CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

After the upgrade to CSF 12.02 the login failure daemon is blocking IP addresses from countries that are listed in CC_IGNORE!

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

Also note that I'm using the CSF cluster functions and it's happening across all servers now :( I've disabled the LFD triggers on all our servers until this can get fixed.

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by ForumAdmin »

1. What do you have listed in CC_IGNORE and what is CC_LOOKUPS set to (exactly as set)?
2. Please provide a log line with an IP that should be ignored by that list so we can test

The code for CC_IGNORE has not changed since v12.00 was released with the new lookups.

Note: Edited a few times

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by ForumAdmin »

Looking at the code, this issue can arise if you have listed the country codes in lower-case. This has always been the case though.

If they are listed in uppercase and the IP resolves to a country I'm unable to recreate an issue, so will need the setting and log lines.

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = "CA"

We have always allowed Canada as that is where all our servers are from. After the upgrade within an hour we got about 20 calls from Canadian clients getting blocked.

I've emailed your sales email account with screenshots to better describe it.

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by ForumAdmin »

I need an actual log line that triggered a block that should have been ignored. I also need the CC_LOOKUP setting. As I said, we're unable to recreate a problem.

Have you also checked on the server that triggered the block that the GeoLite2 files are actually listed in /var/lib/csf/Geo/ that correspond to the CC_LOOKUP setting, i.e. they have been downloaded and unzipped by lfd from /var/log/lfd.log?

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

On all servers:

CC_LOOKUPS = "1"

On the older servers (CentOS 5) I'm seeing this:

# ls -la /var/lib/csf/Geo/        
total 5888
drw------- 2 root root    4096 Apr  9 15:26 .
drw------- 9 root root    4096 Apr  9 10:26 ..
-rw------- 1 root root 4345880 Apr  9 15:26 GeoLite2-ASN-CSV.zip
-rw------- 1 root root 1651128 Apr  9 15:26 GeoLite2-Country-CSV.zip

On the newer servers (CentOS 7) I'm seeing this:

# ls -la /var/lib/csf/Geo/        
total 35040
drw------- 2 root root     4096 Apr  9 09:47 .
drw------- 9 root root     4096 Apr  9 14:55 ..
-rw-r--r-- 1 root root       55 Apr  9 09:47 COPYRIGHT.txt
-rw-r--r-- 1 root root 19244527 Apr  9 08:47 GeoLite2-ASN-Blocks-IPv4.csv
-rw-r--r-- 1 root root  2629108 Apr  9 08:47 GeoLite2-ASN-Blocks-IPv6.csv
-rw-r--r-- 1 root root 10743419 Apr  9 09:47 GeoLite2-Country-Blocks-IPv4.csv
-rw-r--r-- 1 root root  3224646 Apr  9 09:47 GeoLite2-Country-Blocks-IPv6.csv
-rw-r--r-- 1 root root     9928 Apr  9 09:47 GeoLite2-Country-Locations-en.csv
-rw-r--r-- 1 root root      433 Apr  9 09:47 LICENSE.txt
-rw-r--r-- 1 root root      116 Apr  9 09:47 README.txt

From the lfd log (server is CentOS 6):

Apr  9 09:43:47 web4 lfd[21909]: (imapd) Failed IMAP login from 69.172.158.167 (69-172-158-167.cable.teksavvy.com): 3 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]

The maillog (server is CentOS 6):

Apr  9 09:36:25 web4 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<education@removed.com>, method=PLAIN, rip=69.172.158.167, lip=216.138.192.180, TLS, session=<sBoOK2xpGcxFrJ6n>
Apr  9 09:36:38 web4 dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<education@removed.com>, method=PLAIN, rip=69.172.158.167, lip=216.138.192.180, TLS: Disconnected, session=<D0qZK2xpH8xFrJ6n>
Apr  9 09:43:42 web4 dovecot: imap-login: Disconnected: Inactivity (auth failed, 1 attempts in 179 secs): user=<education@removed.com>, method=PLAIN, rip=69.172.158.167, lip=216.138.192.180, TLS, session=<MGyUOmxpf8xFrJ6n>
Apr  9 09:43:42 web4 dovecot: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=69.172.158.167, lip=216.138.192.180, TLS, session=<XlJARWxpgMxFrJ6n>

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

After looking at the logs, maybe this is causing the issue on the newer server?

Apr  9 08:47:26 web4 lfd[13105]: CC Error: Unable to retrieve GeoLite2 CSV Country database [http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip] - Unable to rename /var/lib/csf/Geo/GeoLite2-Country-CSV.zip.tmp to /var/lib/csf/Geo/GeoLite2-Country-CSV.zip: No such file or directory

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

Update. OK so I've re-enabled the triggers and they seem to be working on the new servers.

I manually copied the new /var/lib/csf/Geo directories from the newer servers over to the older server and it looks like everything is working now.

1. I think that the new country unzip routines don't work on those legacy CentOS 5 servers.

2. I also think that after you do a csf -u there might be a race condition that happens if the country DB isn't downloaded yet with the switch from the old legacy to new GeoLite2 DBs where IPs might get blocked...

Re: CC_IGNORE not working after upgrade to csf: v12.02

Post by marcele »

This is what is causing the problems on the older servers:

Apr  9 08:48:09 web3 lfd[26765]: CCL: Retrieving GeoLite2 Country database [http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip]
Apr  9 08:48:09 web3 lfd[25962]: Country Code Ignores...
Apr  9 08:48:12 web3 lfd[26765]: CCL Error: /var/lib/csf/Geo/GeoLite2-Country-Blocks-IPv4.csv empty or missing
Apr  9 08:48:19 web3 lfd[26764]: CC: Retrieving GeoLite2 CSV Country database [http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip]
Apr  9 08:48:21 web3 lfd[26764]: CC Error: GeoLite2-Country-Blocks-IPv4.csv empty or missing
Apr  9 08:48:21 web3 lfd[26764]: CC: Retrieving GeoLite2 CSV ASN database [http://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip]
Apr  9 08:48:27 web3 lfd[26764]: CC Error: GeoLite2-ASN-Blocks-IPv4.csv empty or missing
Apr  9 08:48:27 web3 lfd[26764]: CC: Processing GeoLite2 CSV Country/ASN database
Apr  9 08:48:27 web3 lfd[26764]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [BR]
Apr  9 08:48:27 web3 lfd[26764]: CC: No entries found for [BR] in /var/lib/csf/Geo/GeoLite2-Country-Blocks-IPv4.csv
Apr  9 08:48:27 web3 lfd[26764]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [CN]
Apr  9 08:48:27 web3 lfd[26764]: CC: No entries found for [CN] in /var/lib/csf/Geo/GeoLite2-Country-Blocks-IPv4.csv
Apr  9 08:48:27 web3 lfd[26764]: CC: Extracting zone from GeoLite2 CSV Country/ASN database for [CA]
Apr  9 08:48:27 web3 lfd[26764]: CC: No entries found for [CA] in /var/lib/csf/Geo/GeoLite2-Country-Blocks-IPv4.csv
Apr  9 08:48:27 web3 lfd[26764]: CC: Repopulating CC_ALLOWP with IP addresses from [CA]
Apr  9 08:48:29 web3 lfd[26764]: CC: Finished repopulating CC_ALLOWP with IP addresses from [CA]
Apr  9 08:48:30 web3 lfd[26764]: CC: Repopulating CC_DENYP with IP addresses from [BR]
Apr  9 08:48:31 web3 lfd[26764]: CC: Finished repopulating CC_DENYP with IP addresses from [BR]
Apr  9 08:48:31 web3 lfd[26764]: CC: Repopulating CC_DENYP with IP addresses from [CN]
Apr  9 08:48:32 web3 lfd[26764]: CC: Finished repopulating CC_DENYP with IP addresses from [CN]
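
The checks raised across the thread (upper-case country codes, unzipped GeoLite2 CSVs present and non-empty in /var/lib/csf/Geo/, and CC errors in lfd.log), gathered into one added example that is not part of any post above and is not csf/lfd code. The function name `cc_geo_check` is hypothetical, and the CSV column positions assume MaxMind's GeoLite2 Country CSV layout.

```shell
#!/bin/sh
# Added example, not csf/lfd code. cc_geo_check is a hypothetical helper.
# Usage: cc_geo_check /var/lib/csf/Geo CA /var/log/lfd.log
# Returns 0 only if the country CSVs can resolve the code and the log is clean.
cc_geo_check() {
    geo=$1; cc=$2; log=${3:-}; rc=0
    blocks="$geo/GeoLite2-Country-Blocks-IPv4.csv"
    locs="$geo/GeoLite2-Country-Locations-en.csv"

    # Lower-case codes in CC_IGNORE do not match (per the moderator's reply).
    up=$(printf '%s' "$cc" | tr '[:lower:]' '[:upper:]')
    if [ -z "$cc" ] || [ "$cc" != "$up" ]; then
        echo "FAIL: country code '$cc' must be upper-case"
        rc=1
    fi

    # The unzipped CSVs must exist and be non-empty, not just the .zip files.
    for f in "$blocks" "$locs"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f empty or missing"
            rc=1
        fi
    done

    if [ -s "$blocks" ] && [ -s "$locs" ]; then
        # Assumed layout: Locations col 1 = geoname_id, col 5 = country_iso_code;
        # Blocks col 1 = network, col 2 = geoname_id.
        id=$(awk -F, -v cc="$cc" '$5 == cc { print $1; exit }' "$locs")
        n=0
        if [ -n "$id" ]; then
            n=$(awk -F, -v id="$id" '$2 == id { c++ } END { print c + 0 }' "$blocks")
        fi
        echo "networks for [$cc]: $n"
        [ "$n" -gt 0 ] || rc=1
    fi

    # Count lfd "CC Error:" / "CCL Error:" lines like those quoted in the thread.
    if [ -n "$log" ] && [ -r "$log" ]; then
        errs=$(grep -cE 'lfd\[[0-9]+\]: CCL? Error:' "$log" || true)
        echo "CC/CCL errors in log: $errs"
        [ "$errs" -eq 0 ] || rc=1
    fi
    return "$rc"
}
```

A non-zero return on a server that has only the .zip files in the Geo directory matches the CentOS 5 listing above, where the country lookup had no CSV data to resolve [CA].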