ConfigServer Community Forum

Did you guys figure it out yet? Think I have same problem.

I think CXSwatch is the culprit as it checks every file on the server when modified etc and new files.
So note also if your server has tons of files changing and its not an SSD or CPU is too weak and cannot keep up then load will go up.

Look at that aswell = just a tip.

Maybe check if you have cxs blocks enabled as it adds ip lists to CSF. In otherwords check /etc/cxs/cxs.blocklists and comment all the lists. Restart CSF and retry Alternatively check for your server IPs in the list https://download.configserver.com/reputation/all.txt Note you can only download that...

I've had the same issue but we notice enabling the individual lists like LF_SMTP seem to block very nicely
So we enabled the following:

CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS

Works quiet well for us atleast and load has gone down ALOT.

This is not a config server issue. It is an Apache APR Util issue as per:

https://www.purehacking.com/blog/josh-z ... ize-limits

I checked now and the regex is : #mod_security v2 (audit_log) if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /^\[modsecurity\] \[client (\S+)\] (.*) Access denied with (code|connection)/)) { $ip = $1; $acc = ""; $ip =~ s/^::ffff://; if (&checkip($ip)) {retu...

I need assistance on a regex to block this via CSF say after 5 failed attempts : [Thu Jun 11 08:45:40.512566 2015] [:error] [pid 40857:tid 140173587228416] [client 168.63.216.42] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "37"] [id "5000135"] [...

I think I got it to lower load a bit but now I'm noticing something strange with CXS watch: This is CXS watch configuration: /usr/sbin/cxs --Wstart --allusers --www --smtp -I /etc/cxs/cxs.ignore --options M --qoptions Mv --quarantine /cxs/scan/ --Wmaxchild 3 --nofallback --Wloglevel 0 --Wsleep 15 --...

Thanks you are absolutely right.

Had to change modsec_log = /etc/httpd/logs/error_log

Now it's blocking them nicely.

Yippee

Hi all, Weird one I noticed today is that none of my mod security rules are being blocked anymore? I have LF_MODSEC set to 3. Is there something else I'm missing? For eg. [Mon Sep 29 16:14:09.069556 2014] [:error] [pid 982245:tid 140548245526272] [client 96.47.226.20] ModSecurity: Access denied with...