Search found 56 matches

by sneader
14 Mar 2013, 11:39
Forum: General Discussion (csf)
Topic: Excessive GET HTTP requests -- any way to block?
Replies: 4
Views: 5295

Re: Excessive GET HTTP requests -- any way to block?

Darn, I was hoping that either PORTFLOOD or CONNLIMIT would be useful here, and that I was just doing it wrong.

- Scott
by sneader
14 Mar 2013, 11:05
Forum: General Discussion (csf)
Topic: Excessive GET HTTP requests -- any way to block?
Replies: 4
Views: 5295

Re: Excessive GET HTTP requests -- any way to block?

Hi Jonathan. Unfortunately, it's not a real robot, they are faking it. The reverse DNS for this IP maps to a Lunar Pages hosting server, not Microsoft. I highly doubt they will respect the robots.txt. Any other ideas appreciated.

- Scott
by sneader
14 Mar 2013, 10:40
Forum: General Discussion (csf)
Topic: Excessive GET HTTP requests -- any way to block?
Replies: 4
Views: 5295

Excessive GET HTTP requests -- any way to block?

Seems that certain WordPress sites on our server are under some type of attack. Even password protecting the /wp-admin directory has no effect on their efforts. Here is a log snippet for just 3 seconds of activity:

74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 ...
by sneader
08 Mar 2013, 03:54
Forum: General Discussion (csf)
Topic: DNS DoS attacks
Replies: 7
Views: 11238

Re: DNS DoS attacks

I would like to learn how to fix this from within CSF.

- Scott
by sneader
23 Feb 2013, 04:13
Forum: General Discussion (csf)
Topic: How to stop console alerts?
Replies: 2
Views: 6193

Re: How to stop console alerts?

I came here looking for the same answer. What I'm seeing is that while any user is SSH'd in, even a normal user, they see random console messages like:

Message from syslogd@host at Feb 22 18:34:05 ...
kernel:nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=65 TOS=0x10 PREC=0x00 TTL...
by sneader
20 Feb 2013, 19:40
Forum: General Discussion (csf)
Topic: csf.dirwatch - what does it watch by default?
Replies: 1
Views: 4508

csf.dirwatch - what does it watch by default?

Currently my csf.dirwatch file is empty (which is the default). I would like to add some things to it, but I noticed that I already get alerts like this:

============
lfd on example.com: System Integrity checking detected a modified system file

The following list of files have FAILED the md5sum comp...
by sneader
14 Jan 2013, 20:17
Forum: General Discussion (cxs)
Topic: plupload.silverlight.xap <- is it safe?
Replies: 14
Views: 21621

Re: plupload.silverlight.xap <- is it safe?

Thanks, I'll give it a shot -- very helpful!

Also, I see in the docs, it looks like I should be using --ignore instead of -I. Maybe they are the same, but I'm going to switch to --ignore, to match the docs.

- Scott
by sneader
14 Jan 2013, 17:37
Forum: General Discussion (cxs)
Topic: plupload.silverlight.xap <- is it safe?
Replies: 14
Views: 21621

Re: plupload.silverlight.xap <- is it safe?

I am starting up cxswatch with -I /etc/cxs/cxs.ignore

In my ignore file, I have:

hfile:plupload.silverlight.xap

I have restarted cxswatch.

Despite all this, I still receive emails like this:

cxswatch Scanning /home/redacted/public_html/wp-includes/js/plupload/plupload.silverlight.xap: # (compressed f...
by sneader
04 Jan 2013, 23:21
Forum: General Discussion (csf)
Topic: Email on successful root ssh login
Replies: 2
Views: 4758

Re: Email on successful root ssh login

I came here to find the answer to the same question. We have a number of power users on our server that log in regularly via SSH, and I don't need to know. However, I would really like to be alerted right away for any root login via SSH. Maybe this is a feature that could be considered for the futur...
by sneader
08 Oct 2012, 19:20
Forum: General Discussion (csf)
Topic: DNS DoS attacks
Replies: 7
Views: 11238

Re: DNS DoS attacks

Hi Chirpy. I'm wondering if you could provide an example configuration? I am having a similar issue, where I am being hit with hundreds of connections on port 53 from certain IP addresses, all doing IN ANY DNS queries for the same couple of domain names. When I have talked to the admins of the sourc...