Messages - Emilius

1
CSF Firewall / Re: CSF would not block custom port for SSH
« on: June 25, 2025, 08:26:13 PM »
I cannot believe nobody responded to your post. If you still have that problem, try this. I had the same issue and this fixed it for me.

In /etc/csf/csf.conf, search for "RESTRICT_SYSLOG ="

# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog to system logs

RESTRICT_SYSLOG = "3"

If you are the only admin then 0 will be okay, otherwise put 3. Restart the firewall: csf -r

2
CSF Firewall / Re: CSF analyzer
« on: June 24, 2025, 04:42:47 AM »
Yes, I know, but there are some key elements missing for my needs. My script does subnet consolidation /24, /64 and /128, checks aging, duplicates and coverage. Also my script has native CSF integration, works 100% offline and is focused on local firewall optimization based on observed log patterns. Also, one major key difference is real-time subnet control without any outdated confidence score. Botnets are changing subnets all the time and in my opinion any kind of scoring is more or less useless, sorry. I catch them very fast and block the whole subnet for the next 2 months after it gets dropped from the list. By that time they will use another subnet range anyway...

Like you mentioned, everyone has different needs. I could not find anything close to what I had in mind so I built it myself. Simple and convenient. It needs 2 seconds to burst through my deny list. It is just a little addition to the already existing excellent firewall and deny list.

I choose to share it with others. That is all. Plain and simple.

BTW, these options in the csf.conf file are there to fine-tune your server for your needs. Again, changing some of these options will help a lot to catch these slow botnet attacks. That is why I mentioned it. You have to know that we are not all IT geeks. Like myself, I have to study all of it before I say ahhhh  :o

3
CSF Firewall / Re: CSF analyzer
« on: June 24, 2025, 01:43:32 AM »
There are a couple: speed, native to Unix/Linux systems, lightweight with no dependencies, excellent for chaining tools, great for simple automation and cron jobs...

I did some benchmarks and shell is a winner for this.

4
CSF Firewall / Re: CSF analyzer
« on: June 24, 2025, 01:00:58 AM »
Also, recommended settings to fine-tune the CSF firewall

CSF Optimization Recommendations:
 - LF_TRIGGER = 3                          # Lower threshold to catch slower, stealthy attacks (default is often 10)
 - LF_INTERVAL = 21600                     # Longer observation window in seconds (6 hours) detects slow scans or attacks
 - LF_PERMBLOCK = 1                        # Enable permanent blocks for repeated offenders
 - LF_PERMBLOCK_INTERVAL = 21600           # Time window in seconds (6 hours) to consider repeated offenses
 - LF_PERMBLOCK_COUNT = 2                  # Number of temp bans before an IP gets permanently blocked
 - DENY_IP_LIMIT = 20000                   # Allow a larger deny list size to prevent early purging
 - LF_IPSET = 1                            # Enable ipset for faster large-scale deny processing
 - LF_IPSET_HASHSIZE = 4096                # Increase hash size to support thousands of entries
 - LF_SELECT = 1                           # Only log/select login failures (reduces false positives)
 - PORTFLOOD = 22;tcp;5;60,25;tcp;10;60    # Rate-limit SSH and SMTP to protect against slow brute-force or spam
 - LF_DSHIELD = 1                          # Enable DShield blocklist (community-based malicious IPs)
 - LF_SPAMHAUS = 1                         # Enable Spamhaus blocklist (blocks known spam/malware IPs)
 - LF_GREYLIST = 1                         # Enable greylisting for suspicious IPs (adds delay, discourages bots)

5
Let it grow, but make sure you remove entries older than 60 days. Block subnet IPs and clean individual botnet IPs.
My suggestion: put DENY_IP_LIMIT = "5000" and run this script daily. I have created it exactly for that.

https://forum.centos-webpanel.com/csf-firewall/csf-analyzer/

DENY_IP_LIMIT will check the first 5000 entries from the deny list and this script will take care of your deny list so it stays clean and lean.
If your list still grows over 5000 entries then enlarge your DENY_IP_LIMIT.

6
CSF Firewall / CSF analyzer
« on: June 23, 2025, 05:16:49 PM »
I have created an intelligent analyzer and fixer script for the CSF firewall deny list and I would like to share it with everyone.
In short, what it does:
- Finds IPv4 /24 and IPv6 /64 or /128 subnets with more than 3 individual IPs.
- Reports those subnets with the associated comment.
- Detects and reports redundant IPs already covered by subnet blocks.
- Detects and reports duplicate subnet entries.
- Detects and reports entries older than 60 days.
- Detects and reports entries without a date stamp.
- To fix all of that, call it with -fix

Let me know how you like it and if there is anything else that would be smart to add.

https://www.simunovic.net/TMP/scfanalyzer.sh
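
A reduced, IPv4-only sketch of the first checks listed in the post above (consolidation candidates, redundant IPs, duplicate subnets), added here as an illustration. It is not the poster's scfanalyzer.sh; the function names, output labels and sample entries are constructed, and aging and IPv6 are left out.

```shell
#!/bin/sh
# Added example (IPv4 only): a reduced version of the deny-list checks above.
# Reads csf.deny-style lines ("entry # comment") from files or stdin and prints:
#   CONSOLIDATE <net>/24 <n>   more than 3 single IPs share one /24
#   REDUNDANT <ip> <net>/24    single IP already covered by a listed /24
#   DUPLICATE <net>/24         the same /24 is listed more than once
analyze_deny() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/24$/ {
        net = $1; sub(/\.[0-9]+\/24$/, ".0/24", net)   # normalise to network form
        if (seen_net[net]++) dup[net] = 1
        next
    }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        if (seen_ip[$1]++) next              # count each address once
        net = $1; sub(/\.[0-9]+$/, ".0/24", net)
        count[net]++; ip[++n] = $1; ipnet[n] = net
    }
    END {
        for (i = 1; i <= n; i++)
            if (ipnet[i] in seen_net) print "REDUNDANT", ip[i], ipnet[i]
        for (net in count)
            if (count[net] > 3 && !(net in seen_net)) print "CONSOLIDATE", net, count[net]
        for (net in dup) print "DUPLICATE", net
    }' "$@" | LC_ALL=C sort
}

# Constructed sample entries (documentation address ranges, not real data).
sample_deny() {
    cat <<'EOF'
# constructed sample in csf.deny layout
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 - Mon Jun 23 17:16:49 2025
192.0.2.11 # lfd: (sshd) Failed SSH login from 192.0.2.11 - Mon Jun 23 17:20:02 2025
192.0.2.12 # lfd: (sshd) Failed SSH login from 192.0.2.12 - Mon Jun 23 17:31:40 2025
192.0.2.13 # lfd: (sshd) Failed SSH login from 192.0.2.13 - Mon Jun 23 17:45:11 2025
198.51.100.0/24 # Manually denied subnet - Sun Jun 22 09:00:00 2025
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7 - Mon Jun 23 18:02:33 2025
203.0.113.0/24 # Manually denied subnet - Fri Jun 20 12:00:00 2025
203.0.113.0/24 # Manually denied subnet - Sat Jun 21 12:00:00 2025
EOF
}

sample_deny | analyze_deny
```

To run it against a real list, pass the file as an argument, for example `analyze_deny /etc/csf/csf.deny`; it only reports and changes nothing.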

7
Suggestions / Enable DAV for Roundcube
« on: February 03, 2025, 07:00:49 AM »
Hello

I would like to request this feature if possible. In my case I am not using Roundcube for web email but it should be the same. I am using Afterlogic WebMail Pro and I need DAV to sync all my calendars and contacts to my phone. In my case I have Android, and for syncing I used the DAVx5 app before, when I was paying for hosting with cPanel.

On my CWP, WebMail Pro is installed in mydomain/mail and that is where DAV should be enabled. I am hoping we can enable the DAV server in CWP settings and also have the possibility to set the path, in my case mydomain/mail.

I know there is probably a way I can enable and set this up, but with every update I may run into problems.

8
CentOS Configuration / Re: WebDAV installation
« on: January 28, 2025, 04:03:36 PM »
Is there any new, up to date guide for WebDAV?

9
CentOS Configuration / WebDAV installation
« on: January 25, 2025, 11:45:29 PM »
I am trying to get WebDAV working on my CWP. I have found some older guides but it is just not working for me.
I am using Afterlogic WebMail Pro for my email app and all I need DAV for is to sync my contacts and calendars with my Android phone using DAVx5.
DAV should be accessed from mydomain/mail/dav.php. That is where WebMail Pro stores all the data.

My skills are somewhat limited and I really need a step-by-step guide for this if possible. I really hope somebody can guide me to accomplish this.
