Hello,
I have updated csf to 4.46.
I found that Connection Tracking does not work although those ips are noted in tempip file.
For a very strict connection tracking, I have the following:
CT_LIMIT = 2
CT_INTERVAL = 200
CT_PORTS = 25,137,445
On the above ports there is constant spamming. The third connection should be imposing a temporary block (perm=0). This occurs very rarely, although there are several IPs that get registered by spamdyke and are searchable in maillog. They are connected multiple times and, thus, should be blocked by csf.
Other than this, most of the configuration is working fine.
I have port scan values, as well as all other values, set up higher. Hence CT_LIMIT must be activated and that connection must be blocked. Unfortunately, this does not work anymore after the update.
Any suggestions for further info to be given by me?
Connection Tracking does not work!
-
- Junior Member
- Posts: 19
- Joined: 25 Feb 2014, 16:26
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Connection Tracking does not work!
Typically, connection tracking will not work on SMTP attacks as they are usually sequential, not concurrent, which is what the feature is for. Nothing at all has changed in the connection tracking for a long time.
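The sequential-versus-concurrent distinction in the reply above, as an added example that is not part of the original thread and is not lfd's own code. It assumes a simplified model in which a scan runs every CT_INTERVAL seconds and flags an IP that holds more than CT_LIMIT connections to CT_PORTS at that instant; the connection data and IP addresses are constructed.

```python
from collections import Counter

# Values from the first post's configuration excerpt.
CT_LIMIT = 2
CT_INTERVAL = 200
CT_PORTS = {25, 137, 445}

# Constructed sample data: (source IP, destination port, open second, close second).
SEQUENTIAL = [("203.0.113.5", 25, t, t + 4) for t in range(0, 600, 10)]  # 60 short sessions, one at a time
CONCURRENT = [("198.51.100.7", 25, 190, 260)] * 3                        # 3 sessions open across a scan
BETWEEN_SCANS = [("192.0.2.9", 25, 10, 60)] * 3                          # 3 sessions closed before any scan

def snapshot(conns, now):
    """Per-IP count of connections open at instant `now` on a tracked port."""
    return Counter(ip for ip, port, start, end in conns
                   if port in CT_PORTS and start <= now < end)

def blocked_ips(conns, duration):
    """Assumed model of the periodic scan: sample every CT_INTERVAL seconds and
    flag any IP with more than CT_LIMIT connections in a single sample."""
    flagged = set()
    for now in range(CT_INTERVAL, duration + 1, CT_INTERVAL):
        for ip, count in snapshot(conns, now).items():
            if count > CT_LIMIT:
                flagged.add(ip)
    return flagged

def total_per_ip(conns):
    """What a mail log shows: every connection made, whether or not they overlapped."""
    return Counter(ip for ip, port, _, _ in conns if port in CT_PORTS)

if __name__ == "__main__":
    everything = SEQUENTIAL + CONCURRENT + BETWEEN_SCANS
    print("connections seen in the log:", dict(total_per_ip(everything)))
    print("flagged by the scan model:  ", blocked_ips(everything, 600))
```

Under this model the IP with 60 logged connections is never flagged because it never holds more than one at a time, and a concurrent burst that opens and closes between two scans is missed as well.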
-
- Junior Member
- Posts: 19
- Joined: 25 Feb 2014, 16:26
Re: Connection Tracking does not work!
Hi,
I totally disagree with you.
I need connection tracking for something like 10 CONCURRENT CONNECTIONS or more.
Anyway, it did start to work, as well as Port Scan.
The reason why it began to work is - most likely - the internal recognition and logging of csf.
If there was a hint that csf will not start blocking for a certain time, then I would not have placed this message.
Further, there are heaps of issues that must be developed. But for that discussion this thread is off topic.
If connection tracking is related with Port Scan, then one knows the relationship between the two.
I have ten connections to intercept.
What is better then, Connection Tracking or Port Scan? Both must trigger, theoretically, and block.
However, I use Port Scan as Connection Tracking does not get triggered, although both have similar values.
Thus Connection Tracking does not work properly and not as good as Port scan. Try yourself.