ConfigServer Community Forum

Hi there,

I have setup a modsec script to help protect my wp-login.php file. Essentially the script that I've found will block access for the offending IP address for 5 minutes upon 10 failed login attempts over a 3 minute duration.

I'd like to utilize the LF_MODSEC portion of CSF to add them to the iptables firewall so that they're blocked right at the front door.

In testing, modsec is...

Hi,

Dmesg is flooded by logs like:
OS=0x08 PREC=0x20 TTL=239 ID=54321 PROTO=TCP SPT=49541 DPT=8728 WINDOW=65535 RES=0x00 SYN URGP=0
Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=96:00:03:eb:25:ed:d2:74:7f:6e:37:e3:08:00 SRC=92.255.85.147 DST=138.199.144.66 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=64262 PROTO=TCP SPT=54582 DPT=3364 WINDOW=1024 RES=0x00 SYN URGP=0
Firewall: *TCP_IN Blocked* IN=eth0...

Support

I currently have the generic version and would like to migrate to cpanel version.

I initially installed the generic version but I am using cpanel.

I was able to install the cpanel version but it still says generic.

How do I change this?

csf -v
csf: v14.22 (generic)

I posted this on cpanels support and they told me to raise the issue here.

Thanks

John

Hi there,

We allow remote MySQL access for specific IP adress, by adding a rule to the csf.allow file as following;

d=3306|s= #

This has been working fine for a couple of years now.

However, since a few days we got multiple complaints that MySQL access is blocked. When checking the logs I see these entries; indicating that the port is blocked. I have seen multiple cases of this, on...

OK I know, CSF is an IP based firewall, but we are already working with domain name.
In csf.dyndns.
Could we get something like csf.blockeddomain that will work the other way?
Check every 10min what IP the domain has and add it to block list?

Or is already a way to block domains in CSF?

Hi, I'm looking at logs and finding that src ip's are looking for trouble, but they are spreading their attack times to a couple of tries over a spread of minutes. Cannot find a way in csf config to set a ban for this. Here is a sample of the syslog to show what I'm seeing (pruned the log down for viewing):

15: 17:26 xx krnl: Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP...

I have CSF configured to block SMTP Auth attacks, syntax errors, and POP3/IMAP access attempts. However, none of those appear to be being blocked at present and only SSH attacks appear to be blocked. I've double checked my configuration and it appears to be correct, but it's like CSF is ignoring it. I installed the software with CPanel but that shouldn't be the reason for that I wouldn't think....

Hello to all,
For the last few weeks, when I try to install a WordPress from a cPanel account, I receive this error:
WordPress was installed with errors:
Downloading and unpacking
Impossible to download pack 6.7.1 from

If I stop or restart CSF, it work for a few minutes, but then block again.

In TCP_IN and TCP_OUT, ports 80 and 443 are listed.

What can possibly do this?

Thank you.

Hello ,

This is my first time here , i had joined today to discuss about many email alerts i am receiving since a week or so .

There is 3 types of emails :

1- It is titled by : lfd on *server name* : Suspicious File Alert‏
and contains :

File: /tmp/systemd-private-be537481d81d48b4b230533e9c529e32-ea-php81-php-fpm.service-teQo08/tmp/python3.61
Reason: Linux Binary
Owner: *website-username*...

hi,
i've a cpanel server with regex.custom.pm, but getting ignored and no block

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).* HTTP\/.* 403/)) {
return ( 403 bruteforce ,$1, block , 2 , 80,443 , 604800 );
}

CUSTOM1_LOG is
CUSTOM1_LOG = /var/log/apache2/domlogs/*/*
Access log with 403

1.1.1.1 - - HEAD /?play=ulti700?page=1&mqwsaWOeAy&cLLFTOZk59 HTTP/2 403 0 - Mozilla/4.0...

Hi, bit new to using ConfigServer and wondered how I can change the sensitivity of the IMAP filters to allow for more failed IMAP login attempts or change the time period.

We are getting quite a few genuine logs attempts but they are failing after 10 attempts.

Is there some setting that after a certain time period can automatically Unblock the failed IP address trying to login to IMAP.
So the...

Hi All,

Been scratching my head with this one, hopefully someone can shed some light.

We have a Centos 7 (cPanel) bare metal Dedicated server running CSF without issue.

A restore of this box was done to an alternative server from an Acronis backup. IP changed etc.

Now on the new server there is issues with port 80 and 443 being blocked and eventually figured out that disabling LF_SPI allows...

hello I receive always ldf email alerts tons of.... 500 alerts and mor at day
i've tried many solutions PT_user =0 , disabling email alerts on csf.conf
put some process in csf.pignore
tried all solutions founded on the web but nothing works
always tons of email with alerts from lfd
i have plesk and linux so not a gui not cpanel but all commands via ssh
I cannot filter email to not send via plesk...

Hello,

We have installed CSF on several of our servers, but one of our Plesk servers keeps spamming lfd Suspicious process running under user.

I have disabled all email_alert but we getting hundreds of emails per hour.

Version: csf: v14.22 (generic)
OS: VERSION= 20.04.6 LTS (Focal Fossa)

config:

LF_EMAIL_ALERT = 0
LF_TEMP_EMAIL_ALERT = 0
LF_SSH_EMAIL_ALERT = 0
LF_SU_EMAIL_ALERT = 0...

csf install on Webmin OS

| SYSTEM INFORMATION||
|------------------------------|-------------------------------|
|OS type and version|AlmaLinux 9.5|
|---|---|
|Webmin version|2.202|

I will likely post this also at the Webmin forums, but just in case it's relevant here, I saw a number of errors and if CSF supply the Webmin install template, a small layout issue after following the...

Hi,

Does anyone know how is fully disable LFD email alert from CSF ?

we already use any documentation from the cPanel, community, but still wont work, alert email still delivered and many got frozen :

-

-

here is want example of email header :

Return-path:
Received: from root by XXXXXX with local (Exim 4.98)
(envelope-from )
id 1tAjEL-00000009Pya-1n98
for root@XXXXXXX;
Tue, 12 Nov 2024...

Hi,

I have been trying to configure CSF and Docker under a Plesk server. There are many posts in forums reporting that when Docker creates a NAT redirect to certain port, that port is exposed to the entire world.

I tried to use this csfpost tool but apparently It hasn´t worked.

In some way, installing netfilters tool for saving iptables rules I have managed to store a set of iptables rules...

In searching here I was unable to see whether CSF is compatible with nftables. I only found info on iptables-nft.

My application is cPanel servers running Almalinux, on which firewalld is installed and running on nftables. My question is simply will CSF drop in to that system and run fine? (I would assume yes, that nftables is fully supported, and that no tweaks are needed. But I didn't find the...

Can someone provide a regex that handles this line in /var/log/secure? I tried a couple of things, and don't seem to get it, even trying to copy and adapt one that's already there. Here's the line:

Nov 11 13:00:01 boston systemd : pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)

I'm getting these in LFD Log Scanner reports

WHM 118.0.25
Almalinux 8.10.0 kvm
CSF 14.22, mailscanner 5.4.4 w/ MSFE 9.26

I have blocked the IP address 128.245.64.22 in CSF:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 128.245.64.22 in iptables
IPSET: Set:chain_DENY Match: 128.245.64.22 Setting: File:/etc/csf/csf.deny
Permanent Blocks (csf.deny): 128.245.0.0/16 # do not delete

And yet spammers...