Search found 10 matches

by cloudseeder
28 Sep 2023, 15:13
Forum: General Discussion (csf)
Topic: Update script freezes Hash is full
Replies: 3
Views: 3357

Re: Update script freezes Hash is full

Increasing the LF_IPSET_MAXELEM setting resolved the problem for me. You can figure out how hight to go by watching the output from css as it starts. CC_ALLOWPORTS all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_us src csf: IPSET loading set cc_us with 98413 entries IPSET: [ipset v6.38: Er...
by cloudseeder
10 Aug 2018, 16:47
Forum: Report Bugs (csf)
Topic: 12.05 update causing exim syntax errors
Replies: 3
Views: 5515

Re: 12.05 update causing exim syntax errors

Found it. This must be a new rule: if (($config{LF_EXIMSYNTAX}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?no host name found for IP address (\S+)/)) { My ingress mail servers are running on AWS and connect to the servers running CSF/LFD using private IP addresses ...
by cloudseeder
10 Aug 2018, 16:18
Forum: Report Bugs (csf)
Topic: 12.05 update causing exim syntax errors
Replies: 3
Views: 5515

12.05 update causing exim syntax errors

After the 12.05 update my lfd log is full of exim syntax errors: Aug 10 08:17:20 vpc5 lfd[2111376]: Exim syntax errors from resulting in my ingress mail servers to be blocked. I see this in the changelog: Added new regex for LF_EXIMSYNTAX I whitelisted my ingress servers to get mail flowing again bu...
by cloudseeder
22 Dec 2016, 15:40
Forum: General Discussion (csf)
Topic: ftp attacks on the rise
Replies: 4
Views: 4693

Re: ftp attacks on the rise

Given the recent wave (yet another) of Wordpress brute force login attacks I've seen I wanted to resurrect this thread. I have CSF configured to detect and block these attacks using custom mod_sec rules. I use a temp ban rule followed by a perm ban rule. The issue I'm having is that this botnet, and...
by cloudseeder
31 Mar 2016, 06:11
Forum: General Discussion (csf)
Topic: ftp attacks on the rise
Replies: 4
Views: 4693

Re: ftp attacks on the rise

Given ipset functionality is there any reason we can't build a huge global deny list? Who's pushed the limits of ipset? If we can't use our collective superior intelligence to defeat the bad guys I'm ready to go back to building walls to protect the kingdom. I've already walled off some services, fi...
by cloudseeder
31 Mar 2016, 06:03
Forum: Report Bugs (csf)
Topic: Temp to perm ban works until you remove the IP
Replies: 4
Views: 6237

Re: Temp to perm ban works until you remove the IP

Thank you. This one has been causing me pain for some months.
by cloudseeder
24 Mar 2016, 13:21
Forum: Report Bugs (csf)
Topic: Temp to perm ban works until you remove the IP
Replies: 4
Views: 6237

Re: Temp to perm ban works until you remove the IP

Sorry. In my head it's perfectly clear :-) But, I've been looking at the code paths for hours. Here's what happens. 1. The IP address is moved from temp ban to perm ban status via some rule 2. The IP address is removed from the temp ban list (csf -tr) but not from /var/lib/csf/csf.tempip 3. LFD issu...
by cloudseeder
23 Mar 2016, 23:21
Forum: General Discussion (csf)
Topic: ftp attacks on the rise
Replies: 4
Views: 4693

Re: ftp attacks on the rise

No. It's not just you. The attacks are brutal at times. I, like you have ended up creating a much smaller Internet :-) for most services.
by cloudseeder
23 Mar 2016, 23:16
Forum: Report Bugs (csf)
Topic: Temp to perm ban works until you remove the IP
Replies: 4
Views: 6237

Temp to perm ban works until you remove the IP

This bug is back in version 8.16. The current problem is that if you have a DENY_IP_LIMIT set when an IP address is pushed out of the list it is not being removed from /var/csf/csf/tempip. Since the record has the PERM flag set the bad IP address will never be banned again. Here's the code from CSF ...
by cloudseeder
04 Feb 2014, 01:29
Forum: Report Bugs (csf)
Topic: Temp to perm ban works until you remove the IP
Replies: 7
Views: 5937

Temp to perm ban works until you remove the IP

Once an IP address has been through the temp to perm ban cycle the status is changed to PERM in /var/lib/csf/csf.tempip. If you then remove the ban on the IP using "csf -dr IP" the IP will never be subject to being banned again because the entry in /var/lib/csf/csf.tempip is not removed an...