's not been supported yet, could you add this kind of notation (negating an address) ?

TIA

great work!

Is it possible to add a new feature to CSF so that if an IP address is blocked due to exceeding the CT_LIMIT (Connection Tracking Limit) the email produced actually contains details of the connections in progress.

For example, instead of just:
From: root
To: root
Subject: lfd: 12.34.56.78 blocked with too many connections

Time: 04/Jan/2007 13:24
IP: 12.34.56.78
Connections: 400
Blocked: 3800...

Apparently, Security-Enhanced Linux (selinux) isn't as secure as the title implies... :eek: - see post by katmai:

Would it be worth adding another check in the csf Server Security Check to warn if selinux is enabled?

(also, could this be another item addressed by the CS Server Service Package?)

I love the fact that I get an email when the load goes high and it includes the process list from TOP

What would make it even better is if the list that was emailed could be sorted by CPU usage - since thats the priority of the email ...

Keep up the great work

It would be nice if you could set which BLOCKS you would like to be PERM and which TEMP. The items requested with this option would be:

LF_SSHD; LF_FTPD; LF_POP3D; LF_IMAPD; LF_HTACCESS; LF_MODSEC; LF_CPANEL; LT_POP3D; and LT_IMAPD.

Currently you please a postive number in the option for these. What if CSF looks at the number and if it is positive then it is a PERM BLOCK and if negitive it is...

Hello,

Firstly, thank you so much for this script! It is excellent!

Personally I have shut off the cPanel mod_security plugin and installed mod_security myself. This way I don't get cPanel scrubbing the audit_log every hour. Your script does a far better job of displaying more information about each potential attack!

I wonder though for someone that has little to no idea about these things,...

Hello,
i have dedicated server and install csf and lfd

will time i upload one shell c99 on server and run them,and in part :: Command execute :: and enter cat /var/cpanel/accounting.log, i can see all user and all site in my server

and if i enter command ls /home/ /public_html i can enter to any user that want

Do you have away ?
i close them,until hacker can`t see all site and see all files...

Maybe adding a feature on setup to enable/disable CSF frontend on WHM be helpfull for those dummies that get managed Dedicated or VPS, so we can disable frontend for those that do not know how to deal with it.

Hi Chirpy :)

I changed your regex.pm a little to not block all mod_security related entries as some IPs were getting blocked for Access Allowed , for example :p

My rule is now :
if (($config{LF_MODSEC}) and ($line =~ /\ mod_security: Access denied/)) {
return ( mod_security triggered by ,$1, mod_security );

But I guess it will be overwritten with the next csf update... maybe you could...

Has anyone tested CSF on Debian?