Our new CloudLinux 7.1 VPS has an extra warning when running Check Server Security...
Check for dhclient: dhclient appears to be running which suggests that the server is obtaining an IP address via DHCP. This can pose a security risk. You should configure static IP addresses for all ethernet controllers
Here is our /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE= Ethernet # same as previous...
I use ipset on my CSF. (When LF_IPSET = 0, iptables works perfectly!)
I've been trying a simple disaster scenario. According to my scenario, I should block all countries except one to reduce the effects of a DDoS attack.
After I set the CC_DENY and CC_ALLOW parameters as an example, I checked whether it works or not. Unfortunately, it didn't work.
I have used CSF on quite a few VPS machines. However, I am seeing this error in the lfd.log every few minutes:
*Lock Error* still active - section skipped
The error occurs for LF_DIRWATCH as well.
I have tried to increase the intervals, but the error still occurs (I did do a restart). Oddly, I use almost the same configuration on every server and I have not seen this error before. Any...
When SMTP_BLOCK = 0, but SMTP_ALLOWLOCAL = 1, attempts to connect to a port on the SMTP_PORTS list by a user not in SMTP_ALLOWUSER are actually redirected to the loopback device.
I'd suggest that either SMTP_ALLOWLOCAL = 1 be ignored when SMTP_BLOCK = 0, or that the description of SMTP_ALLOWLOCAL be clarified. The description presently reads enable this option to allow outgoing SMTP connections to...
Can someone explain to me what it means and what I should do?
This IP from RU did this several times on the server on a website with a WP install.
I am relatively new to CSF and server administration.
Any help will be much appreciated!
thx
JC
Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.
These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.
The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).
I have a question about the operation of the system CSF firewall vs. cPanel's IP Deny Manager.
Say we host 30 domains, and say that two of the domains we host are getting hammered by a single IP - 221.231.103.199
That IP is part of a /24 originating in China.
Now the owners of the domains can go into cPanel IP Deny Manager and add 221.231.103.0/24 in order to block all IP addresses in the /24...
We have CSF and cPanel and have been using it with good results for years now.
We have a new issue our datacenter is giving us a hard time about (and we understand it). We have a CMS installation that is attempting to exploit remote WordPress installs by brute forcing. The offended servers are complaining to our datacenter (understandably so) and of course our datacenter wants this to...
I have configured the following setting in CSF/LFD:
# Enable login failure detection of DirectAdmin connections
# This option also detects login failures on DA for Roundcube, SquirrelMail and
# phpMyAdmin if installed and logging enabled via CustomBuild v2+
#
# If you do not want to scan for one or more of DIRECTADMIN_LOG_*, simply set
# the respective option to
LF_DIRECTADMIN = 5...
Just a quick note here; I noticed that while LFD was blocking some pure-ftpd bruteforce attempts, there were still times when my server was getting hammered repeatedly. Pure-ftpd logs in /var/log/messages, and the bruteforce attempts that were not being blocked looked like:
Apr 13 23:41:32 brightstar pure-ftpd: (?@84-241-32-107.shatel.ir) New connection from 84-241-32-107.shatel.ir
Bit of a noob question: each time I log into the VPS, I get a root login notification email. It gets quite annoying and fills my inbox. I would like to basically allow my IP so that it will not cause this root login notification if it's from my IP address; of course, any other IP address will give a notification.
Hi, I was just wondering if when I ban an IP, does it just get banned from being able to log into our WHM or does it ban them globally from the server, including all domains and WHM.
I am using some blocklists from several weeks ago, and now I wanted to test OpenBL. I have uncommented the line in order to use it. Here are my csf.blocklists lines:
# OpenBL.org 30 day List
# Details:
OPENBL|86400|0|
First of all, I don't see any new file at the /var/lib/csf location, such as csf.block.OPENBL or something similar. So I suppose it is not blocking based on that list....