One IP not fully blocked by csf

ComtechResearch
Junior Member
Posts: 6
Joined: 10 Aug 2013, 21:36

One IP not fully blocked by csf

Post by ComtechResearch »

I just had the cPanel Service Package + MailScanner work done to a dedicated LAMP server, and LOVE it! It was money very well spent indeed! :-)

There was just one IP so far that I had to manually enter in order to block. I don't know if this is a bug, something specific to my server, or what. I didn't see anything in the documentation or in this forum about this.

There were hundreds of lines like this (446 in just one email). After several notifications like this from lfd about this IP address, I finally manually blocked the IP below in the WHM plugin, and the notifications --and the entries in /var/log/secure-- immediately stopped.

/var/log/secure:
Aug 10 01:00:24 srv3 sshd[4427]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4435]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4436]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4437]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4438]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4439]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4440]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4441]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4442]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:37 srv3 sshd[4748]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4750]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4751]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4752]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4753]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4754]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4755]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4756]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:01:47 srv3 sshd[4757]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:02:50 srv3 sshd[4792]: refused connect from 5.135.143.59 (5.135.143.59)
... [many more like this over an hour]

This only appeared in /var/log/secure, not in any other log such as /var/log/messages.

I even have the last line in /etc/hosts.allow "sshd : ALL : deny" (without the quotes). I don't know how or what this IP is up to or why an attack from only this IP happens. Anyone have any ideas? Should I even be concerned about this?

Thanks,
Mike
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: One IP not fully blocked by csf

Post by ForumAdmin »

That isn't a log line that csf currently checks for. We'll look at adding it in the next version.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: One IP not fully blocked by csf

Post by ForumAdmin »

This has been implemented in csf v6.31:
http://blog.configserver.com/?p=1978
ComtechResearch
Junior Member
Posts: 6
Joined: 10 Aug 2013, 21:36

Re: One IP not fully blocked by csf

Post by ComtechResearch »

I noticed that. Thank you!
ComtechResearch
Junior Member
Posts: 6
Joined: 10 Aug 2013, 21:36

Re: One IP not fully blocked by csf

Post by ComtechResearch »

It still seems that this is occurring.

/var/log/secure:
Aug 22 17:00:06 srv3 sshd[11726]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:00:25 srv3 sshd[11763]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:00:45 srv3 sshd[11769]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:01:05 srv3 sshd[12055]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:01:24 srv3 sshd[12066]: refused connect from 37.59.15.158 (37.59.15.158)
... [80+ lines like this edited out here]
Aug 22 17:27:54 srv3 sshd[13207]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:28:13 srv3 sshd[13214]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:28:33 srv3 sshd[13225]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:28:53 srv3 sshd[13233]: refused connect from 37.59.15.158 (37.59.15.158)
Aug 22 17:29:13 srv3 sshd[13240]: refused connect from 37.59.15.158 (37.59.15.158)

I still have to manually add the IP to the FW to stop this.
And, sometimes, the above generates this:

/usr/local/cpanel/logs/error_log:
Previous check_sessions still running with pid: 12088. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 12361. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 12361. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 12952. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 12952. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 12952. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 13402. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 13402. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 13752. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 14014. Possible cpsrvd denial of service attack in progress.
Previous check_sessions still running with pid: 14014. Possible cpsrvd denial of service attack in progress.

When this happens, a cpanel restart usually "flushes" those PIDs.

The above is just one example.

Otherwise, things seem to be working well. I thought you would like to know that the attacks in /var/log/secure containing "refused connect from" are still not automatically added to iptables.
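Added example, not csf/lfd's own code: a small detector for the tcp_wrappers "refused connect from" line shown in the first post and in the Aug 22 sample above. It parses those sshd lines out of /var/log/secure, counts refusals per source address in a sliding window and reports addresses that reach a threshold, which is the decision lfd makes before blocking. The sample log is constructed from the thread's line format; the threshold, window length and log year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcp_wrappers denial as sshd writes it to /var/log/secure (format taken from the thread)
REFUSED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"refused connect from \S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)$"
)

# Constructed sample, not a real capture: the thread's line format with one unrelated
# sshd line and a second, low-volume source mixed in.
SAMPLE_LOG = """\
Aug 10 01:00:24 srv3 sshd[4427]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4435]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4436]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:33 srv3 sshd[4437]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:00:40 srv3 sshd[4440]: Accepted publickey for admin from 192.0.2.10 port 5222 ssh2
Aug 10 01:01:37 srv3 sshd[4748]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:02:50 srv3 sshd[4792]: refused connect from 5.135.143.59 (5.135.143.59)
Aug 10 01:05:02 srv3 sshd[4900]: refused connect from 192.0.2.77 (192.0.2.77)
"""

def parse_refused(text, year=2013):
    """[(datetime, ip)] for each refused-connect line; syslog has no year, so one is assumed."""
    hits = []
    for line in text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            hits.append((ts, m.group("ip")))
    return hits

def max_hits_in_window(times, window):
    """Largest number of one source's events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def offenders(text, threshold=5, window_seconds=300, year=2013):
    """ip -> peak refusal count for sources reaching `threshold` refusals within the window (assumed values)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_refused(text, year):
        per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    peaks = ((ip, max_hits_in_window(t, window)) for ip, t in per_ip.items())
    return {ip: n for ip, n in peaks if n >= threshold}
```

An operator would hand each flagged address to `csf -d <ip>` (the manual block the poster was doing), whereas lfd does this from its own log-scanning regex once the line format is one it recognises.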
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: One IP not fully blocked by csf

Post by ForumAdmin »

This should now be resolved in csf v6.34:
http://blog.configserver.com/?p=2041
ComtechResearch
Junior Member
Posts: 6
Joined: 10 Aug 2013, 21:36

Re: One IP not fully blocked by csf

Post by ComtechResearch »

It seems to be resolved now. Thanks!