I have a VPS with AlmaLinux 8, cPanel and CSF installed and with a 600Mbps port. I started experiencing speed issues with FTP uploads (because it limited data upload) and so to check the speeds from the server, I installed speedtest cli.
I've seen some posts about using BLOCK_REPORT to customize when an IP is blocked. I'm looking for something that will allow me to execute a custom script whenever CSF identifies accounts exceeding processes, mem, time limits. I want to be able to kill certain accounts (based on their web hosting plan) via a custom script that will allow me to do further reporting/stats at the same time.
There are a lot of questions on this forum regarding this, and I have read most of them. As is usually the case, I am receiving a huge amount of notifications from CSF, from a cron.php that the user of this server has placed and wants to run every 5 minutes. This process is legit, and we want to keep it running. The output is this:
I'm facing a strange issue where CSF is neither blocking nor allowing IPs in Almalinux/CL 9.
If I add a temporary allow like this, it creates an IPTABLES entry and it doesn't work (port 22 is not in TCP_OUT):
# csf -ta 12.34.12.34
ACCEPT all opt -- in !lo out * 12.34.12.34 -> 0.0.0.0/0
ACCEPT all opt -- in * out...
Hello,
After upgrading from Ubuntu 22.04 to 24.04, and while the CSF+ProFTP server was working fine before, it now doesn't allow retrieving the directory listing.
Any suggestions?
Once an hour the load on one of our servers spikes big time. Normal load is barely above zero, but it spikes to loads over 100.0 for a minute or two then comes back down to normal.
When it spikes I always see these processes, with the first one causing the load:
lfd - retrieving global lists
lfd - retrieving blocklists (waiting for list lock)
lfd - retrieving countrycode lists (waiting for...
Hello,
I created a custom ModSec rule that returns a 403 status code if there is a SQL injection attempt. I want CSF to block the IP that is triggering this rule by monitoring the log that ModSec is logging to, but it isn't blocking it at all.
The log came up as either
/usr/local/apache/error_log or
/var/log/apache2/error_log
so in csf.conf I specified the MODSEC_LOG to be...
It seems LFD outputs its blocked messages (eg. Firewall: *UDP_IN Blocked* IN=eth0... ) to the system journal with priority 4 (warning), even when it's just blocking incoming traffic based on port number. This makes them gold-coloured in my TTY, but more annoyingly it gets spammed out to my VPS's emergency console standard output, putting out lines every few seconds. Is there a way to get LFD to...
Temporary blocks that triggered the permanent block:
Tue Sep 10 07:14:01 2024 (CT) IP :: (Unknown) found to have 32 connections
Tue Sep 10 07:44:01 2024 (CT) IP ::...
Hi there,
After the latest cPanel update to version 122.0.5 we have all of a sudden been getting an lfd email every hour as such:
Time: Mon Aug 26 16:07:26 2024 +0100
File: /tmp/.spamassassin3950SumxCatmp
Reason: Suspicious directory
Owner: nobody:nobody (99:99)
Action: No action taken
CSF is having an IP detection error. The IP is actually from Colombia, but it detects it as Romania.
Query:
A) What database does CSF work with to query IP and country of origin?
B) How can you update the CSF IP database?
C) Is there a way to report this type of IP location error?
I get this email from my server:
Subject: Cron /usr/sbin/csf -u
Message: csf and lfd have been disabled, use 'csf -e' to enable
I logged in to WHM to enable it again and all connections become blocked; if I disable it via SSH everything works fine.
I can't imagine what I have to do to make it work again. Should I reinstall csf, or how can I find the problem?
I did not change anything for weeks, csf updated 5...
When CSF blocks an IP, it shows all the information of where and why, including the country code. I'm not sure where CSF gets the country code information, but why can't you simply block by the country code instead of huge lists of CIDRs? I am able to do this in ModSecurity but I would rather block for the entire server instead of just HTTP.
We are trying to block all incoming IPs and only allow Cloudflare IPs. We've whitelisted this in csf.allow, but we still wanted to check whether, from the CSF side, we can block all other traffic.
I hope you are well. I now manage numerous servers running WHM, and I have lately begun integrating ConfigServer Security & Firewall and Login Failure Daemon to improve the security of these systems. While I have some familiarity with server management, I am new to the more advanced configurations and optimizations that CSF and LFD provide. I am seeking out this informed...