You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, as recent discussion on #1169 I've tried to upgrade to head using barracuda up-head system, and everything seems to be ok.
I detect a suspucious CPU usage on my server so I started to check and I can see many mails reporting a distributed ssh attack, this is normal on a daily basis except that csf was not blocking the IPs, I manually block them using csf -d IP_NUMER but it also doesn't take effect. I was curious so I restarted csf using csf -q and again nothing happens.
I then made a full upgrade of barracuda to head keeping octopus in stable using:
# cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
# barracuda up-head
# barracuda up-head system
# octopus up-stable all both
# bash /var/xdrago/manage_ltd_users.sh
# bash /var/xdrago/daily.sh
To found in logs something like:
BOA [09:59:27] ==> INFO: Upgrading csf/lfd firewall...
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
/opt/tmp/boa/lib/functions/firewall.sh.inc: line 66: cd: csf: No such file or directory
So maybe csf is not getting installed because is not extracted. But weird thing is that if I run csf -version I can get csf: v10.22 (generic).
Now the bad thing is that if I run iptables -L there is no policy applied !
The thing seems to be ipset:
# csf -r
lfd will restart csf within the next 5 seconds
*WARNING* Binary location for [IPSET] [/usr/sbin/ipset] in /etc/csf/csf.conf is either incorrect, is not installed or is not executable
*WARNING* Missing or incorrect binary locations will break csf and lfd functionality
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
Because even if I install manually csf (according to the script and it also reports OK on the test) it sitll runs, it still "works", it still send me mails but in the real world it is not working, it is not blocking ips or doing its magic, it is just reporting things.
This seems to be a critical security issue.
The text was updated successfully, but these errors were encountered:
Thanks for the heads up! It was a matter of missing symlink. Should be fixed on all systems running current BOA HEAD and CSF in a few minutes. Note that this affects standard/popular VPS systems, but not VServer based containers, which typically have firewall on the physical machine or network level only, so it's not managed by BOA.
There were two not really related issues here. The most important was about the missing symlink to ipset which prevented CSF from working, and the second, related to the incorrect download URI for the CSF update. Since BOA doesn't uninstall CSF, the previously installed version still worked, just update didn't work (but there is also self-update, which is used in the first fix). Both fixed now.
Hi, as recent discussion on #1169 I've tried to upgrade to head using
barracuda up-head system
, and everything seems to be ok.I detect a suspucious CPU usage on my server so I started to check and I can see many mails reporting a distributed ssh attack, this is normal on a daily basis except that csf was not blocking the IPs, I manually block them using
csf -d IP_NUMER
but it also doesn't take effect. I was curious so I restarted csf usingcsf -q
and again nothing happens.I then made a full upgrade of barracuda to head keeping octopus in stable using:
To found in logs something like:
So maybe csf is not getting installed because is not extracted. But weird thing is that if I run
csf -version
I can getcsf: v10.22 (generic)
.Now the bad thing is that if I run
iptables -L
there is no policy applied !The thing seems to be ipset:
Because even if I install manually csf (according to the script and it also reports OK on the test) it sitll runs, it still "works", it still send me mails but in the real world it is not working, it is not blocking ips or doing its magic, it is just reporting things.
This seems to be a critical security issue.
The text was updated successfully, but these errors were encountered: