ConfigServer Community Forum

In searching here I was unable to see whether CSF is compatible with nftables. I only found info on iptables-nft.

My application is cPanel servers running Almalinux, on which firewalld is installed and running on nftables. My question is simply will CSF drop in to that system and run fine? (I would assume yes, that nftables is fully supported, and that no tweaks are needed. But I didn't find the...

Can someone provide a regex that handles this line in /var/log/secure? I tried a couple of things, and don't seem to get it, even trying to copy and adapt one that's already there. Here's the line:

Nov 11 13:00:01 boston systemd : pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)

I'm getting these in LFD Log Scanner reports

WHM 118.0.25
Almalinux 8.10.0 kvm
CSF 14.22, mailscanner 5.4.4 w/ MSFE 9.26

I have blocked the IP address 128.245.64.22 in CSF:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 128.245.64.22 in iptables
IPSET: Set:chain_DENY Match: 128.245.64.22 Setting: File:/etc/csf/csf.deny
Permanent Blocks (csf.deny): 128.245.0.0/16 # do not delete

And yet spammers...

Hi,
LF_APACHE_404 not working on cPanel with litespeed.
HTACCESS_LOG is setup with /var/log/apache2/error_log but not working
I've inserted custom regex but no work.

Can you help me to build custom 404 regex on cPanel litespeed?

I have an issue because every day I receive from lfd information about overload my server and logs shows me many connections from Microsoft adress IP. Manual block IP isn’t good because every day is another IP. In Csf I have set two parameters: CONNLIMIT 80;50,443;50 i PORTFLOOD 80;tcp;100;60,443;tcp;100;6 but it doesn’t work. Could you give me any suggest how to resolve this an issue?

I apologize if this is in the wrong area.

On ModSecurity I switched the ruleset from Comodo to OWASP, and now LFD isn't sending the Mod Security notifications to email.

LFD is sending out emails for other notifications.
Have restarted CSF & LFD, and ran csf -ra

Any suggestions are welcome on what to look at.

Thanks

Hi,

I've recently setup the emails for csf/lfd and I started getting tons of emails coming through, but most of them appear to be false positives.

I've added the following rules to csf.pignore but they don't appear to be working as the emails for the very same reasons are still coming through even after restarting both CSF and even the entire server....

Hi,

I hope you can help.

We are running new cPanel install on AlmaLinux via Lightsail Instance.

Configuration:
Access to WHM and cPanel is limited to single static IP
SSH port remains as 22
SSH root login disabled
The following services are enabled and working:
MySQL is bound to 127.0.0.1
2-factor authentication for WHM
Security Advisor: all in ‘green’
ImunifyAV: No malware found in scans...

Hello,

Due to some requirements, I can't use PT_USERKILL to kill process over PT_USERTIME / PT_USERMEM, I need to use custom script in PT_USER_ACTION to perform advanced checks.

However, I've seen that since I switched PT_USERKILL to 0, I keep receiving Excessive resource usage emails, no matter if PT_USERKILL_ALERT is set to 0 or 1.

How can I disable the Excessive resource usage email without...

Hello to CSF Community,

After migration to AlmaLinux 9 from CentOS 7 I suddenly met the problem with loading files by ftp (example from shell)
curl -u user:password ' -o /var/www/html/df/file1.zip
Result
curl: (7) Failed to connect to example.com port 21: Connection refused

When I stop only CSF service (lfd and iptables leave running as i s) - everything is OK, file will be downloaded by...

Hello,

I have a server that will be used for development tasks. So i want this server only accessible from Finland (for some ports only, all other ports will be blocked for anywhere). I tried lots of settings and couldn't make it working.

My configuration is below:

TCP_IN =
UDP_IN =

FASTSTART = 0

LF_IPSET = 1

MM_LICENSE_KEY = ABCDEFG12312

CC_DENY =
CC_ALLOW =
CC_ALLOW_FILTER =...

I have hourly Log Scanner Report enabled, however they are flooded with messages like this snippet:

Sep 28 11:52:53 REDACTED named : client @0x7f2130057918 45.148.10.248#6967 (ccb.gov): query (cache) 'ccb.gov/ANY/IN' denied
Sep 28 11:52:53 REDACTED named : client @0x7f2128012e68 45.148.10.248#11681 (ccb.gov): query (cache) 'ccb.gov/ANY/IN' denied
Sep 28 11:52:53 REDACTED named : client...

Hello

I have a few rules under regex.custom.pm.

Some are very important and I want to receive mail notification and other not so much so no need of notification.

Is there any way I can disable mail notifications for specific rules and keep temp/perm block working as expected?

It would also be cool if we can filter notifications by country.

Thank you

Hi - we're needing some assistance to get these type of attacks blocked automatically with a custom regex- say 10 login attempts in 12 hours to mitigate slow logins and permanently banned and added to block list where we can remove them if needed in case of customer false attempts. We've tried a few things including fail2ban although it would be great if LFD can scan the logs and ban them...

AlmaLinux: v8.9.0 Standard KVM
cPanel: 120.0.8
CSF: 14.20
Perl: 5 v26

Hi, this may not be anything to do with csf/lfd per se; just checking.

Just elevated from CentOS, and am getting lfd notification emails every 10 minutes:
Error: Failed to detect code in SYSLOG_LOG

And cron messages being sent every hour:
logger: socket /dev/log: Connection refused

Manually sending messages via logger...

Hi,

We are getting lots of Process Tracking notifications for an executable and would like to add it to csf.pignore

/usr/local/cpanel/3rdparty/perl/536/bin/perl

What is the correct syntax to add this to /etc/csf/csf.pignore please?

Thanks very much

Michael

Hi, forgive me if this has already been asked and adequately answered, but I haven't found it so far:

I'm new to DirectAdmin and ConfigServer and trying to configure everything properly. I'm confused because the server security check keeps returning:

You should consider disabling commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, popen,...

I've seen some posts about using BLOCK_REPORT to customize when an IP is blocked. I'm looking for something that will allow me to execute a custom script whenever CSF identifies accounts exceeding processes, mem, time limits. I want to be able to kill certain accounts (based on their web hosting plan) via a custom script that will allow me to do further reporting/stats at the same time.

Is there...

Hello people,

There are a lot of questions on this forum regarding this, and I have read most of them. As is usually the case, I am receiving a huge amount of notifications from CSF, from a cron.php that the user of this server has placed and wants to run every 5 minutes. This process is legit, and we want to keep it running. The output is this:

Executable:

/home/virtfs/...

OS: CloudLinux release 9.4 (Vladimir Vasyutin)
CSF version: csf: v14.21 (cPanel)

Hi,

I'm facing a strange issue where CSF is not blocking nor allowing IPs in Almalinux/CL 9.
If I add a temporarly allow like this, it creates an IPTABLES entry and it doesn't work (port 22 is not in TCP_OUT):

# csf -ta 12.34.12.34
ACCEPT all opt -- in !lo out * 12.34.12.34 -> 0.0.0.0/0
ACCEPT all opt -- in * out...