Search found 25 matches

by UWH-David
27 Apr 2020, 22:08
Forum: General Discussion (csf)
Topic: SSH Distributed Attack Floods
Replies: 7
Views: 4611

Re: SSH Distributed Attack Floods

As clearly indicated, these ports in the emails are ephemeral, and not the port SSH is on. Why is that? Hope this clarifies what I tried to write. The only one who knows the SSH port is you, so hackers have to guess what port to attack. They use exploit scripts that try to guess the SSH port and ...
by UWH-David
27 Apr 2020, 02:11
Forum: General Discussion (csf)
Topic: SSH Distributed Attack Floods
Replies: 7
Views: 4611

Re: SSH Distributed Attack Floods

This does not answer my question and seems to be missing several underlying key points. Why is this showing up in an ephemeral port range in the first place? SSH is not on a standard port as indicated and can only be hit there. It appears to be more of a case of false positives. It is because the ha...
by UWH-David
16 Apr 2020, 20:03
Forum: General Discussion (csf)
Topic: SSH Distributed Attack Floods
Replies: 7
Views: 4611

SSH Distributed Attack Floods

The latest version of configserver firewall. This one is driving me a little bonkers. We are all aware of the increase in SSH attacks lately. We run SSH on a non-standard port pretty high up but we are still seeing a MASSIVE influx of distributed SSH blocks on ports not related to our SSH port which...
by UWH-David
02 Sep 2019, 20:49
Forum: General Discussion (cxs)
Topic: cxs exploit path wrong
Replies: 0
Views: 4494

cxs exploit path wrong

I am seeing this on one of our installs:
Web upload script path : /home/csf/public_html/wp-content
Web upload script URL : http://thedomain.com/wp-content/plugins/real3d-flipbook/includes/process.php
Remote IP : 111.111.111.111
Deleted : No
Quarantined : Yes [/home/cxs/cxscgi/20190902-111450-XW1cGlR...
by UWH-David
06 Nov 2017, 16:02
Forum: General Discussion (csf)
Topic: FTP Passive issue
Replies: 8
Views: 21849

Re: FTP Passive issue

My pleasure.
by UWH-David
06 Nov 2017, 00:44
Forum: General Discussion (csf)
Topic: FTP Passive issue
Replies: 8
Views: 21849

Re: FTP Passive issue

Have you restarted ftp since the passive range change? Is it enabled in the config? Have you run a csf -r since the update to csf? Doesn't look like it but are you using TLS? If so, add 990 as well. 22 if using sftp. What happens if you whitelist the remote host?
by UWH-David
05 Nov 2017, 22:50
Forum: General Discussion (csf)
Topic: FTP Passive issue
Replies: 8
Views: 21849

Re: FTP Passive issue

That is good. Do you have port 20 allowed as well?
by UWH-David
05 Nov 2017, 01:47
Forum: General Discussion (csf)
Topic: Ignore eth1 from iptables rules!
Replies: 2
Views: 2742

Re: Ignore eth1 from iptables rules!

You are playing with fire. You can, but this would be ill-advised as bots scan across IPs and attack anything.

ETH_DEVICE_SKIP = "eth1"
by UWH-David
05 Nov 2017, 01:40
Forum: General Discussion (csf)
Topic: pid mismatch or missing
Replies: 2
Views: 2906

Re: pid mismatch or missing

The following post may be of help:
viewtopic.php?t=8940
by UWH-David
05 Nov 2017, 01:38
Forum: General Discussion (csf)
Topic: suspicious file alert warning
Replies: 1
Views: 2022

Re: suspicious file alert warning

Use the following command and I am sure you will see it:
ls -lha

This could be partition corruption or an exploit. Run an fsck and do yourself a favor and purchase CXS from configserver.