ConfigServer Community Forum

I have several VPS's and even a dedicated server all working fine with CSF. Some with Webmin, some with DA.

I have one VPS though without CSF. In the past I installed CSF on it but it was'nt working. After working with CSF for some time now I decided to try again.

Unfortunately after disabling testing mode the VPS frooze (locked up). With the help of the service desk I regained control again...

We have just received a brand new server from singlehop, and when attempting to install CSF etc, we apparently are blocked by the configserver's actual firewall. Our IP range includes 198.20.70.XXX

I have had to edit my evidence below due to:
You are not currently authorized to post url links, please remove or rename:

traceroute to configserver.XXX (85.13.195.235), 30 hops max, 60 byte...

After we upgraded to 6.47 we no longer get email alerts for permblocks and the comments after the IP address in csf.deny are missing now (seel below). We do however still get alerts for temp blocks. Anyone else having this problem?

92.87.5.14 # lfd: (PERMBLOCK) 92.87.5.14 (RO/Romania/-) has had more than 4 temp blocks in the last 86400 secs - Tue Jan 14 11:08:32 2014
200.77.249.162 # lfd:...

The IP's have been changed to dummy IP's but what I have going on is the following.

I have a cpanel server 10.10.10.10 and a web site builder server at 9.9.9.9. The site builder software compiles the web site on 9.9.9.9 and then FTP's it to 10.10.10.10. I have explicitly allowed 9.9.9.9 via csf -a 9.9.9.9 on the cpanel server. However I noticed when publishing some of the ftp activity works but...

Hello,

It seems every time CSF upgrades to the latest version csfpre .sh is not run after the upgrade when csf restarts.

I have some extra rules and have to manually restart the firewall after an upgrade to re-enable these rules. This happens on 2 systems with Centos 5.10 (+ cPanel VPS) & Centos 6.5 (+ cPanel DNS only).

Thanks,

Chris

Hi,

I'm starting make a rule to csf block ips of fail on asterisk SIP user login.

This is line of log:

NOTICE chan_sip.c: Registration from ' 8260 ' failed for '2.2.2.2:5075' - No matching peer found

111.111.111.111 is asterisk server ip
2.2.2.2 is a source of attack ip

log file: /var/log/asterisk/full

I create this regex, but on my testes not work?

if (($lgfile eq $config{CUSTOM3_LOG})...

I had a maxed out csf.deny

if I then do

csf -d 1.2.3.4/24

it will happily remove do not delete lines

there were clearly other lines available to delete in the csf.deny

mostly auto NETBLOCK and PERMBLOCK, but they were left untouched

Hello.
I am being hammered from anonymous TOR ips.
I have enabled the TOR blocklist and it's working.
I can read at lfd.log Retrieved and blocking blocklist TOR IP address ranges
But I am still being hammered with SQLInyections from that IPs.
When I inspect the iptables rules, I see that the TOR chain is incomplete, with 1961 entries. While at the torproject website the list is of arround 2200...

Hi There,

First of all i would to say thanks to CSF and it's entire team for making an outstanding firewall utility and that too for free!

I would like you to make Reset default settings for CSF & it's other tool, if anything goes wrong after making changes to csf firewall settings we can simply use Reset Default Settings

It would be good if you can implement this feature ASAP.

Vote Guys, if...

hello all -

Sergio was kind enough to introduce me to regex.custom.pm. i need to block access to the wordpress file wp-login.php .

here is what i am proposing to do:

1) file /etc/httpd/conf/httpd.conf

change:
CUSTOM2_LOG = /var/log/messages
to:
CUSTOM2_LOG = /var/log/virtualmin/marksdomain.com_access_log

2) file /usr/local/csf/bin/regex.custom.pm

add:

if (($lgfile eq...

Hello,

The URL in csf.blocklists is invalid:

#RBN|86400|0|
I went through the EmergingThreats website and found these links which may be of interest:

Detail: - lists a number of links to text files which contain ips.
- last update seems to be February 2012 so not sure how accurate this list would be over two years on. There's no date in the list itself so I don't know if the list is...

Hi

I am using Filezilla to upload files to my server, I start to upload them and it works fine, then I get blocked by the firewall meaning I can't access anything until the block times out.

Can you tell me how I adjust these settings so that it does not keep blocking me please?

Thanks
M

Good Day,

This is my first time using CSF as my firewall for my VPS, I have it working now because certain ports were closed when i enable CSF, but i would like to know as to what logfile should i look if i wanted to see CSF blocked ips or what log file should i tail to see it working? I have it installed on a debian system. Thanks!

hello all -

when i issue a command such as:
csf --deny 111.222.333.444 ;

do i also need to issue the command:
csf --restart ;

to make this IP number actually blocked?

i notice even though there is an IP ## in the csf.deny file, that IP can still reach our server.

hello all -

i have a crontab script that runs every two minutes scanning logfiles for brute-force wordpress login attempts. if i find more than 40 in a one minute period, my script issues the following command something like:

csf --deny 111.222.333.444 ;

this seems to do the same thing as the Quick Deny button.

is there a command line equivalent of the Quick Ignore button? i am thinking this...

My vps keeps down for the past 3 consecutive days and I had to reboot to bring the server back. After talking to my vps provider, they told me that there's nothing wrong on their end. So I did a little investigation on my end.

I have looked at my /var/log/messages, and found out that

Mar 30 05:00:09 servername lfd : SYSLOG check
...
Mar 31 05:00:08 servername lfd : SYSLOG check
after logging...

I have a very strange problem with CSF running on a VPS with cPanel.

This started to happen at a random moment.
When trying to access any site hosted on that VPS, the title of the page loads and so do some of the first bytes. Sometimes the header of the webpage is shown, sometimes not. The browser shows as the page is loading, but nothing more happens.

I checked the logs, but haven't seen...

I want to block any offender that generates that kind of message in syslog:

Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.
(SOMESITEURL = what is says, because this forum is absolutely paranoid, not allowing an URL to appear in posts)

I put this...

I'd like the option to ban a whole /24 or larger when a custom trigger or other event happens.

Bonus if there are individual settings for temp ban vs perm ban

(ie. a temp ban, just the single ip, temp moving to perm ban = whole /24, or maybe other way around)

I could have sworn csf/lfd already had something like this but maybe I am mistaken.

Am I correct in that there is no extra burden on...