Using CC denies and full IP Block blocks yet IPs get thru

PPNSteve
Junior Member
Posts: 5
Joined: 19 Aug 2013, 08:38

Using CC denies and full IP Block blocks yet IPs get thru

Post by PPNSteve »

OK so we decided to block some well known exploit and spam IPs and countries (mainly China and similar) using BOTH csf (CC_Deny setting) on the server and htaccess on specific domains. Now here's the kicker and problem.
These blocked IPs are still getting through to Apache and other services and generating page requests, email login hack attempts, etc.

Here are a couple of examples:
Apache hits:

7-0	26099	1/1/15583 	K 	0.26	0	812	38.7	0.04	845.51 	110.88.99.1	[redacted].com	GET /blog/index.php/b/2009/02/09.
16-0	26241	1/42/14569	K 	4.80	1	909	40.3	2.54	715.31 	110.89.11.6	[redacted].com	GET /blog/index.php/b/2012/01/20/..
email hits:

2013-08-19 07:32:53 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2381: 535 Incorrect authentication data (set_id=sales)
2013-08-19 07:33:00 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2477: 535 Incorrect authentication data (set_id=sales)
2013-08-19 07:33:12 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2568: 535 Incorrect authentication data (set_id=sales)
etc...
CSF:

Searching for 110.89.11.6...

Chain            num   pkts bytes target     prot opt in     out     source               destination
CC_DENY          1023     0     0 DROP       all  --  *      *       110.88.0.0/14        0.0.0.0/0
...Done.

Searching for 183.32.163.34...

Chain            num   pkts bytes target     prot opt in     out     source               destination
CC_DENY          284      0     0 DROP       all  --  *      *       183.0.0.0/10         0.0.0.0/0   <-- was already set up before csf.deny ban was added
DENYIN           207      0     0 DROP       all  --  !lo    *       183.32.163.34        0.0.0.0/0
DENYOUT          205      0     0 DROP       all  --  *      !lo     0.0.0.0/0            183.32.163.34

csf.deny: 183.32.163.34 # lfd: (smtpauth) Failed SMTP AUTH login from 183.32.163.34 (CN/China/-): 5 in the last 300 secs - Mon Aug 19 07:33:32 2013

...Done.
-----------------------------------------------------

It's not just this IP range, but a large collection of the banned IPs at random times throughout the day and night. Way too many to list here in any case.
Anyone seeing issues like this?

How can I fix it so these denies actually block these bad IPs?
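The diagnostic hint in the listings above is the pkts column: every DROP rule that covers the attacking address shows 0 packets, even though the address keeps showing up in the Apache and Exim logs. As an added example (not from this thread or from csf), the Python below parses a listing in that `csf -g` layout, finds the rules whose source or destination range contains a given IP, and flags DROP rules whose counter is still zero; the sample listing and the function names are constructed for the example.

```python
import ipaddress

# Constructed sample, laid out like the `csf -g <ip>` listing quoted in the
# first post (header row, then one iptables rule per line).
SAMPLE_LISTING = """\
Chain            num   pkts bytes target     prot opt in     out     source               destination
CC_DENY          284      0     0 DROP       all  --  *      *       183.0.0.0/10         0.0.0.0/0
DENYIN           207      0     0 DROP       all  --  !lo    *       183.32.163.34        0.0.0.0/0
DENYOUT          205      0     0 DROP       all  --  *      !lo     0.0.0.0/0            183.32.163.34
"""

def parse_listing(text):
    """Parse the rule rows into dicts; the header row and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 11 or cols[0] == "Chain":
            continue
        chain, num, pkts, _bytes, target, _prot, _opt, _in, _out, src, dst = cols[:11]
        rules.append({
            "chain": chain,
            "num": int(num),
            "pkts": int(pkts),
            "target": target,
            # ip_network accepts both a bare host address and CIDR notation
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
        })
    return rules

def covering_rules(ip, rules):
    """Rules whose source or destination range contains ip (0.0.0.0/0 is treated as 'any', not a match)."""
    addr = ipaddress.ip_address(ip)
    def pins(net):
        return net.prefixlen > 0 and addr in net
    return [r for r in rules if pins(r["src"]) or pins(r["dst"])]

def idle_drop_rules(ip, rules):
    """Chains holding a DROP rule that covers ip but has a zero packet counter.

    A zero counter means no packet has ever traversed that rule, so the traffic
    seen in the application logs is not reaching the chain at all (for example
    the chain is not referenced from INPUT/OUTPUT, or an earlier ACCEPT wins).
    """
    return [r["chain"] for r in covering_rules(ip, rules)
            if r["target"] == "DROP" and r["pkts"] == 0]

if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for chain in idle_drop_rules("183.32.163.34", rules):
        print(f"{chain}: DROP rule covers 183.32.163.34 but has matched 0 packets")
```

Running it against a live box would mean feeding it the output of `csf -g <ip>` instead of the constructed sample; a non-empty result for an IP that is visibly active in the logs says the rules exist but are not on the packet path.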
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Using CC denies and full IP Block blocks yet IPs get thr

Post by ForumAdmin »

Make sure that you have SAFECHAINUPDATE enabled and then restart lfd.
PPNSteve
Junior Member
Posts: 5
Joined: 19 Aug 2013, 08:38

Re: Using CC denies and full IP Block blocks yet IPs get thr

Post by PPNSteve »

Thanks for your reply. It's telling me:

# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules

So, seriously, should I enable it or not? I have restarted csf/lfd a few times now since I added the CC_DENY entries.
PPNSteve
Junior Member
Posts: 5
Joined: 19 Aug 2013, 08:38

Re: Using CC denies and full IP Block blocks yet IPs get thr

Post by PPNSteve »

OK

Now, so how are these blocked IPs getting past the firewall?

One of my Hands-On techs said the allow, deny order should be reversed, but I don't know.
Need some help here.