I'm using tomcat 9 and csf v12.08. When I try to open a connection on my web app (Java) like this (simple example):
URL url = new URL( url here );
url.openConnection();

I reiceve the error:
java.lang.RuntimeException: java.net.ConnectException: Connection refused (Connection refused)

And if I turn off the CSF there is no error.

I have tried using the default configuration of the CSF, but I...

I understand the need to send resource-depleted services to the server administrator. These are important.

Yet, everywhere I look on how to ignore them or stop innocent alerts from being sent, not in any of them I can find understandable explanation on when to use the cmd vs. pcmd entry in the csf.pingore file.

Can someone please explain the different?

I am receiving boatloads of alert emails...

Hi,

Looking for some help from people if anyone has any idea.

Shortly before and during an inbound syn DDOS attack on https on my server yesterday I notice some weird alerts from CSF Firewall reporting weird outbound traffic.

The IP address is included in the logs as this is null routed and no longer in use.

I interpret the logs as my server was trying to make outbound connections to...

I have 2 items in csf.redirect and FASTSTART=1.
These work fine on normal operation, however upon a server reboot, the redirects stop working until a 'csf -r' is issued.

Any help around this , or a patch to ensure redirects activated properly on reboots?

Hi All,

Can anyone advise why I regularly receive LFD notice on domains and email accounts that no longer exists on the Server.
(Also physically checked cPanel + Forwarder + autoresponder that the email account is deleted and no longer exists).

Is this normal?

Thanks.

I've been sending mail from PHP scripts using an SMTP connection to a remote EXIM mail server, but it just stopped working. I have WHM with CSF installed and when I restart CSF, mail is transported successfully again, but then after a week or so it just stops again.

I've tracked this down to a call to fsocketopen in my PHP script. If I open a connection to any remote IP on port 25 and read from...

Hello,

I have searched the forum and not found an answer to this. There were some old threads that seemed outdated, so I am going to ask again. Apologies if this topic has been addressed and I missed it.

We use IPSET and CIDR blocking at CSF. I have one domain that needs to allow China access to port 80 or their site. Is this possible using csf somehow. I dont want to open up the whole server...

this is a test post2

I looked around and couldnt find the answer.
How can I setup csf to allow only the ip address i select to access ssh and deny all others ? I am using centos 7

Hello, how we can exclude cpanelsolr in pignore?

Thanks!

Time: Fri Nov 16 23:01:20 2018 +0100
Account: cpanelsolr
Resource: Process Time
Exceeded: 274648 > 1800 (seconds)
Executable: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64/jre/bin/java
Command Line: /usr/lib/jvm/jre-1.8.0/bin/java -server -Xms512m -Xmx512m -XX:NewRatio=3 -XX:SurvivorRatio=4 -XX:TargetSurvivorRatio=90

If i were to block all countries but the US, would this load all non-US IPs into the deny list (memory) in order to block? How is this handled, is it memory intensive?

Hello,

I'm using this regex to block wp-login.php POST requests on /etc/csf/regex.custom.pm:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] POST \/wp-login\.php.* 200/)) {
return ( Failed WordPress login from ,$1, wordpress , 5 , 80,443 , 3600 );
}

My CUSTOM2_LOG point to the access_log file in csf.conf correctly.
I restart csf after making the changes
csf -r

Still POST...

Hi, I am trying to exclude a few process in the /etc/csf/csf.pignore script with some simple regex rules, but I am still getting alerts. The rules I am trying are;

pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
pexe:/opt/cpanel/ea-php*/root/usr/bin/php-cgi

However, if I enter these each manually as follows, they do work.
#exe:/opt/cpanel/ea-php54/root/usr/bin/php-cgi...

Hi. I'm getting through a lot of `Suspicious File Alert` emails and wondered if you can shed some light for me. I'm not sure what is triggering the emails, whether its csx or the firewall or what but here's the email I get::

```
Time: Thu Nov 15 02:15:15 2018 +0000
File: /tmp/systemd-private-a6133d7fde4048eb9edfb67e9b7a5554-ea-php72-php-fpm.service-vNsXRF/tmp/error.htm.php4L36dP
Reason: Script,...

HI Eveyone,

We've just had an issue where csf was blocking remote backups to a server on my internal network. I ended up turning off the firewall so we could do backups.

Any idea?

Hi,

I've recently noticed in my logs many of these:

Nov 14 01:50:48 server.fqdn phpMyAdmin : user denied: root (mysql-denied) from x.x.x.x

How can I get CSF /LFD to catch these and block the source IP attempts?

Thanks.

Michael.

Hey Guys,

Would anybody be able to assist with a regex rule for CSF that would block attempts on the SMTP gateway ASSP?
It create's lines like this in exim_mainlog : dovecot_plain authenticator failed for ( - 185.222.209.83 -) :60094: 535 Incorrect authentication data (set_id=user@domain.tld)

How can I have these ip's blocked after let's say 5 attempts?

Hello

I´m using CSF in all my servers with WHM/cPanel since LOT years ago.
I not had any problem in all these years. Now..

the CSF page in WHM take a LOT time to load.
Any action i make there (block an IP, unblock an IP, open the config, restart CSF, etc.) take LOT tme.

The servers itself are OK,, low load, etc.

Any clues?.. some config issue?, some WHM version compatibility issue?

Thanks...

Since the last update to csf we've been getting multiple notifications every time a user accesses phpMyAdmin.

lfd on xxxx.xxxxx.com: Suspicious File Alert
File: /tmp/pma_template_compiles_USERNAME/twig/9f/9f2b0868c0ee3bdb8fbcdba6e363515596d67849ea34a2ad71b70607edbb2a33.php
Reason: Script, file extension
Owner: USERNAME:USERNAME (510:507)
Action: No action taken

I would normally just...

Hi.

I recently enabled a couple of RBL's in CSF. I get reports via X_ARF enabling, and it seems that IP's listed in the RBL's defined in csf.rblconf are still getting through and hitting Brute Force, producing the X_ARF report where I can see 5 attempts.

Shouldn't the RBL match of the IP stop even 1 attempt? (assuming the RBL check is working)

Michael.