ConfigServer Community Forum

I have several websites made in WordPress. WordPress try to update itself regularly. When it happens, I received an email from the server for every website of this type:

Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php...

Hi,

Im using CC_DENY=RU,CN

but still I just got hammered with GET requests from a RU ip.

How come it is possible? :confused:

TY

Hi,

I'm seeing the following in my logs

Apr 20 14:08:43 squirrel lfd : Messenger HTML Service died, restarted
Apr 20 14:08:43 squirrel lfd : Messenger TEXT Service died, restarted
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8888: Address already in use, at line 213
Apr 20 14:08:43 squirrel lfd : *Error* cannot open server on port 8889: Address already in use, at line 213...

can anyone help me, i want block it for max 24h not perm.. but it even block it perm

# test for relay
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /reject(.*)\ (.*)\ (.*)\>/)) {
return ( Failed Relay_check from IP: $2 to: $4 ,$2, LF_SMTPAUTH , 2 , 25,143,110,465,993,995 , 3600 );
}

big thx to all my head smokes xd

Hi again.

I also wonder if it's possible NOT to block permanent (could block temporary) when the country of an IP is mine (Canada) and a rule is triggered? This way, it would have way less impact on my customer that keeps forgetting their password.

Hi to all. Good product, saved my life a few time !!
I'm now in fine tuning mode, trying to filter real alerts from all alerts.

I want to know if it's possible to NOT receive this alert when and only when it's from my IP (69.66.66.66):

Time: Sun Apr 16 10:52:57 2017 -0400
IP: 69.66.66.66 (CA/Canada/fakeptr.ca)
User: root

Hi,

I´m trying to ignore the following type of alert:

Time: Mon Apr 17 03:43:59 2017 +0200
File: /tmp/.xcloner-b80c1
Reason: Suspicious directory
Owner: myuser:myuser (563:575)
Action: No action taken

All alerts start with /tmp/.xcloner-

I have added this to csf.fignore but no go:

/tmp/\.^xcloner

any help?

Hello,

I realize this is 100% out of CSF's hands but because of some lack of support for ipt_owner in virtuozzo7 CSF now errors on all installs.

Error: iptables command failed, at line 2665

There is a bug report opened for this:

so for now, I need to know how to disable/remove this line from CSF

I have SMTP_BLOCK = 0

but am not sure what to disable in csf.conf to remove that one line from...

Hello,

I have MESSENGER html template working perfectly on 80, but can't make it work via HTTPS.
Tried this settings:
MESSENGER_HTTPS = 8887
MESSENGER_HTTPS_IN = 443,2083,2096 (also doesn't work when this is left empty)

Going to shows the block template, while timeouts.
I use latest CSF and latest cPanel 62.

Any ideas?

Thank you! :)

Greetings,

Why I don't get a notification for root accessing WHM ?
I have confirmed also via exim mail log , there is no alert for WHM root access.

Also I have contacted cPanel support team just to confirm if they can detect the issue, they replied:

---

This is indeed very strange. I'm seeing that no login alerts are even trying to be sent now. However, LFD is sending other alerts to root...

Hi
Me Install CSF in DirectAdmin.
But check site (ctrl+f5) try 4-6 next block my ip
me add ip in allow list but not show site and DirectAdmin.

sorry bad lange.

Hello!

I am trying to setup CSF on my VPS and love how powerful and versatile it is. I have been able to customize it a bit for my applications (Auto-bans, Wordpress logins, etc.), and it has been stopping a lot of naughty traffic thus far.

Although it is stopping all of these break in attempts, i am curious which users (or domains) generate the most hacking attempts. Would it be possible to...

Unable to connect to retry in 94 seconds. An Upgrade button will appearacne here if new version is detected

The current version is currently working on DirectAdmin is Config Server & Firewall Security - csf v9.10

It may be possible that that button only appears when a software update is available ???

The first set of lfd blocking statistics Blocks by lfd in last 24 hours and Block triggers in last 24 hours show stats from 11 days ago and not latest 24 hours. Yesterday showed same stats from March 2 (etc).. Other graphs are correct. Error confirmed by comparing with csf.deny file. Not critical but it is annoying.

:( Specs:

- DDos from facebook

- User-agent
173.252.124.57 - - GET / HTTP/1.1 444 13710 - facebookexternalhit/1.1 (+

OS: Cloudlinux 6
Panel: Directadmin Custombuild 2.0

Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Log in audit log security
--64513437-H--
Message: Access denied with code 444 (phase 1). Pattern match...

Hi guys

I'm using csf v10.05 to block brute force attempts and it's working well but with one minor issue:

It's also blocking genuine access to the websites.

I'm using the CC_DENY = country codes here and I was mistakenly under the impression it would ONLY block WHM or root level access through SSH.

Is there a better solution to what I am doing...? Could I for example whitelist my country and...

Hi,
I been running my server without any issues for over a year now.
Starting a couple days ago I started receiving this: Excessive resource usage: rpcuser every hour out of no where.
I understand I can add this to the ignore list but I just wanted to see if anybody knows if this is some kind of hacking attempt or if the server may be compromised in any way.

Thanks for any help.

Hello

Im using OpenLitespeed (last version) with CentOS7.
I'd like to block offending IPs but sound like that, following this im unable to do that.

I've configured OpenLitespeed to put logs in the form of vhost1.access.log vshost2.access.log in /usr/local/lsws/logs/vhosts/

Here's an example

444.444.444.155 - - GET /xmlrpc.php HTTP/1.1 404 655 - Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)...

Hello all.

I have a fully dedicated VPS with GoDaddy. The only thing they manage is the physical server the VPS resides on and ensure that my VPS is up...I am 100% responsible for all configurations, maintenance etc. I downloaded CSF and installed it and then ran the ./csftest.pl script to see what its doing, I get the following:

# ./csftest.pl
Testing ip_tables/iptable_filter...OK
Testing...

In my log file I have seen someone to brute a lot of vulns, there are over 256 entries, but they only try twice for each attack, then try another vuln.

However the string of
x=upload&mode=upload&upload=&ssp=RfVbHu&u=&action=upload&chdir=./&do=upload&pass=wcwc2016&login=go%21&H=
is always present.

GET...