ConfigServer Community Forum

Hi i have a dedicated server CentOS 5,9 with WHM 11.36.0.11 and in the last update CSF v6.00 at 2 weeks agoo become a problem to me.

This server only have one site vbulletin forum , and after this upgrade my users say the site is extrem slow.

After a quick tests with a browser cleaned with no cache i can duplicate the problem, and the page sometimes takes 20 secounds to open and other times...

For the last 24 hours I have been getting pummeled from 1000's of ips all targeting the same uri attempting a sql injection exploit. I have atomic mod_ security rules in place which are working fine and successfully blocking all the attempts. Of course I want these ips blocked, but obviously useless. I have CSF installed and as a result of the number of max ips allowed in iptables, my table is...

Hi Everyone,

First of all thanks a lot for this wonderful product.

I am having issue on a server where I have memcached running for a VBulletin forum. I have put an entry for memcached process in csf.pignore file but I think it has nothing to do with the alerts I am getting relating to memcahced TCP connections

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php...

Hmmm

How do i add a photo ?

The log shows the standard logs and then some of the characters sown a ? in a black diamond

Like a char set problem ?

Hi

I am having a hard time figuring out what ports are being scanned. The below block is in fact from a hosting client and the temp blocks stop him from downloading mail.

Can someone please let me know what blocks are being scanned below so I can help the client to resolve this.

Thanks :)

Time: Thu Mar 7 04:20:06 2013 +0200
IP: 41.132.199.40 (ZA/South Africa/41-132-199-40.dsl.xxxx)
Hits: 11...

I think that csf/lfd should have stopped this brute force attempt at root access ... but it did not.

Today at 10:04:19, perpetrator at 59.108.92.24 started attempting ssh root logins. Log lines from /var/log/secure read:

Mar 7 10:04:19 osprey sshd : pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.108.92.25 user=root
Mar 7 10:04:21 osprey sshd :...

I would like to prevent DNS attacks by limiting number of connections to DNS servers:

IPTABLES -I INPUT -p udp --dport 53 -m recent --set --name DNSQF --rsource
IPTABLES -I INPUT -p udp --dport 53 -m recent --update --seconds 1 --hitcount 9 --name DNSQF --rsource -j DROP
IPTABLES -I INPUT -p udp --dport 53 -m recent --set --name DNSHF --rsource
IPTABLES -I INPUT -p udp --dport 53 -m recent...

Hi there,

I have just recently set up a linode VPS with cpanel and I installed CSF.

Ever since I installed it I am getting emails once every hour or so and its really annoying me.

Here are some of the alerts I have been getting:

Time: Wed Dec 19 04:19:22 2012 +0000
IP: 68.171.218.104 (US/United States/removeduetoforumrestriction)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent...

Hi

thanks for this good how-to

my box is centOS5+Apache2+directadmin

I did a manual install , no errors overall and start CSF from SSH

However, I could not see a CSF link on DA interface

I saw some people said manual install fixed, but not working here

how to fix this please?

thanks

I have a sugarcrm installation which uses the server tmp dir for a file.

/tmp/I16t0H/manifest.php

The sub dir changes, but the filename stays the same. I place a rule in signore:

/tmp/.*\.tpl\.php

But this does not work. Maybe the syntax is wrong?

Is there anything I need to change/modify in CSF when changing SSH from port 22 to another port (ex. 55000)?

Hello All,

We have a server that blocks all connection at midnight everyday. We have the same configuration on about 50 severs without any issue. I tried to reinstall CSF, update kernel, iptables -F, etc. I did not find the answer.

Here the logs :

====================================================

Feb 27 00:00:02 lfd : TERM
Feb 27 00:00:02 lfd : daemon stopped
Feb 27 00:00:02 lfd : daemon...

Greetings.

As far as I understand, there are no plans to make csf version that tries to use ipset module if one available.

Aas far as I understand csf license, it doesn't allow deriving any other softwar eproducts.

If there are no plans to generate ipset-aware version of csf, is it possible to receive a permit to make derived work?

Thanks.

Actually the connectiontracking.txt file reports this information:

From: root
To: root
Subject: lfd on : blocked with too many connections

Time:
IP:
Connections:
Blocked:

Connections:

--------------

I like receive in this SAME email this other variables:

Time:
1 Min Load Avg:
5 Min Load Avg:
15 Min Load Avg:
Running/Total Processes:
--------------

--------------

How can i...

Hello,
I have in my csf.conf

LF_MODSEC = 0
LF_MODSEC_PERM = 0

LF_CXS = 0
LF_CXS_PERM = 0

But csf still banning by mod_security trigger:

103.31.186.82 # lfd: (mod_security) mod_security triggered by 103.31.186.82 (HK/Hong Kong/lh21178_voxility_net): 20 in the last 300 secs - Mon Feb 25 19:57:56 2013

root@ghost # csf -v
csf: v5.79 (cPanel)
root@ghost # cat /etc/*release*
CentOS...

For the past 3 years, we have had a setting in our csf.allow that has functioned just fine.
It's a connection to a specific IP and port for license validation.

On any server that has to connect to the license server, we have this:

tcp|out|d=15xx0|d=NNN.NN.NNN.NN # wcm license validation server out to port 15xx0 only

On the license validation server, we have this line:...

I turned on the built-in GUI. Left the port at 6666, which is the default. Restarted. Now when I try to acess
it says page isn't there. Is this the correct procedure?

Thanks

I have installed csf on my Xen virtual server that I manage with WHM/cPanel & am now trying to configure it to tighten up security. I tried enabling SMTP_BLOCK but when I do this CSF fails with the rather unhelpful error messages below. Any ideas how to fix this?

DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25
iptables: Unknown error 4294967295
ACCEPT tcp opt -- in * out *...

how can I stop LFD sending me alerts from mailman ONLY about numbers of emails relayed
I don't want to allow all local host, just in case something happenss or a spammer gets in
I run a fairly active mailing list on the server where we often get over 1000 posts a day & when they are sent to the 50 or so members, it can soon fill my inbox

All I want is a way to stop the alerts from mailman not...

Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP,
CC_DENY_PORTS_UDP. This feature denies access from the countries
listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using
this FTP access port 21 could be blocked to only the specified
countries

I just want to make sure I'm understanding this correctly?

If I wanted to block access to say port 22 to all countries apart from...