Darn, I was hoping that either PORTFLOOD or CONNLIMIT would be useful here, and that I was just doing it wrong.
- Scott
Search found 56 matches
- 14 Mar 2013, 11:39
- Forum: General Discussion (csf)
- Topic: Excessive GET HTTP requests -- any way to block?
- Replies: 4
- Views: 5338
- 14 Mar 2013, 11:05
- Forum: General Discussion (csf)
- Topic: Excessive GET HTTP requests -- any way to block?
- Replies: 4
- Views: 5338
Re: Excessive GET HTTP requests -- any way to block?
Hi Jonathan. Unfortunately, it's not a real robot, they are faking it. The reverse DNS for this IP maps to a Lunar Pages hosting server, not Microsoft. I highly doubt they will respect the robots.txt. Any other ideas appreciated.
- Scott
- 14 Mar 2013, 10:40
- Forum: General Discussion (csf)
- Topic: Excessive GET HTTP requests -- any way to block?
- Replies: 4
- Views: 5338
Excessive GET HTTP requests -- any way to block?
Seems that certain WordPress sites on our server are under some type of attack. Even password protecting the /wp-admin directory has no effect in their efforts. Here is a log snippet for just 3 seconds of activity: 74.50.26.15 - - [14/Mar/2013:05:37:13 -0500] "GET /wp-admin/ HTTP/1.1" 302 ...
- 08 Mar 2013, 03:54
- Forum: General Discussion (csf)
- Topic: DNS DoS attacks
- Replies: 7
- Views: 11609
Re: DNS DoS attacks
I would like to learn how to fix this from within CSF.
- Scott
- 23 Feb 2013, 04:13
- Forum: General Discussion (csf)
- Topic: How to stop console alerts?
- Replies: 2
- Views: 6217
Re: How to stop console alerts?
I came here looking for the same answer. What I'm seeing is that while any user is SSH'd in, even a normal user, they see random console messages like: Message from syslogd@host at Feb 22 18:34:05 ... kernel:nf_ct_ftp: dropping packetIN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=65 TOS=0x10 PREC=0x00 TTL...
- 20 Feb 2013, 19:40
- Forum: General Discussion (csf)
- Topic: csf.dirwatch - what does it watch by default?
- Replies: 1
- Views: 4534
csf.dirwatch - what does it watch by default?
Currently my csf.dirwatch file is empty (which is the default). I would like to add some things to it, but I noticed that I already get alerts like this: ============ lfd on example.com: System Integrity checking detected a modified system file The following list of files have FAILED the md5sum comp...
- 14 Jan 2013, 20:17
- Forum: General Discussion (cxs)
- Topic: plupload.silverlight.xap <- is it safe?
- Replies: 14
- Views: 21848
Re: plupload.silverlight.xap <- is it safe?
Thanks, I'll give it a shot -- very helpful!
Also, I see in the docs, it looks like I should be using --ignore instead of -I. Maybe they are the same, but I'm going to switch to --ignore, to match the docs.
- Scott
- 14 Jan 2013, 17:37
- Forum: General Discussion (cxs)
- Topic: plupload.silverlight.xap <- is it safe?
- Replies: 14
- Views: 21848
Re: plupload.silverlight.xap <- is it safe?
I am starting up cxswatch with -I /etc/cxs/cxs.ignore
In my ignore file, I have: hfile:plupload.silverlight.xap
I have restarted cxswatch
Despite all this, I still receive emails like this:
cxswatch Scanning /home/redacted/public_html/wp-includes/js/plupload/plupload.silverlight.xap: # (compressed f...
- 04 Jan 2013, 23:21
- Forum: General Discussion (csf)
- Topic: Email on successful root ssh login
- Replies: 2
- Views: 4825
Re: Email on successful root ssh login
I came here to find the answer to the same question. We have a number of power users on our server that log in regularly via SSH, and I don't need to know. However, I would really like to be alerted right away for any root login via SSH. Maybe this is a feature that could be considered for the futur...
- 08 Oct 2012, 19:20
- Forum: General Discussion (csf)
- Topic: DNS DoS attacks
- Replies: 7
- Views: 11609
Re: DNS DoS attacks
Hi Chirpy. I'm wondering if you could provide an example configuration? I am having a similar issue, where I am being hit with hundreds of connections on port 53 from certain IP addresses, all doing IN ANY DNS queries for the same couple of domain names. When I have talked to the admins of the sourc...