CSF blocking IPs, but users can still visit website

specialkev
Junior Member
Posts: 4
Joined: 14 Jan 2015, 14:39

CSF blocking IPs, but users can still visit website

Post by specialkev »

As the title says, we have CSF running and successfully blocking IPs from .htaccess based login failures. We are running nginx, but we have updated the log file locations to our nginx logs and CSF is working great. IPs are auto added to csf.deny after several failed login attempts.

Our problem arises in that users can still load up the website even after their IP has been blocked. They are locked out of SSH and probably other system services, but can continue to load the page and perform attacks. How can we change the CSF configuration so that requests to the website are also denied when an IP is blocked?
jcats
Junior Member
Posts: 29
Joined: 03 Jan 2015, 14:36

Re: CSF blocking IPs, but users can still visit website

Post by jcats »

What does this show:

# service iptables status|grep 123.123.123.123

Obviously, replace 123.123.123.123 with the blocked IP.
specialkev
Junior Member
Posts: 4
Joined: 14 Jan 2015, 14:39

Re: CSF blocking IPs, but users can still visit website

Post by specialkev »

I had to alter your command a bit, but here is what I'm seeing with iptables -L

Chain DENYIN (1 references)
target prot opt source destination
DROP all -- 17x-21x-xx-xx.region.isp.tld anywhere

Chain DENYOUT (1 references)
target prot opt source destination
DROP all -- anywhere 17x-21x-xx-xx.region.isp.tld anywhere



There are other rules in the chains that have proper IPs, but for the listing created by my failed logins, it's stored in 17x-21x-xx-xx.isp.region.tld for some reason.
jcats
Junior Member
Posts: 29
Joined: 03 Jan 2015, 14:36

Re: CSF blocking IPs, but users can still visit website

Post by jcats »

Hmm, what if you do

# csf -dr ipaddress
then
# csf -d ipaddress

does it still block by hostname?