ConfigServer Community Forum

I think CXSwatch is the culprit as it checks every file on the server when modified etc and new files.
So note also if your server has tons of files changing and its not an SSD or CPU is too weak and cannot keep up then load will go up.

Look at that aswell = just a tip.

Maybe check if you have cxs blocks enabled as it adds ip lists to CSF. In otherwords check /etc/cxs/cxs.blocklists and comment all the lists. Restart CSF and retry Alternatively check for your server IPs in the list https://download.configserver.com/reputation/all.txt Note you can only download that...

I've had the same issue but we notice enabling the individual lists like LF_SMTP seem to block very nicely
So we enabled the following:

CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS

Works quiet well for us atleast and load has gone down ALOT.

Hi guys

I'd like to know if I should configure CXS with ClamAV "Unofficial Signatures Option" if i'm using the following on clamav:

https://malware.expert/signatures/

Thoughts?

This is not a config server issue. It is an Apache APR Util issue as per:

https://www.purehacking.com/blog/josh-z ... ize-limits

With exim you usually just get one queue called the delivery queue. With Mailscanner we get a pending queue aswell.

Kind of messing up monitoring.

Anyway to have just one queue rather than monitoring both?

Hi This got blocked by CSF due to CXS block upload on ftp: Oct 15 16:15:18 lin05 cxs[876014]: IP:1.2.3.4 User:hcjvregm FTP upload:['/home/hcjvregm/public_html/cloner.php'] - Regular expression match = [symlink\s*\(] Trying to figure out why it did when the cxsftp.sh has the following: /usr/sbin/cxs ...

Customers are saying that randsomeware got through mailscanner. Customer sent to gmail where it got blocked but through mailscanner its getting through.

Now I have read that SaneSecurity can pick these types of viruses up. How does one install it?

I checked now and the regex is : #mod_security v2 (audit_log) if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /^\[modsecurity\] \[client (\S+)\] (.*) Access denied with (code|connection)/)) { $ip = $1; $acc = ""; $ip =~ s/^::ffff://; if (&checkip($ip)) {return ("mod_secur...

I need assistance on a regex to block this via CSF say after 5 failed attempts : [Thu Jun 11 08:45:40.512566 2015] [:error] [pid 40857:tid 140173587228416] [client 168.63.216.42] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "37"] [id "5000135"] [msg "ip address blocked for 5 ...