Exactly where do you set the temporary ban duration? My temporary blocks are lasting only 60 seconds and I can't seem to find the place in the configuration to make it longer. I'm getting hit with excessive SMTPAUTH failures, and although my LF_SMTPAUTH setting is 5, the bans only last a minute and then the game continues...
I'm having a bit of an issue. I have set up a KVM VPS on my CentOS 6.5 which has routed networking.
I have a DNAT rule in the csfpre file so that, as traffic comes in (PREROUTING), the external IP is changed to the local IP. As the traffic traverses the iptables chain, it seems to be dropped (not rejected) somewhere in the FILTER FORWARD table. This is not being logged in /var/log/messages.
Background:
I like the way that CSF warns (via email) about Excessive resource usage.
I have learned to use the csf.pignore file to ignore a process that I know is resource intensive.
For example, in csf.pignore I added cmd:spamd child and no longer get warnings about SpamAssassin running.
Problem:
Every night when my daily backups run I get many email alerts about...
Hello to everyone!
Is it possible to use CSF to allow access to a port only from certain IPs?
It seems to be a simple question - but I did not find an answer yet.
Let's say I have SMTP on port 110.
I want to allow access only from external IPs 68.192.172.14 and 85.5.39.156 (which means only these 2 IPs are allowed to send emails).
All other IPs must be blocked by default.
We have used CSF for three years and never had any problems. Great script!
Since about 48 hours, though, there is a problem with CSF running on Linux VPS servers (both, with node running 5.x and 6.5 of CentOS, and the VPS themselves running 6.5). This seems independent of the control panel installed in the VPS -- I see it in case of DirectAdmin as well as cPanel.
I've got a server with multiple public-facing IPs, and I'd like certain services to only be bound on certain IPs. Services like SSH and FTP can simply be configured to only bind to a single interface, but I've got a couple stubborn ones that insist on binding to them all.
What I'm basically looking for is something like the TCP_IN option, but address-specific. For example, connections to...
I'm using a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.
I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.
If the server has a high load level, I get a nice little email that contains a snapshot of the running processes, vmstat and a dump of the server-status page.
The problem here is that our server-status page is behind HTTP password protection, so all I ever see in the report is:
Unable to retrieve Apache Server Status - Unable to download: 401 - Authorization Required
I already tried everything in the docs to ignore this process, but I still get around 100 email notifications about this. Could you help me with how I can ignore this in csf.pignore (Process Tracking)? And could this process be a virus? I opened the file session_mm_cgi-fcgi501.sem and it is empty :s. Thanks in advance for any help.
I really love the solution you are providing, but there is one function that we are missing.
Is it possible to make an IP block on the SSH service (port)?
What I mean is to make a config file with some IP addresses; when somebody connects to SSH, it will check the config file to see whether the IP is allowed to connect to SSH.
Can anyone explain exactly what situations cause this message? Has the CRON process been killed or not? What should I do in response to this message? I am not familiar with Linux.
Remote server: CentOS with cPanel and WHM
Local email client: Thunderbird on Windows 8
I deleted many small parts of the message because your forum software complains that there are URLs in it when there are no URLs...
On my server, if a user tries a wrong password 10 times, my server bans the user's IP address. After that I should remove the ban manually. Otherwise they cannot use their email address.
But if I want to set a ban time on my server, is that possible or not, and how can I do it?
May 28 11:28:32 moodle2 lfd : daemon started on moodle2 - csf v7.03 (generic)
May 28 11:28:32 moodle2 lfd : CSF Tracking...
May 28 11:28:32 moodle2 lfd : IPv6 Enabled...
May 28 11:28:32 moodle2 lfd : LOAD Tracking...
May 28 11:28:32 moodle2 lfd : csf Integrated UI running up on port 6666...
May 28 11:28:32 moodle2 lfd : Country Code Filters...
May 28 11:28:32...
May 26 03:12:43 host pure-ftpd: (?@66.249.64.165) Authentication failed for user
May 26 03:12:25 host pure-ftpd: (?@66.249.64.134) Authentication failed for user
May 26 03:14:00 host pure-ftpd: (?@66.249.64.216)...
Hi, today I get this csf.error: Error: FASTTART: (CC_DENY IPv4) [] . Try restarting csf with FASTSTART disabled, at line 3767 in /usr/sbin/csf, after running the csf -r command (used via Webmin).
lfd.log entries:
May 17 13:49:54 lfd : csf (re)start requested - running *csf startup*...
May 17 13:50:09 lfd : csf (re)start completed
May 17 13:50:14 lfd : *Error* You have an unresolved error when...
I would like to know if it's possible: we want to receive alerts if someone reaches the RT_AUTHRELAY_LIMIT limit (for example, 100), and to block an IP (and alert) if someone reaches a second RT_AUTHRELAY_LIMIT limit (for example, 200).
As I'm still pondering (in another thread) why csf won't block an IP at all and actually miscategorizes it as IPV6, here's another email sent that appears to have issues identifying the IPs in question:
Banned the following ip addresses on Tue May 20 13:09:01 EDT 2014
2400 with 266 connections
That number 2400 is supposed to be an IP, correct?
My /var/lib/csf/csf.logtemp is quite large on both servers where I have csf installed. By quite large I mean about 500 MB. Is that normal? Can it be cleared? If so, what is the best way to clear it, if it is something other than deleting it and restarting csf?
I did try restarting csf and lfd but it didn't clear the log.
FYI, the log contains entries that are months old at the beginning.