Hi all,
this thread is to add working REGEX that we can share with the community. To add them to this sticky, you should have the regex working in your server, this thread is not intended to solve any issues related with no working regex, the intention is to give users of CSF REGEXs that could make CSF with more security options.
If you want to collaborate, please add your rule to this thread...
If you have one particular IP address that is either dropped or accepted through the firewall that you think should not be, then you can use the new WATCH_MODE in csf.
Before enabling this option and using the CLI command to watch an IP address, check whether it is explicitly listed first using:
csf --grep 11.22.33.44
Where 11.22.33.44 is the IP address you're tracking. If that comes back...
If you get iptables errors when trying to start csf on a VPS then you most likely have missing iptables modules for your VPS.
If your hosting provider wants to know how to configure iptables correctly on a VPS server, then you should point them to this Parallels FAQ and have them follow it (plus to add ip_conntrack_ftp to the list of required modules):
I have a VPS with Almalinux8, Cpanel and CSF installed and with a 600Mpbs port. I started experiencing speed issues with FTP uploads (because it limited data upload) and so to check the speeds from the server, I installed speedtest cli.
I'm using csf 14.20 on an Ubuntu Jammy system behind a 1GB FIOS connection. With csf/lfd running, I get throughput of about 30M/s, which increases to about 800M/s with csf/lfd disabled. I'm using a fairly generic csf.conf (shown below) and have tried to improve performance by reducing DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT to 100, but obviously it's still subpar. Any suggestions for how to narrow...
For a server I manage, I explicitly want to receive notification emails of successful ssh logins. I've enabled this, and allow-listed my own fixed IP address.
My customer can login to one account using ssh, but doesn't have a fixed ip. Is there a way to allow-list the public ssh key he's using?
An example of such notification would be:
Nov 28 13:05:51 srv sshd : Accepted publickey for...
Currently, I get a ton of emails like this:
lfd on : Suspicious File Alert
Time: Mon Nov 27 10:17:20 2023 +0100
File: /tmp/xxxxxxxx.o
Reason: Linux Binary
Owner: varnish:varnish (xxx:xxx)
Action: No action taken
These files are created by Varnish when it compiles the VCL for reloading.
However, I already whitelisted the varnish user from /etc/csf/csf.fignore like this:
user:varnish...
Hi,
I have already looked around this form , but did not come to a positive conclusion in the end.
I have been working for years with csf (and now also with cxs ). Now I am getting 'weird' messages on /opt/cpanel/ea php81/root/usr/sbin/php-fpm. Especially since multiple files are being opened/transferred.
I have investigated the ip's and they are from cloudflare and google (even 1 from...
Recently I disabled WP-CRON for wordpress and started using CPANEL with WGET to replace it. I've started getting emails lfd on XXXXX: Suspicious process running under user . I found some instructions on where to go to tell CSF to ignore these in the /etc/csf/csf.pignore edit, but I'm unclear exactly how to do this. Here is what the LFD emails are showing:
SYSTEM INFORMATION
OS type and version Rocky linux 8.8
Webmin version 2.101
Virtualmin version. 7.8.2
Config server Firewall(CSF) verison 14.20(generic)
I want to see alerts of outgoing emails from my server when they cross a certain limit and I have configured everything accordingly but alerts are not coming in my given email. Everything is working fine except Relay Tracking. We are using...
I've always used CC_ALLOW_FILTER to block non-US IPs, but I recently began using Cloudflare and now all connections come from a Cloudflare IP! My server load has skyrocketed, so I don't think that CSF is able to block non-US IPs anymore.
I blocked them in Apache configuration, but I think that runs after CSF, too, so I'm still getting the Apache connection for each request. And I'm talking about...
We are warding off a country denial of service attack on a WHM Exim server that has been ongoing for around 1 week. The attack takes the form of 1000s of servers sending email to non-existing recipients on the Exim server, quickly overwhelming the Exim's server's connection count limit ` smtp_accept_max `. The default for Exim is 20 connections. The default for cPanel is 100 connections. In our...
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum