Have been trying to find a command to block an ip in the cluster but cannot seem to find it.
I use csf -d ip but how can I get that out to the cluster?
Are there any commands for that?
I've installed CSF but I've got a problem. I have a Django application that writes to my database if I make a POST on this url
If I make the request without the firewall it's all OK, but with the firewall active I receive a 502. I've looked in the syslog and it says:
OK, I have posted this before and still no luck. Any help would be great. Anyway, I only deal with about 7 countries and would like to block all others. So when I use either CC_ALLOW or CC_ALLOW_FILTER with these settings CA,CH,CN,DE,GB,TW,UM,US, the issue begins to arise in my main log. I'm getting some errors now and would like some help to get them resolved or a place to look and see how to get them...
The readme.txt file states:
To take advantage of kernel logging of iptables dropped connections you should
ensure that kernel logging daemon (klogd) is enabled. Typically, VPS servers
have this disabled and you should check /etc/init.d/syslog and make sure that
any klogd lines are not commented out. If you change the file, remember to
restart syslog.
I just installed a brand new DA server w/CentOS 6.5. There are no domains on this account yet the mainlog file is flooding with errors. I'm not sure why. I have no experience with CSF as previously I used APF & BFD.
Exactly where do you set the temporary ban duration? My temporary blocks are lasting only 60 seconds and I can't seem to find the place in the configuration to make it longer. I'm getting hit with excessive SMTPAUTH failures, and although my LF_SMTPAUTH setting is 5, the bans only last a minute and then the game continues...
I'm having a bit of an issue. I have setup a KVM VPS on my CentOS 6.5 which has routed networking.
I have a DNAT rule in the csfpre file which, as traffic comes in (PREROUTING), changes the external IP to the local IP. As the traffic traverses the iptables chain, it seems to be dropped (not rejected) somewhere in the FILTER FORWARD table. This is not being logged in /var/log/messages.
Background:
I like the way that CSF warns (via email) about excessive resource usage.
I have learned to use the csf.pignore file to ignore a process that I know is resource intensive.
For example, in csf.pignore I added cmd:spamd child and no longer get warnings about SpamAssassin running.
Problem:
Every night when my daily backups run I get many email alerts about...
Hello to everyone!
Is it possible to use CSF to allow access to a port only from certain IPs?
It seems to be a simple question, but I have not found an answer yet.
Let's say I have SMTP on port 110.
I want to allow access only from external IPs 68.192.172.14 and 85.5.39.156 (which means only these 2 IPs are allowed to send emails).
All other Ips must be blocked by default.
We have used CSF for three years and never had any problems. Great script!
For about 48 hours, though, there has been a problem with CSF running on Linux VPS servers (both with the node running 5.x and 6.5 of CentOS, and the VPS themselves running 6.5). This seems independent of the control panel installed in the VPS -- I see it in the case of DirectAdmin as well as cPanel.
I've got a server with multiple public-facing IPs, and I'd like certain services to only be bound on certain IPs. Services like SSH and FTP can simply be configured to only bind to a single interface, but I've got a couple stubborn ones that insist on binding to them all.
What I'm basically looking for is something like the TCP_IN option, but address-specific. For example, connections to...
I'm using a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.
I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.
If the server has a high load level, I get a nice little email that contains a snapshot of the running processes, vmstat and a dump of the server-status page.
The problem here is that our server-status page is behind HTTP password protection, so all I ever see in the report is:
Unable to retrieve Apache Server Status - Unable to download: 401 - Authorization Required