ConfigServer Community Forum

We are trying to block access to a web server when there is no user agent and not referrer. Example log lines look like this;

40.##.##.## - - GET /wp-admin/css/colors/Admin-Author.php HTTP/1.1 500 17551 - -

The code we put in regex.custom.pm is like this:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ / - - $/)) {
return ( No User Agent ,$1, UserAgent , 20 , 80,443 , 3600 );
}...

Hello,

We'd like to use the LF_APACHE_404 option to block IP's getting multiple 404 errors. The issue is it appears to be based on HTACCESS_LOG and that is set to /usr/local/apache/logs/error_log. Even if that was pointing at the access log, it's the main Apache log, not the hosted site logs. What would the side effects be if we change that to be /var/log/apache2/domlogs/*/* ?

Thanks in advance

Hello,

I'm experiencing an issue where the custom firewall script csfpost.sh is no longer executed automatically, likely after the recent cPanel or CSF update on March 19, 2025.

Environment:

cPanel servers running CloudLinux 8 & 9
Imunify360 installed
ConfigServer Firewall (CSF) / LFD enabled
The script (/etc/csf/csfpost.sh) contains custom iptables rules, for example, to allow outgoing...

We have recently been having an issue with JetBackup restoration processes getting kill by CSF. If we disable CSF the restoration process goes off without a hitch. Troubleshooting with CPanel and Jetbackup we narrowed this down to CSF killing the mongod process for JetBackup.

So per JetBackup support we placed exe:/usr/local/jetapps/usr/bin/mongod in the pignore file. This worked for a while but...

Hello,

I'd like to test a custom rule in regex.custom.pm, whats the best way to test this manually, so I can debug it?
I added a print statement in there, however it's not being shown if I run /etc/csf/lfd.pl -f .

Thanks

Hello,

To spot some hacked websites and some virus, I'd like to have a log of all outgoing traffic on a list of specific ports. Is this achievable on CSF or I have to manipulate directly iptables?

Thanks in advance.

I have an AlmaLinux 8 server running CSF + LFD, using ipset for a larger corpus. Load looked very, very high, and I noted in the web server logs that IPs which were blocked in CSF were hammering some of my domains. So I did a systemctl status on iptables. It responded that iptables was dead . systemctl status csf showed that CSF was running.

I did a systemctl iptables start , and load plummeted...

OS type and version Debian Linux 12
Virtualmin version 7.30.4 Pro

I’ve installed CSF (Firewall version 14.24) following:

I’ve configured it, checked and followed the information from a previous discussion.

Firewall status : Enable and running

perl /usr/local/csf/bin/csftest.pl
Say everything is ok.

Check security : Server Score: 39/39

Watch System Log has output (all 4)

Mar 8 21:27:59...

At I see 2 buttons View lfd statistics and view system statistics.

These are not displayed on my CSF. (Installed on Debian12)
Is there something to be done at csf.conf ?

PS : I have a log issue (

Hi,

I recently added Abuse IP DB to my CSF blocklists file as I've seen an increase in web scanning, and all of the source IPs were listed on AbuseIPDB, so I figured it may be a good source to add to CSF blocklists..

I noticed some unwanted traffic this morning, and the IP was on AbuseIPDB, so I started digging and found that the csf.block.abuseipdb file in /var/lib/csf only contains around...

Hi all,

Used the CC_DENY option to block AS16276 since some bots hosted there are hammering my site.

Noticed email to some users can no longer be delivered, seems that their mail server is hosted on AS16276 (mail.ovh.net).

Is there any solution to fix both problems? Continue to block AS16276 but allow mail to be delivered?

R=lookuphost T=remote_smtp defer (110): Connection timed out...

I just downloadded csf.tgz from but the checksum doesn't match with

Should be 58c6a89ed533e56a76da6fac7ae07556754f37a609e0cccbeaf5239c390085d8 csf.tgz

This is what I get:
# sha256sum csf.tgz
2ed60f1ef0a49d9b6812e181703ed04b48aa509b9480d643e561dbc35ce10658 csf.tgz

Thoughts?

I received the following notice from LFD and usually when I get these it just means that CSF/ LFD updated.
```
Time: Tue Feb 25 12:51:14 2025 -0500

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:...

With latest version (14.23) cant login to CSF UI any more, username/password is corrrect, /var/log/lfd.log
Feb 27 17:25:51 mhxxxxxxx lfd : UI: Successful login from 188.129.xxx.xxx

but after login, there is loop got same login page with other slug... for example

etc...

have tried with all browsers, 4 diff VM have same error, cant login to admin panel :confused:

So we're running a Proxmox server with several LXC containers, Proxmox is Debian, and Containers are Centos 7. We install CSF on both the Host and the Containers.

We configured everything properly and running 'perl /usr/local/csf/bin/csftest.pl' under the container gives OK on all tests:

# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing...

CSF or LFD do not detect failed logins via email and do not send report emails.
Hi, I've been using csf for a while now and I've noticed from the journal logs that there are several failed login attempts via pop and imap. It seems that these, unlike ssh login attempts, are simply ignored.
cat /etc/csf/csf.conf | grep mail.log
POP3D_LOG = “/var/log/mail.log”
IMAPD_LOG = ”/var/log/mail.log”
The...

we have written rule in csf allow to only allow connection to port 25 from server ip but we are being able to telnet to this port from another ip

rule is written in csf.allow

tcp|in|d=25|s=server ip

tcp|out|d=25|server ip

our intention is only the server should be able to send and receive mails that is we created mail and from cpanel we login into mail and from there only we should be able to...

Hoping someone can help me with this urgent issue.

All of the sudden, our ecommerce site stopped making connections to PayPal.

I think the issue may be with CSF for some reason (happened overnight) but I cannot figure out how to troubleshoot it.

1. Port 443 is listed in the TCP_IN and TCP_OUT configuration.

2. The nslookup for paypal is fine:

nslookup paypal.com
Server: 10.0.80.11
Address:...

I have a web site that I do not want to be accessed from outside of our local network.

It resides on it's own IP address, so I used the Deny Server Ips feature to block all traffic on it's public IP.

But I can still access it from anywhere.

I notice that the purpose of this feature is to allow blocking of all traffic on server configured IP’s if they’re not in use .

Does that mean that if an...

Hi!
Suddenly today I get this error in the log and it is all 4 blocklists that it cant find. It have worked for 2 month without a problem. What can be wrong

This is the lines in blocklist

csf01|86400|0|
csf02|86400|0|
csf03|86400|0|
csf04|86400|0|

Regards
Anders Yuran