ConfigServer Community Forum

I hoping someone can offer some advice.

I have a client who has been blocked from his own site 2 times in the last 2 weeks. Both times he was making updates to Woocommerce products. He had been able to make changes for probably about 30 mins before he lost connection.

A part of the block email is below:

211.29.242.32] ModSecurity: Access denied with code 200, [Rule:...

Hello, I receive a lot of email alarm that looks like this:

Time: Sat Feb 12 20:13:41 2022 +0200
PID: 1934 (Parent PID:4804)
Account: cpanel
Uptime: 98 seconds

Executable:

/opt/cpanel/ea-php80/root/usr/sbin/php-fpm

Command Line (often faked in exploits):

php-fpm: pool cpanel_pool

Network connections by the process (if any):

tcp: CPANEL PUBLIC IP:47104 -> CPANEL PUBLIC IP:443

Files...

I have CSF installed on multiple servers for a number of years. I have one server that takes a very long time (45 to 70 seconds) to stop or restart LFD. I can restart CSF and it restarts quickly/normally. Only LFD is an issue.

I have been investigating this off and on for a few days and it's driving me crazy. I thought maybe a log file got HUGE or something and LFD is having an issue reading it....

Hello,
Webmin Bandwidth monitor module reads from file
/var/log/bandwidth
records like
Feb 17 07:00:30 condor3949 kernel: BANDWIDTH_IN:IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:5d:64:ab:80:8e:08:00 SRC=148.72.175.248 DST=148.73.156.235 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=21965 PROTO=UDP SPT=50799 DPT=32412 LEN=29
These records produced by IPTABLES settings
-A FORWARD -o br0 -j LOG --log-level 7...

Hi,
I have ModSecurity 2.9 and OWASP Rule v3.3.0 running on my box Cloudlinux/nginx proxy/Apache 2.4 (+mod_remoteip)
Some rules ban IPs on CSF , other rules just block on moddesc and no CSF ban...
i have all triggers correctly in apache logs and correct setup in csf
MODSEC_LOG=/usr/local/apache/logs/error_log
LF_MODSEC = 5
LF_MODSEC_PERM = 1

is this a normal behavior? i need to edit some...

Hi,
I have a client with 5 sites on a server. She logs in to all 5 one after another in few minutes.
That behaviour cause csf to block her IP as a login attack even though she login once to each site.
Is there a way to let csf count the login of each site separately?
I white listed her IP but that is not a good solution since her IP is dynamic.
I tried to find an answer here but no success....

Hi,
I'm looking for a way to get the information pushed to an email address (if not directly to a webhook) as soon as a specific file size changes.

I found a way to do something similar - using the lfd Directory File Watching as mentioned here and also mentioned here .

I configured the relevant email address as described here - and I started getting the email alerts - The problem is that I get...

On a VPS running current WHM and CSF/LFD:

Time: Fri Feb 11 18:01:06 2022 -0500

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/bin/mysql_install_db: FAILED
/bin/mysql_install_db: FAILED

Time: Fri...

Hello,

Over the weekend my servers all failed to load/reload csf using the csf -r command.

It appears that the cc_us ip table has gotten massive all of the sudden?
It was failing with:

csf: IPSET loading set cc_us with 79025 entries
IPSET:

and then just hangs here.

So i went into csf.conf and tried changing:

# The following sets the hashsize for ipset sets, which must be a power of 2....

Hi,
I have some entries in apache log but csf do not want block it.

my csf setup is:
LF_MODSEC =1
LF_MODSEC_PERM=1

an example of hit:

ModSecurity: Warning.
Pattern match \\\\$+(?: *|\\\\s*{.+})(?:\\\\s|\\\\ |{.+}|/\\\\*.*\\\\*/|//.*|#.*)*\\\\(.*\\\\)
at ARGS:trend_format .
[data Matched Data: $s (%2$s) found within ARGS:trend_format : %1$s %3$s (%2$s) ]

, referer:

how can i fox it?

NEW Linux Accuwebhosting Cloud Server.

Accuweb now uses Zabbix in their server templates to monitor newer servers for UP/SOWN and who all knows.

I REQUIRE CSF to be on ALL my servers and that it be RUNNING and configured properly.

Accuweb Support says they cannot telnet into or get the Zabbix signal from zabbix-agent to their monitor server when my CSF is installed.

I UNINSTALLED and...

I have installed Shadowsocks client (for SOCKS5 proxy) and Privoxy (for convert socks5 to http proxy) on Centos 7 (I use cPanel).

SOCKS5 is running on 127.0.0.1:1080
Privoxy is running on 127.0.0.1:8118

When the CSF is enable, the socks5 and http proxy don't work:

# curl --socks5 127.0.0.1:1080
curl: (35) Encountered end of file

But when I disable CSF (csf -x), It works:

# curl --socks5...

Hi
Is it possible to disable login failure detection of IMAP in the CSF configuration for a particular user?

I would like to make sure login failure in a single account do not add the user IP to a deny list.

Some customers just don’t understand why they are blocked, but it might be an old ipod in their network trying to continually connect with an old password.

Hi team

I am using CSF and mod Security. I have implemented an automated reporting facility to AbuseIPDB.

It all works well - except occasionally, it sends a report to AbuseIPDB but does not block in CSF

When that happens, this is what is reported in AbuseIPDB

(CT) IP 12.345.6.789 (CA/Canada/-) found to have 190 connections;

This is what shows in Hits List for Modsec (there are many...

We are getting blocks from an unknown IP range which is not visible in any of our other logs besides lfd logs. It does not cause any harm as of now but it looks like a csf bug itself. Please suggest some solution if there is available or fix it in next update.

Blocks that we are getting is as below:

Time: Mon Nov 29 05:35:47 2021 -0800
IP: 0.172.31.183 (-)
Connections: 2160
Blocked: Temporary...

Hi,

Is there some way to ignore checks for a specific email address?

My situation is that one of our cPanel users had an email address for an employee. The employee is gone, the address was deleted but the ex-employee still checks the address a thousands of time a day and they keep banning some important IP addresses. We have whitelisted the respective ranges but now we are getting many...

i need to exclude single email login with same To header from distributed attack / permblock

this is sample exim log line
1nBXpM-000DFy-Nx for email@domain.com

if i add this code to csf.logignore should work ?

^.*dovecot_login:email@domain.com.*for email@domain.com

Ever since I try CSF on a new Debian 9.4 server, LFD fails to start.
I first migrated csf.conf and allow and ignore lists etc. from a debian 7 server,
Then also tried a clean install, To no avail. Searches don't bring help either.
Some hits on sendmail requirement? Who still uses sendmail? Seriously. I'm running postfix. Done so for 20 years. Up until now CSF LFD always worked fine....

Hello friends.

How can we block sites like hackertarget.com/reverse-ip-lookup and host and block all domains on one IP address?

Is there a way to block it through CSF/LiteSpeed?

hello

i use whm/cpanel , also last weeks i receive lot of amil notification like :
lfd on servers.site.com: Excessive resource usage: host (24147 (Parent PID:1817))

Time: Wed Feb 26 18:48:07 2020 +0100
Account: host
Resource: RSS Memory Size
Exceeded: 331 > 256 (MB)
Executable: /opt/cpanel/ea-php72/root/usr/sbin/php-fpm
Command Line: php-fpm: pool host_us
PID: 24147 (Parent PID:1817)
Killed:...