when csf/lfd checks for a lot of connections from certain ip, and blocks them if they exceed a treshold.

is it possible to make a button that would force that action at a specific time ? and list the ips that are overloading the server

ip - x connections (over the treshold set in the config) and have option to block them at that specific time?

this would be great

Hi

I suggest to add something like LES (from R-fx) to default install/upgrade of Configserver firewall - it will increase security on cpanel servers, what do you think? maybe there is good point to add checking LES installation on Security Check option in CSF?

Apparently, Security-Enhanced Linux (selinux) isn't as secure as the title implies... :eek: - see post by katmai:

Would it be worth adding another check in the csf Server Security Check to warn if selinux is enabled?

(also, could this be another item addressed by the CS Server Service Package?)

I love the fact that I get an email when the load goes high and it includes the process list from TOP

What would make it even better is if the list that was emailed could be sorted by CPU usage - since thats the priority of the email ...

Keep up the great work

It would be nice if you could set which BLOCKS you would like to be PERM and which TEMP. The items requested with this option would be:

LF_SSHD; LF_FTPD; LF_POP3D; LF_IMAPD; LF_HTACCESS; LF_MODSEC; LF_CPANEL; LT_POP3D; and LT_IMAPD.

Currently you please a postive number in the option for these. What if CSF looks at the number and if it is positive then it is a PERM BLOCK and if negitive it is...

Hello,

Firstly, thank you so much for this script! It is excellent!

Personally I have shut off the cPanel mod_security plugin and installed mod_security myself. This way I don't get cPanel scrubbing the audit_log every hour. Your script does a far better job of displaying more information about each potential attack!

I wonder though for someone that has little to no idea about these things,...

Hello,
i have dedicated server and install csf and lfd

will time i upload one shell c99 on server and run them,and in part :: Command execute :: and enter cat /var/cpanel/accounting.log, i can see all user and all site in my server

and if i enter command ls /home/ /public_html i can enter to any user that want

Do you have away ?
i close them,until hacker can`t see all site and see all files...

Please consider adding support for proftpd and UW IMAP (pop3 and IMAP) detection for lfd processing for non cpanel systems. Thanks.

I think if you could ajax the menus for the WHM integration portion where a person can simply collapse or expand whatever section would be great... Okay enough suggestions or keep going? :)

Instead of seeing reports on a browser and lagging your browser out, I think if CSF could just email it out to a preset email address once it's done compiling or giving the ability to choose, view on screen or email...

I think disabling wget is another nice one if you don't do automated updates, where if you do only updates manually and this will help a lot of sysadmins out for one if they are fighting lamers trying to do a lot wget crons if some can relate to this. So possibly a wget disabler added to CSF. (Sooner or later you all will need a whole screen with menus :eek: )

Maybe adding a feature on setup to enable/disable CSF frontend on WHM be helpfull for those dummies that get managed Dedicated or VPS, so we can disable frontend for those that do not know how to deal with it.

Hi Chirpy :)

I changed your regex.pm a little to not block all mod_security related entries as some IPs were getting blocked for Access Allowed , for example :p

My rule is now :
if (($config{LF_MODSEC}) and ($line =~ /\ mod_security: Access denied/)) {
return ( mod_security triggered by ,$1, mod_security );

But I guess it will be overwritten with the next csf update... maybe you could...

Has anyone tested CSF on Debian?

Is it possible to modify the load monitoring system to run a script when it notices high load ? I think it would be quite an important tool for someone admins who know certain loads happen and may want to write a response to handle things automatically.

Hi,

May be it's possible to give suspicious.tar discovered by lfd a timestamp, so that more files can be kept in /cf/csf in case of more illegal scripts to examine.

Would be great!

Frans

Hello Chirpy,

would it be possible to add the IP address for SU alerts. I though if I just added the shortcut in the email alert it may put the IP in there, but it doesn't. IE:

lfd: SU login alert - Successful login from admin to root

Time: Thu Dec 21 09:09:28 2006
From: admin
To: root
Status: Successful login
IP:

as we now disabling direct root logins and it would be handy, when an alert...

I know there is a feature that allows us to only allow certain ports. Also one that allows us to drop incoming on certain ports. But I would love to see an option that allowed blocks based on destination ports.

It would be nice to have two new enhancements in csf menu:

1. new quick option for input allowing to put one IP same way as

2. new option and maybe other like... stop and start.

Best regards and great respect for Author :-)

Hi,

Your install script assumes that there is a path to sbin. For some reason my provider has omitted this and I haven't gotten around to changing it, as it usually isn't a problem.

Just a suggestion that you might consider adding /sbin/ before the calls to executables.

Or not...