Hi all,
This thread is for adding working REGEX that we can share with the community. To add them to this sticky, you should have the regex working on your server; this thread is not intended to solve any issues related to non-working regex. The intention is to give CSF users REGEXs that could give CSF more security options.
If you want to collaborate, please add your rule to this thread...
If you have one particular IP address that is either dropped or accepted through the firewall that you think should not be, then you can use the new WATCH_MODE in csf.
Before enabling this option and using the CLI command to watch an IP address, check whether it is explicitly listed first using:
csf --grep 11.22.33.44
Where 11.22.33.44 is the IP address you're tracking. If that comes back...
If you get iptables errors when trying to start csf on a VPS then you most likely have missing iptables modules for your VPS.
If your hosting provider wants to know how to configure iptables correctly on a VPS server, then you should point them to this Parallels FAQ and have them follow it (plus to add ip_conntrack_ftp to the list of required modules):
I'm experiencing an issue where the custom firewall script csfpost.sh is no longer executed automatically, likely after the recent cPanel or CSF update on March 19, 2025.
Environment:
cPanel servers running CloudLinux 8 & 9
Imunify360 installed
ConfigServer Firewall (CSF) / LFD enabled
The script (/etc/csf/csfpost.sh) contains custom iptables rules, for example, to allow outgoing...
We have recently been having an issue with JetBackup restoration processes getting killed by CSF. If we disable CSF the restoration process goes off without a hitch. Troubleshooting with cPanel and JetBackup we narrowed this down to CSF killing the mongod process for JetBackup.
So per JetBackup support we placed exe:/usr/local/jetapps/usr/bin/mongod in the pignore file. This worked for a while but...
I'd like to test a custom rule in regex.custom.pm, what's the best way to test this manually, so I can debug it?
I added a print statement in there, however it's not being shown if I run /etc/csf/lfd.pl -f .
To spot some hacked websites and some viruses, I'd like to have a log of all outgoing traffic on a list of specific ports. Is this achievable in CSF or do I have to manipulate iptables directly?
I have an AlmaLinux 8 server running CSF + LFD, using ipset for a larger corpus. Load looked very, very high, and I noted in the web server logs that IPs which were blocked in CSF were hammering some of my domains. So I did a systemctl status on iptables. It responded that iptables was dead. systemctl status csf showed that CSF was running.
I did a systemctl iptables start, and load plummeted...
I recently added Abuse IP DB to my CSF blocklists file as I've seen an increase in web scanning, and all of the source IPs were listed on AbuseIPDB, so I figured it may be a good source to add to CSF blocklists.
I noticed some unwanted traffic this morning, and the IP was on AbuseIPDB, so I started digging and found that the csf.block.abuseipdb file in /var/lib/csf only contains around...
I received the following notice from LFD and usually when I get these it just means that CSF/LFD updated.
```
Time: Tue Feb 25 12:51:14 2025 -0500
The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:...
```
With latest version (14.23) can't log in to CSF UI any more, username/password is correct, /var/log/lfd.log
Feb 27 17:25:51 mhxxxxxxx lfd : UI: Successful login from 188.129.xxx.xxx
but after login, there is loop got same login page with other slug... for example
etc...
have tried with all browsers, 4 diff VM have same error, can't log in to admin panel
So we're running a Proxmox server with several LXC containers, Proxmox is Debian, and Containers are CentOS 7. We install CSF on both the Host and the Containers.
We configured everything properly and running 'perl /usr/local/csf/bin/csftest.pl' under the container gives OK on all tests:
CSF or LFD do not detect failed logins via email and do not send report emails.
Hi, I've been using csf for a while now and I've noticed from the journal logs that there are several failed login attempts via pop and imap. It seems that these, unlike ssh login attempts, are simply ignored.
cat /etc/csf/csf.conf | grep mail.log
POP3D_LOG = “/var/log/mail.log”
IMAPD_LOG = ”/var/log/mail.log”
The...
we have written rule in csf allow to only allow connection to port 25 from server ip but we are being able to telnet to this port from another ip
rule is written in csf.allow
tcp|in|d=25|s=server ip
tcp|out|d=25|server ip
our intention is only the server should be able to send and receive mails that is we created mail and from cpanel we login into mail and from there only we should be able to...