GLOBAL_DENY list in CSF apparently no longer working.

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

GLOBAL_DENY list in CSF apparently no longer working.

Post by jols »

The challange is to block all scanalert.com scans as they are apparently used by hackers to probe our servers.

Okay, so for the past two months we have collected all the scanalert IPs that we can and we have inserted these in an world accessible (via URL) list, and then inserted the URL in the GLOBAL_DENY = slot with an LF_GLOBAL = value of 1800

At first this seemed to work fine, but for the past week or so, I am getting several of these kinds of notices per day that involve IPs that should be blocked, i.e. that are in the GLOBAL_DENY list:

-----------------------
Time: Mon Oct 29 15:37:13 2007
IP: 216.35.7.105 (sc4-scan37.scanalert.com)
Failures: 12 (webmail)
Interval: 45 seconds
Blocked: Yes

Log entries:

216.35.7.105 - 0 [10/29/2007:20:37:01 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - >"><script>alert(123)<script><" [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user password hash is missing from system (user probably does not exist)
216.35.7.105 - 0 [10/29/2007:20:37:02 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
216.35.7.105 - 0 [10/29/2007:20:37:03 -0000] "POST /login/ HTTP/1.1" webmaild: user name not specified or invalid user
...... etc. etc. etc
-----------------------

Could there be something wrong with our IPTables?

Thanks very much for any help here.
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

Post by jols »

Anything?

I guess the basic question is this:

If an IP is in the GLOBAL_DENY list, then why am I still receiving notices that we are still being hit with fake log-ins, etc. by this same IP?
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

No idea, is the IP listed in the GDENY chain? If so, make sure the IP isn't being allowed via a rule or chain before it hits GDENY in the INPUT chain.
Post Reply