would be great if csf would block the attacker from the ip (or ip of hostname) being attacked. useful for dedicated ip customers or allowing a blocked ip to access a support site on another ip on the same server in order to request thier ip be unbanned.
The new cPanel WebDisk facility occasionally throws up suspicious process emails when people use it. It may be worth adding its process to the ignore processes list if you let customers use it.
This is whats needed inside the process ignore list:
It would be nice if I could move certain logon failures to a timed list so that they would clear in a specified time.
We never remove SSH failures but FTP, SMTP are often legit users that for whatever reason get themselves locked out.
If we could set this list to clear at certain intervals, it would make life a bit easier and at the same time, anyone trying hack in is going to be long gone...
CSF already does a nice job watching the exim_mainlog file. Many of us have also setup WHM to not allow any domain to send over x amount of emails per hour. When a spammer gets on the server and attempts to do so it is logged in exim_mainlog. It would be a great help if CSF could also check for multiple failures of this limit by checking for excessive sending attempts as well. I think that this...
Hello everyone,
I am using csf on all my servers and I think it's great.
I just wanted to make a sugestion about the detection of disabled_functions in php.
For example I am using suhosin to have separate disabled functions for domains.
In this way disabled_functions will be empty in php.ini and csf will detect this as a hole and as no function is disabled even if they are through suhosin.
It...
would like to suggest to add an option for the auto refresh when viewing the lfd.log through the WHM, to either refresh it or disable it. this is somewhat of a pain when trying to review the log in the WHM.
I noticed that filtering based on UID or GID of source packet in csf.allow works only if d=port is specified.
I think it would be nice to make s/d=port setting optional (unless you had a good reason to design it like that)
If IP x.x.x.x is in csf.allow but not in csf.ignore then after say N number of failed pop3d authentication attempts I get an email saying that the IP was just blocked by lfd when actually it isn't.
I think this is somewhat confusion behaviour and having lfd sent a rather different notification informing of the IP reaching the blocking threshold would be nice.
First thanks for the product it helped me catch exploited php scripts numerous times.
I'd like to see a more simple way of e-mail notications, I now edit all the .txt messages, but on different servers I have different recipients. Could you add something like a MAILTO to the csf.conf?
Is there any way to have an email sent to either the server administrator or maybe even a field setup within CSF admin page, so that when your upgrade button appears in WHM it would email telling you an update is available.
Not sure if others would benifit from this but hey worth asking.
The script alert is excellent but will work only when so many emails are sent from a local script, not when the mails are sent from a mail client, for example.
A nice addition would be to monitor the exim_paniclog as well :)
also. if i run multiple ips for example 200 ips on 1 box, the icmp block rule will add 200x2 = 400 rules in the firewall, can't that be tweaked to have 1 rule? iptables -A INPUT -p icmp -j DROP ?
this would pretty much have no impact and help A BUNCH in tweaking the firewall.
Would it be possible to have an option to make lfd fetch the GLOBAL_* urls upon startup instead in an interval?
For example LF_GLOBAL = -1 ?
The reason is I would like to manage the GLOBAL_* lists via svn. So when I update the file in svn, it triggers a restart of lfd and fetches the new file.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum