Usually LFD detects modified binaries that have been updated by yum / apt on the integrity check.
It would be quite useful if you send the last lines of the yum / apt log (last 24 hours) attached or appended to these e-mails to quickly check if those changes correlate with the modified files or not.
Search found 10 matches
- 19 Jul 2018, 16:42
- Forum: Suggestions (csf)
- Topic: Sending update logs next to integrity check
- Replies: 1
- Views: 3471
- 30 Jan 2018, 08:13
- Forum: Suggestions (csf)
- Topic: Block probers
- Replies: 3
- Views: 4415
Re: Block probers
I believe you are looking for Mod Security and/or ConfigServer eXploit Scanner, which both have URL / uploaded file scanning patterns and LFD can block multiple matches by these two (LF_MODSEC, LF_CXS)
- 30 Jan 2018, 08:09
- Forum: Suggestions (csf)
- Topic: auto ignore/whitelist option
- Replies: 1
- Views: 3000
Re: auto ignore/whitelist option
Why not just add the remote IP of the router as a whitelisted / ignored IP?
Do you have a dynamic IP?
- 14 Oct 2017, 17:40
- Forum: General Discussion (csf)
- Topic: mod_cloudflare not detected
- Replies: 1
- Views: 2236
mod_cloudflare not detected
This is somewhat minor but on EA4 the security check says that I don't have mod_cloudflare installed but I do have it. Perhaps it's due to the name change on the module: #$ httpd -M | grep cloudflare [Sat Oct 14 13:38:55.345007 2017] [so:warn] [pid 28750:tid 140564230232192] AH01574: module cloudfla...
- 15 Jun 2017, 20:40
- Forum: General Discussion (cxs)
- Topic: cxsftp warns for any php script
- Replies: 2
- Views: 3635
Re: cxsftp warns for any php script
Crap, just noticed that I've created this on the wrong forum, could someone move it to "General Discussion (cxs)"?
- 15 Jun 2017, 18:22
- Forum: General Discussion (cxs)
- Topic: cxsftp warns for any php script
- Replies: 2
- Views: 3635
cxsftp warns for any php script
I've recently added quarantine form cxsftp and enabled the service, but it seems that any PHP script that gets uploaded I'm notified. Scanning FTP file... Time : Thu, 15 Jun 2017 14:10:32 -0300 FTP user : webmaster@*******.*** FTP file : /home/*******/public_html/*******/page.php FTP owner : *******...
- 04 Mar 2017, 15:47
- Forum: Suggestions (csf)
- Topic: Country whitelist on LFD
- Replies: 1
- Views: 6537
Country whitelist on LFD
It would be nice if we could whitelist countries so that they don't get blocked by the failed logins; most of the time our customers set up Outlook or similar clients and after an email password change IMAP / SMTP blocks them. Since most of the time hackers use compromised servers or anonymous pro...
- 21 Feb 2017, 19:34
- Forum: General Discussion (csf)
- Topic: Can't locate object method "new" via package "Crypt::CBC"
- Replies: 1
- Views: 2639
Re: Can't locate object method "new" via package "Crypt::CBC"
I had the same issue and it got fixed by adding use Crypt::CBC; (after the other uses), on the file /usr/sbin/csf
Perhaps it's best to wait for an official answer, but it should work just fine.
- 03 Jan 2017, 14:55
- Forum: General Discussion (csf)
- Topic: Block a hostname forever
- Replies: 1
- Views: 2194
Block a hostname forever
One of our customers is having issues with a remote MX, so my plan was to block it on CSF, but every once in a while it gets cleared out due to the IP limit of the deny table.
How can I block that IP forever?
Also, is there a way to block domains using dyndns instead of just allowing them thru?
- 13 Jun 2008, 22:02
- Forum: Suggestions (csf)
- Topic: Show how many Temporary IPs banned in a glance.
- Replies: 2
- Views: 3956
Also, besides this, the tempban file doesn't show the reason for the block. csf.deny shows {sshd} {imapd} or something like that, but I hadn't seen them on the tempban file, so I don't know why these IPs were blocked. Some workaround has been to add one second to each block (e.g. pop3 1800, imapd 18...