There's a lot out there about various methods to secure SSH access better.
But on a cPanel server, in my opinion, access to WHM gives the user a degree of privileges near that of logging into SSH via root. So I have a few questions for discussion.
First, let me set up the context for the application of these methods. It's a server that does not have to be HIPAA or FICA compliant. It just has one...
I am trying to configure the HTTPS messenger service to give an HTML error message when an IP address is blocked. It's working, but very slow. When I use httpie, I get the following error:
http: error: SSLError: certificate verify failed (_ssl.c:579) while doing GET request to URL:
With Firefox, it works, but takes well over a minute before the page loads. I have no idea where the holdup...
Hi,
CSF stops almost every night. I receive the following error message:
/var/log/lfd.log
Jun 19 03:20:16 server lfd : iptables appears to have been flushed - running *csf startup*...
Jun 19 03:20:18 server lfd : csf startup completed
Jun 19 03:20:18 server lfd : *Error* csf reported an error (see /etc/csf/csf.error). *lfd stopped*, at line 7146
Jun 19 03:20:18 server lfd : daemon stopped
Jun...
I use scanmyserver.com to do an audit of my server. I was looking through the ModSec logs and saw an IP address that was there more than five times, performing a scan. I was curious as to why csf hadn't blocked them. So I went into the GUI and searched for the IP and then realized the IP belonged to scanmyserver, however, the IP address is also listed in the GreenSnow blocklist.
If I wanted to whitelist my server's IPv6 local loopback address, do I need to whitelist:
::1/128
fe80::/10
Or would
::1/128
be enough? Essentially, is it a good idea to whitelist the link-local address (fe80)? Also, should it be fe80::/10 or fe80::/64? I'm still struggling a little with the IPv6 stuff.
So it didn't take me long to realize that IPs are not actually being banned when using Cloudflare because iptables isn't looking for X-Forwarded-For in the header (is this even possible?). So the attack comes from a Cloudflare IP, which of course is whitelisted, so the server is completely unprotected.
So after reading the documentation, I found BLOCK_REPORT which I can use to fire off an API call...
Hello
I have a mail user whose IP is continuously TCP_IN blocked for portscan.
When I look at the log it uses a MAC-destination:MAC-source:MAC-type combination that is always the same but with different IPs all over the world.
But my mail user says he has a fixed IP!
Does anyone know what is happening?
Thanks for your help.
Marc
Hi, I'm getting tens of thousands of emails per month from cxs and the subject for most of them is in the form of:
cxs on server.server.com (Hits:1)(Viruses:0)(Fingerprints:0)
Is there a way to get these reports only when a virus is detected?
The command that is shown in the email body is:
(/usr/sbin/cxs --allusers --nobayes --clamdsock /var/clamd --defapache nobody --doptions Mv --exploitscan...
I originally posted on to but realised it was marked as
We have the reCaptcha working on all servers except one. The one server shows Failed to pass human test. Please try again.
I can see that on all the other servers there is an unblock.txt file in each of the /home/csf/ directories. This non-working server does not have this file. I've checked that the csf user has permission to write to...
We have a CentOS 7 server where we are running CSF v10.04.
On this server we have Qmail as the MTA (part of Plesk 12.5) and it logs to rsyslog via the 'root' user.
I checked /etc/csf/csf.syslogusers and root is already included in the file by default. However, root does not get added to the mysyslog group as confirmed by the following command: