ConfigServer Community Forum

HI there

I am trying to block

202.46.0.0. - 202.46.255.255

with

csf -d 202.46.0.0/16

However, my client is still complaining that these IP are trawling the site and I can still see them attached to the server

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1 122.225.109.220
1 202.46.49.101
1 202.46.50.128

any ideas what I am doing wrong?

I currently run my own blocklist using fail2ban and a few parameters to catch Wordpress brute force.

fail2ban adds the entry to csf, and also populates a file that I keep as my own block list. This file is entered into csf.deny so it's reloaded upon csf restarts.

I'm looking to expand this list to mysql. Is it possible to have an ip block list using mysql?

Looking at your ip blocklist...

Is there any way currently to include additional ip blocklists into csf.deny via external files?

I know csf.blocklists can download lists, but I am talking about local files that csf would not touch other than to import them when csf.deny is loaded

Such lists would be treated as do not delete by default.

Wondering if I missed a feature somewhere or have to request it.

Is it recommended to run csf/lfd and cphulk at the same time or is that just redundant?

Thanks,
Eric

Is there any way of getting high load alerts cced to a separate email address?

Basiccally I need to be alerted when the server becomes unresponsive to a separate email address that opens a support ticket with the datacentre so needa;erts for high loads only.

In theory if LF_BLOCKINONLY is set to 1, shouldn't the server be able to make outgoing http requests to another ip listed in csf.deny?

Because it cannot.

If 1.2.3.4 is listed in csf.deny and LF_BLOCKINONLY is set to 1, a wget to 1.2.3.4 will fail (where 1.2.3.4 is just an example obviously)

Or does the iptables rules created only allow the connection to function in one direction, so the http...

So I'm sure that's exactly what's happening. My question is can the users see the impact of this. I have a fair sized server but with one major website that probably should be on it's own server. They are selling videos - not streaming - just video downloads.

I get these messages all the time:

Time: Wed Nov 26 08:56:47 2014 -0500
Account: llpubco
Resource: Process Time
Exceeded: 5423 > 1800...

I have explicitly allowed an IP in /etc/csf/csf.{allow,ignore}. I understand allowing in /etc/csf/csf.allow will allow the IP to reach all ports on the server, while /etc/csf/csf.ignore should prevent LFD from blocking the IP. Upon client's request due to a lot of attempted accesses on server we have Country Code blocking enabling only a few local countries and an exception or so for developers....

Hi Folks,

I have a WHM server running CSF that has an intermittent DNS problem.

Here are the symptoms.

..............
ping dns1.xxxxxx.com -t

Request timed out.
Request timed out.
Request timed out.
Reply from xxx.xxx.xxx.xxx: bytes=32 time=15ms TTL=57
Reply from xxx.xxx.xxx.xxx: bytes=32 time=16ms TTL=57
Request timed out.
Request timed out.
Request timed out.
Reply from xxx.xxx.xxx.xxx:...

Hello,
I run CSF/LFD on several cPanel servers. I'm very happy with it and LFD always emails me whenever an IP tries too many logins and triggers a temporary block.

I was asking myself (and now asking you guys :) ) if there's a way to make CSF/LFD also run a script when it blocks an IP, so I can collect blocked IPs in a database for further analysis.

I read the docs but I can't find a clue...

Has anybody started to recently get Excessive processes and Suspicious process message from LFD regarding the prelinking of /lib64/libfreebl3.so?

These appear to be running under normal user accounts, i.e.:

lfd on host: Excessive processes running under user user1

User:user1 PID:10116 PPID:10099 Run Time:7(secs) Memory:1832(kb) exe:/usr/sbin/prelink cmd:/usr/sbin/prelink -u -o -...

I want know about CSF messenger service. what it is and how it works ?

I have CSF installed on all server and since last month I am receiving attacks with 15~30Mbps traffic and with CSF enabled the server crash, I need to access with KVM and disable the CSF than the server back to respond.

I am already enable SYN flood protection but not resolved.

Changed the size of tables of conntrack and not resolved(echo 65535 > /proc/sys/net/nf_conntrack_max). The server have...

Hello,

on an Linux CentOS 2CPU core OpenVZ VPS

one of the top processes returned by linux top command are:

lfd - scanning log files
lfd - (child) closing
lfd - (child) Statistics..
lfd - (child) Process tracking

even couple of same processes at same time

Please why it takes too much CPU? Which commands to do?

Hi,

I have 3 servers at different locations and i have different csf.deny on all of them. i want to implement a kind of central database server for all of these servers for blocked ips. also for the csf.allow.
what will be the easiest way to do that?

thanks

hello,

since I added country CA & US to CC_allow_ports , when CSF restarts, I receive that error:

csf: FASTSTART loading CC_ALLOW_PORTS (IPv4)
csf: FASTSTART loading CC_ALLOW_PORTS (IPv4)
CC_ALLOWP all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
Error: Connection timeout! at /usr/sbin/lfd line 7422, line 61....

Hello,

With LF_FTPD does csf/lfd check number of connects/disconnects on FTP port ?

I have 722 lines of connects disconnects inside a 10 min period that happened today (13-Nov-2014). csf/lfd was running when this attack took place. I might have left something out in csf/lfd config for this to be dealt with.

What settings do I need to tweak to deal with this ?...

Hey there,

I'm getting TONS of RELAY Alert emails for one of my servers and can't for the life of me figure out where they're coming from. The emails state:
=======================================================================
Time: Thu Nov 6 18:22:06 2014 -0800
Type: RELAY, Remote IP - (US/United States/ )
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2014-11-06...

I had an account that got sent a load of emails all of once (about 100) and lfd picked this up as relayed mail.

This has happened a few times.

Is this expected behaviour?

I need a rules to direct port 80 to port 8080 on the loopback interface, but the rule CSF generated excludes loopback (!lo). Is there a way I can have
iptables -t nat -I OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports 8080