ConfigServer Community Forum

Hi,
I have ModSecurity 2.9 and OWASP Rule v3.3.0 running on my box Cloudlinux/nginx proxy/Apache 2.4 (+mod_remoteip)
Some rules ban IPs on CSF , other rules just block on moddesc and no CSF ban...
i have all triggers correctly in apache logs and correct setup in csf
MODSEC_LOG=/usr/local/apache/logs/error_log
LF_MODSEC = 5
LF_MODSEC_PERM = 1

is this a normal behavior? i need to edit some...

Hi,
I have a client with 5 sites on a server. She logs in to all 5 one after another in few minutes.
That behaviour cause csf to block her IP as a login attack even though she login once to each site.
Is there a way to let csf count the login of each site separately?
I white listed her IP but that is not a good solution since her IP is dynamic.
I tried to find an answer here but no success....

Hi,
I'm looking for a way to get the information pushed to an email address (if not directly to a webhook) as soon as a specific file size changes.

I found a way to do something similar - using the lfd Directory File Watching as mentioned here and also mentioned here .

I configured the relevant email address as described here - and I started getting the email alerts - The problem is that I get...

On a VPS running current WHM and CSF/LFD:

Time: Fri Feb 11 18:01:06 2022 -0500

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/mysql_install_db: FAILED
/bin/mysql_install_db: FAILED

Time: Fri...

Hello,

Over the weekend my servers all failed to load/reload csf using the csf -r command.

It appears that the cc_us ip table has gotten massive all of the sudden?
It was failing with:

csf: IPSET loading set cc_us with 79025 entries
IPSET:

and then just hangs here.

So i went into csf.conf and tried changing:

# The following sets the hashsize for ipset sets, which must be a power of 2....

I have reported this issue in a different thread about 4 months ago but we still haven't solved the issue. We have two WHM/CPANEL servers that are running CentOS v7.9.2009. Both servers are running csf v14.12. Both servers were running fine for over 3 years until we migrated from Centos 6 to 7. Since then we have been experiencing and issue with CSF that blocks HTTP traffic to all accounts on the...

Hi,
I have some entries in apache log but csf do not want block it.

my csf setup is:
LF_MODSEC =1
LF_MODSEC_PERM=1

an example of hit:

ModSecurity: Warning.
Pattern match \\\\$+(?: *|\\\\s*{.+})(?:\\\\s|\\\\ |{.+}|/\\\\*.*\\\\*/|//.*|#.*)*\\\\(.*\\\\)
at ARGS:trend_format .
[data Matched Data: $s (%2$s) found within ARGS:trend_format : %1$s %3$s (%2$s) ]

, referer:

how can i fox it?

NEW Linux Accuwebhosting Cloud Server.

Accuweb now uses Zabbix in their server templates to monitor newer servers for UP/SOWN and who all knows.

I REQUIRE CSF to be on ALL my servers and that it be RUNNING and configured properly.

Accuweb Support says they cannot telnet into or get the Zabbix signal from zabbix-agent to their monitor server when my CSF is installed.

I UNINSTALLED and...

I have installed Shadowsocks client (for SOCKS5 proxy) and Privoxy (for convert socks5 to http proxy) on Centos 7 (I use cPanel).

SOCKS5 is running on 127.0.0.1:1080
Privoxy is running on 127.0.0.1:8118

When the CSF is enable, the socks5 and http proxy don't work:

# curl --socks5 127.0.0.1:1080
curl: (35) Encountered end of file

But when I disable CSF (csf -x), It works:

# curl --socks5...

Hi
Is it possible to disable login failure detection of IMAP in the CSF configuration for a particular user?

I would like to make sure login failure in a single account do not add the user IP to a deny list.

Some customers just don’t understand why they are blocked, but it might be an old ipod in their network trying to continually connect with an old password.

Hi team

I am using CSF and mod Security. I have implemented an automated reporting facility to AbuseIPDB.

It all works well - except occasionally, it sends a report to AbuseIPDB but does not block in CSF

When that happens, this is what is reported in AbuseIPDB

(CT) IP 12.345.6.789 (CA/Canada/-) found to have 190 connections;

This is what shows in Hits List for Modsec (there are many...

We are getting blocks from an unknown IP range which is not visible in any of our other logs besides lfd logs. It does not cause any harm as of now but it looks like a csf bug itself. Please suggest some solution if there is available or fix it in next update.

Blocks that we are getting is as below:

Time: Mon Nov 29 05:35:47 2021 -0800
IP: 0.172.31.183 (-)
Connections: 2160
Blocked: Temporary...

Hi,

Is there some way to ignore checks for a specific email address?

My situation is that one of our cPanel users had an email address for an employee. The employee is gone, the address was deleted but the ex-employee still checks the address a thousands of time a day and they keep banning some important IP addresses. We have whitelisted the respective ranges but now we are getting many...

i need to exclude single email login with same To header from distributed attack / permblock

this is sample exim log line
1nBXpM-000DFy-Nx for email@domain.com

if i add this code to csf.logignore should work ?

^.*dovecot_login:email@domain.com.*for email@domain.com

Ever since I try CSF on a new Debian 9.4 server, LFD fails to start.
I first migrated csf.conf and allow and ignore lists etc. from a debian 7 server,
Then also tried a clean install, To no avail. Searches don't bring help either.
Some hits on sendmail requirement? Who still uses sendmail? Seriously. I'm running postfix. Done so for 20 years. Up until now CSF LFD always worked fine....

Hello friends.

How can we block sites like hackertarget.com/reverse-ip-lookup and host and block all domains on one IP address?

Is there a way to block it through CSF/LiteSpeed?

hello

i use whm/cpanel , also last weeks i receive lot of amil notification like :
lfd on servers.site.com: Excessive resource usage: host (24147 (Parent PID:1817))

Time: Wed Feb 26 18:48:07 2020 +0100
Account: host
Resource: RSS Memory Size
Exceeded: 331 > 256 (MB)
Executable: /opt/cpanel/ea-php72/root/usr/sbin/php-fpm
Command Line: php-fpm: pool host_us
PID: 24147 (Parent PID:1817)
Killed:...

Hi,

I have set LF_PERMBLOCK_ALERT = 0 and restarted CSF through WHM but I am still receiving email alerts on Excessive resource usage. Are there any other configurations that I have missed out?

We are constantly receiving Excessive Resource Usage emails, example:

Time: Sun Jan 16 10:10:34 2022 -0700
Account:
Resource: Virtual Memory Size
Exceeded: 514 > 512 (MB)
Executable: /opt/cpanel/ea-php74/root/usr/sbin/php-fpm
Command Line: php-fpm: pool
PID: 1446 (Parent PID:3470)
Killed: No

We have tried setting PT_USERMEM to 1024, and to 0 and we still receive the notices (this setting...

Its not every day I find something this perplexing, so I thought I would toss this out there to the hive mind and see if anyone can guess what might be going on here.

Server is a Centos 7, fully updated server, high end specs, bare metal, latest Release version of cPanel. Running Litespeed.

This is so weird.

So, this url:

For any of you in the forum would load perfectly normally across all...