ConfigServer Community Forum

Hi,

I have set LF_PERMBLOCK_ALERT = 0 and restarted CSF through WHM but I am still receiving email alerts on Excessive resource usage. Are there any other configurations that I have missed out?

We are constantly receiving Excessive Resource Usage emails, example:

Time: Sun Jan 16 10:10:34 2022 -0700
Account:
Resource: Virtual Memory Size
Exceeded: 514 > 512 (MB)
Executable: /opt/cpanel/ea-php74/root/usr/sbin/php-fpm
Command Line: php-fpm: pool
PID: 1446 (Parent PID:3470)
Killed: No

We have tried setting PT_USERMEM to 1024, and to 0 and we still receive the notices (this setting...

Its not every day I find something this perplexing, so I thought I would toss this out there to the hive mind and see if anyone can guess what might be going on here.

Server is a Centos 7, fully updated server, high end specs, bare metal, latest Release version of cPanel. Running Litespeed.

This is so weird.

So, this url:

For any of you in the forum would load perfectly normally across all...

Hello,

I am asking this question on behalf of the organisation I currently work for.

Can you please confirm this product is not vulnerable to the following CVE's in relation to the recently discovered log4j vulnerabilities

CVE-2021-44228
CVE-2021-45046
CVE-2021-45105

Thank you for your time and I apologize for the inconvenience.

Regards

Hi there,

From what I can make out, the settings are correct to only receive notifications for successful logins via SSH.

# Send an email alert if anyone logs in successfully using SSH
LF_SSH_EMAIL_ALERT = 1

LF_PERMBLOCK_ALERT = 0

Though we're still receiving alerts when there are blocks caused by failed SSH logins.

Time: Mon Jan 17 23:29:24 2022 +1000
IP: 0.0.0.0 (ZZ/Country/-)...

Hello,

I was wondering if it would be possible to send lfd notifications like: login notification, suspicious process,... to an REST API endpoint/server, instead of sending them by email? In case of an email system failure, emails are not sent, but sending them to another (monitoring) system over eg. Https (to an API) would be a good alternative.

There seems to be an option to execute a script,...

Hello,

This topic has been mentioned already. I have read all the relative posts, I think and cannot find an answer.

We are running centos 7.9, mod_security 3, CSF rules and mod_lsapi. We do see that mod_security is correctly identifying attacks in the cPanel tools. When we look in our CSF logs, we see only about a third of the IP's are being blocked.

Saw mention of the need to create a...

In what order does CSF will be triggered if I have this config set:

CT_LIMIT = 100
CT_INTERVAL = 10
CT_SKIP_TIME_WAIT = 1
CT_PORTS = 80,443

SYNFLOOD = 1

CONNLIMIT = 443;100,80;50

PORTFLOOD = 443;tcp;20;3,80;tcp;20;3

I also observe after adding CONNLIMIT and PORTFLOOD rule for port 443/80... CT_LIMIT doesn't work/block abused IP anymore.

Seems that command line help ( -h --help -?) does not work any more.
csf: v14.15 (cPanel)

I have problem with coding in file /etc/csf/csf.deny.

When I'm editing this file in Python I'm getting error: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xce in position 2882: invalid continuation byte .

# file -i /etc/csf/csf.deny
/etc/csf/csf.deny: text/plain; charset=unknown-8bit

# find . -type f -print | xargs file | grep deny
./csf.deny: Non-ISO extended-ASCII text

So my...

Hello,

I would like to permanently block/ban the ips that csf detects as port flood but I cannot. I have very often back attacks of this type:

Dec 17 23:05:15 nsxxxx kernel: Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1329 PROTO=UDP SPT=59384 DPT=27017 LEN=33

Dec 17 23:05:19 nsxxxxx...

I have been beating my head on this for quite a while. I have lost track at all of the things I have tried. I am getting notices of the following:

Executable:

/opt/cpanel/ea-php74/root/usr/bin/php.cagefs

Command Line (often faked in exploits):

/usr/local/bin/ea-php74 -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php

Network connections by the process (if any):

udp:...

Hello Forum,
I want to block an IP Adresse in the range of 91.241.72.0 to 91.241.72.254. Due to spam and multiple IP Adresse in that range.
So i added 91.241.72.0/24 #do not delete to /etc/csf/csf.deny.
And yes i restarted the firewall.

Then i tried to ping 91.241.72.1 from my host... no ping.. Great I thought it works.
The next day I got spam from that IP range agian. WTF!

After some...

Hi, i have two servers that every hour the settings are reseting, and removes on special cofig on TCP_IN, TCP_OUT and SMTP_ALLOWUSER,
i tryed to fix this reinstalling, searching for a cronjob but i already not found what is happening, on the logs there is no not about the resetting

Unless I have an IP address/port entry in the csf.allow (tcp|in|d=5061|s=my_ip_address/32), incoming SIP signaling with TLS transport (not UDP) on port 5061 is blocked.
I suspect SPI is rejecting this traffic.
Is it possible to turn off SPI on specific ports?

port 5061 is being opened with port knocking. I can see incoming traffic on tcp 5061 port with tcpdump, so I guess port has been...

I recently discovered a very odd entry in the lfd.log file (I have replaced my actual domain with 'domain.com'):

Dec 19 14:20:11 cobalt lfd : here: []
Dec 20 00:28:25 cobalt lfd : here: []
Dec 20 17:15:07 cobalt lfd : here: []
Dec 20 19:54:16 cobalt lfd : here: []
Dec 20 22:59:28 cobalt lfd : here: []
Dec 20 23:00:48 cobalt lfd : here: []
Dec 21 00:35:36 cobalt lfd : here: []
Dec 21...

Any idea how to make CSF Firewall only logging to file not the console ?
Using CloudLinux 8.5 with cPanel, last time i check the server it was correctly logging into the log file, but now it's shows the log too in the console.

Hi All,

We have seen a behaviour in all CloudLinux 8 servers with the introduction of nftables with iptables with connections using PASV.

To this test, we have ensured that on TCP_IN ports for FTP are defined between 50000-59000 and Pure-FTPD configured to use that ports.

With CSF enabled, when we try to connect to a remote FTP and it tries to list directories, this is the result:

# ftp...

Hi,

LF_SUDO_EMAIL_ALERT = 0 is ignored.

I have some scripts that use sudo to be executed, and I got a lot of emails even if the variable is set to 0.

lfd on srv1: SUDO login alert - Successful login from user1(uid=0) to user2

I've added UID 0 to csf.uidignore but still no working..

Can you please fix it?

Thank you!

Recently I started get these error messages. They are for one customer only.
Can anyone tell me what a possible cause may be.

Time: Tue Dec 14 16:16:03 2021 +1300
Type: AUTHRELAY, Remote IP - 124.248.134.94 (NZ/New Zealand/124-248-134-94.dynamic.lightwire.co.nz)
Count: 101 emails relayed
Blocked: No

2021-12-14 07:57:43 1mx2gw-0002Ok-OM <=email@domain.co.nz...