Incoming portflood over tcp6 won't be blocked

frustrated
Junior Member
Posts: 8
Joined: 16 May 2014, 21:08

Incoming portflood over tcp6 won't be blocked

Post by frustrated »

Hello, I am frustrated, hence the choice of a username. :(

Getting port-flooded daily, at times that I am supposed to be catching some ZZZ's.

Once the portflooding begins, this IP appears in the email notifications, of which there are plenty:

tcp6: 19.245.64.24:50654 -> [my VPS IP]:80

The port number, i.e. 50654 in this example, varies with every entry.

I've blocked 19.245.64.24 manually and it's in csf.deny and it makes no difference.

I might have to add that I'm using Cloudflare with mod_cloudflare enabled. The initial email shows the Cloudflare IP, stating that it was blocked with too many connections. Then, subsequent notifications reveal that IP above.

Any help is appreciated!
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Incoming portflood over tcp6 won't be blocked

Post by Sergio »

this is not right:
tcp6: 19.245.64.24:50654 -> [my VPS IP]:80
as that is not an IP6.

Please post the entire email received.
frustrated
Junior Member
Posts: 8
Joined: 16 May 2014, 21:08

Re: Incoming portflood over tcp6 won't be blocked

Post by frustrated »

Hi Sergio,

I understand that's not an IP6 but I pasted the line verbatim, removing my server's IP.

Here's some more of the email(s) - I trimmed the process list and changed the username.

Time:    Fri May 16 09:41:13 2014 -0400
PID:     19289 (Parent PID:17399)
Account: USERNAME
Uptime:  55 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/USERNAME/public_html/index.php


Network connections by the process (if any):

tcp6: 19.245.64.24:52709 -> [MY VPS IP]:80


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00d19000 r-xp 00000000 08:05 21775030                           /usr/bin/php
00f19000-00fe1000 rw-p 00919000 08:05 21775030                           /usr/bin/php
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Incoming portflood over tcp6 won't be blocked

Post by Sergio »

I understand about not writing your IP and that is the way to do it.

Now, what I want to check is this:
tcp6: 19.245.64.24:52709 ->
Does your server use an IP6?
frustrated
Junior Member
Posts: 8
Joined: 16 May 2014, 21:08

Re: Incoming portflood over tcp6 won't be blocked

Post by frustrated »

No, the VPS is on an ipv4.

I'm stumped as the 19.245.64.24 is blocked at Cloudflare level also. Looks like a mistranslation of the real IP by CSF?

Any help is appreciated.
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Incoming portflood over tcp6 won't be blocked

Post by Sergio »

First try turning off IP6 at:
IPV6 = 0

and see if that works for you.
frustrated
Junior Member
Posts: 8
Joined: 16 May 2014, 21:08

Re: Incoming portflood over tcp6 won't be blocked

Post by frustrated »

Ok. First off, IPV6 is disabled in WHM/CPanel.

Second, the CSF setting is already IPV6 = 0

I have not changed any of the default configuration regarding IPV6.
frustrated
Junior Member
Posts: 8
Joined: 16 May 2014, 21:08

Re: Incoming portflood over tcp6 won't be blocked

Post by frustrated »

So the question is, is CSF fooled into reporting an IP that cannot be blocked? Is it a glitch (since that IP isn't even IPV6 to begin with)?
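
Added example, not part of any post in this thread and not CSF code: on Linux, a socket listed in /proc/net/tcp6 can have an IPv4 peer, recorded as an IPv4-mapped address (::ffff:a.b.c.d), which is one way a "tcp6:" line ends up showing an IPv4 address. The sample rows are constructed (192.0.2.10 stands in for the server IP), the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress

# Constructed rows in the /proc/net/tcp6 layout (trailing columns omitted).
# Row 0: IPv4 client on a dual-stack listener; row 1: a native IPv6 client.
SAMPLE = """\
  sl  local_address                         remote_address                        st
   0: 0000000000000000FFFF00000A0200C0:0050 0000000000000000FFFF00001840F513:CDE5 01
   1: B80D0120000000000000000001000000:01BB B80D0120000000000000000002000000:9C40 01
"""


def decode_endpoint(field):
    """Decode one 'HEXADDR:HEXPORT' field from /proc/net/tcp6.

    The kernel prints the 128-bit address as four 32-bit words in host
    byte order, so each 4-byte group is reversed here (little-endian
    host assumed) to recover network byte order.
    """
    hex_addr, hex_port = field.split(":")
    raw = bytes.fromhex(hex_addr)
    net = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    addr = ipaddress.IPv6Address(net)
    mapped = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
    family = "ipv4-mapped" if mapped is not None else "ipv6"
    return str(mapped or addr), int(hex_port, 16), family


def remote_peers(table):
    """Return (address, port, family) for the remote side of each row."""
    peers = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 3:
            peers.append(decode_endpoint(cols[2]))
    return peers


if __name__ == "__main__":
    for address, port, family in remote_peers(SAMPLE):
        print(f"tcp6: {address}:{port} ({family})")
```

An IPv4-mapped peer is still IPv4 traffic on the wire, so it is the IPv4 rule set, not the IPv6 one, that sees those packets.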