ConfigServer Community Forum

Most new operating systems are switching to journald instead of syslog for logging as it provides a much needed unified interface for logging. It would be good if CSF could support this similar to fail2ban. fail2ban: https://unix.stackexchange.com/questions/268357/how-to-configure-fail2ban-with-syst...

Why not just enable MESSENGERV3 in CSF then LFD won't have to spawn up its own service and will just use your Apache service (which will pass any PCI compliance scans if configured correctly).

Unfortunately this is seems to be still happening on some servers with a normal IPv4 addresses (This server is ubuntu 20.04). 78.46.65.XXX is the servers own primary IP address. They are running csf: v14.17 (generic) From the lfd log: Oct 10 22:45:26 srv lfd[66827]: (CT) IP 78.46.65.XXX (DE/Germany/...

Your best bet is to enable the messenger service. Then you can have links in the messenger templates explaining why they are banned and what they can do to correct it.

That site is storing cookie information that your modsecurity rules think are a "Remote Command Execution: Unix Command Injection". You need to disable that rule for the site or figure out what is dropping that cookie and remove it (if its an addon).

There is no need for this. Remember that the csf .deny file supports include statements like Include /etc/csf/csf.custom.deny where you can store all your own custom entries.

Look at the DENY_IP_LIMIT and CT_PERMANENT options in /etc/csf/csf.conf. By default CT_PERMANENT is set to 0 meaning that connection tracking blocks are only temporary. Also If you set CT_PERMANENT to 1 then they will be permanent and will still rotate out depending on your DENY_IP_LIMIT.

This is what the processes look like at the time: root@server:~# ps aux | grep lfd root 2829470 21.3 0.1 46976 36912 ? Ss 15:42 0:06 lfd - sleeping root 2829834 0.0 0.0 8112 596 pts/2 S+ 15:42 0:00 tail -f /var/log/lfd.log root 2834890 2.5 0.1 48876 36864 ? S 15:42 0:00 lfd - (child) blocking 162.15...

Under heavy attacks the login failure daemon will constantly restart with the error: *Error* Excessive number of children (344), restarting lfd... Unfortunately some times LFD doesn't come back after restarting and errors with: *Error* pid mismatch or missing, at line 1161 Here is a sample from the ...

Look at the PT_USERKILL and PT_USERKILL_ALERT options in /etc/csf/csf.conf