Hi all,
This thread is for adding working REGEX that we can share with the community. To add them to this sticky, you should have the regex working on your server. This thread is not intended to solve any issues related to non-working regex; the intention is to give CSF users REGEXs that could give CSF more security options.
If you want to collaborate, please add your rule to this thread...
If you have one particular IP address that is either dropped or accepted through the firewall that you think should not be, then you can use the new WATCH_MODE in csf.
Before enabling this option and using the CLI command to watch an IP address, check whether it is explicitly listed first using:
csf --grep 11.22.33.44
Where 11.22.33.44 is the IP address you're tracking. If that comes back...
If you get iptables errors when trying to start csf on a VPS then you most likely have missing iptables modules for your VPS.
If your hosting provider wants to know how to configure iptables correctly on a VPS server, then you should point them to this Parallels FAQ and have them follow it (plus add ip_conntrack_ftp to the list of required modules):
We received this notice from Maxmind and would like to know how it affects us using CSF?
As of Wednesday, May 1, 2024, we will use R2 presigned URLs for all database downloads in order to increase the security and reliability of our services.
This is a potential breaking change. Please ensure that your servers can make HTTPS connections to the following hostname:...
We just ran updates on servers and now on multiple servers I have seen this issue. Customers are having issues connecting to ports that are only available with whitelisting. When I check IPs I see this:
csf -g XXX.XXX.XXX.XXX
Table Chain num pkts bytes target prot opt in out source destination
No matches found for XXX.XXX.XXX.XXX in iptables
Every once in a while, something on my server will get hung up and cause a temporary load spike up to about 10. And then every once in a blue moon, something will REALLY get hung up and cause a load spike up to 100!
I've always had CSF to email me when the load is over 6:
I'm running CentOS v7.9.2009 with WHM/cPanel. I use Cloudflare and CSF with the Cloudflare extension.
A few weeks ago, my sites started throwing intermittent Cloudflare 520 errors. The server load was fine and there was nothing in the Cloudflare logs, but I saw tons of these in /var/log/messages:
I really appreciate and want to thank you for the implementation of iptables-nft support.
As cPanel's Host Access Control dialogue on Rocky Linux 9.2 and WHM 114 showed errors, I solved that by removing firewalld and installing iptables-nft. CSF and Host Access Control both work now without problems.
While reading about nftables I stumbled upon the following Red Hat documentation stating...
On April 1st 2024, Google will implement a new pricing model that will significantly reduce the free tier usage of reCAPTCHA and introduce new prices for the reCAPTCHA Enterprise service.
A different firewall that we use has developed their own bot protection technology in preparation for this change, which will replace Google's reCAPTCHA.
Are there any plans to replace reCAPTCHA or support...
I'm trying to figure out what configuration setting within ConfigServer Security & Firewall is stopping SMTP emailing with 3rd party providers (in our case Mailgun) from working... If I disable ConfigServer Security & Firewall then the email sending works fine.
WordPress SMTP Mail Log
Versions:
WordPress: 6.4.3
WordPress MS: No
PHP: 7.4.33
WP Mail SMTP: 3.11.1
I see one IP address blocked on CSF:
# csf -g xxx.xxx.xxx.xxx
(...)
IPSET: Set:bl_CXS_LF_HTACCESS Match:xxx.xxx.xxx.xxx Setting:CXS_LF_HTACCESS file:/etc/csf/csf.blocklists
(....)
As I see in the LFD log, the IP was blocked by LFD for htpasswd fail.
However, I'm unable to unblock it from SSH with the csf -tr or csf -dr command. Which command should I use to unblock this IP address?
Hi
One of my accounts on the server keeps getting his IP blocked by the firewall because of multiple failed logins to his email. We tried to solve the issue by changing his passwords and removing his email accounts from all devices, but it is still happening.
Is there a way to tell the firewall not to block this one account no matter what happens? I tried to look around...
I’m getting a number of emails from CSF for “Suspicious process running under user ____” for Wordfence logs.
Command Line (often faked in exploits):
php-fpm: pool website_url
Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-content/wflogs/config.php...