I have some ASN that are thoroughly obnoxious and I want to block them.
I notice that CC_DENY can accept AS numbers in place of country ISO codes so I implemented what I thought would work and.....
It does not! LFD just triggered from one of those hosts.
Here is what I did:
# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
# rpm -qa | grep ipset
ipset-libs-7.1-1.el7.x86_64
ipset-7.1-1.el7.x86_64
# csf -v
csf: v14.04 (cPanel)
Changes I made to my /etc/csf/csf.conf:
Code: Select all
DENY_IP_LIMIT = "0"
DENY_TEMP_IP_LIMIT = "800"
CC_DENY = "AS210273,AS5410,AS197226,AS34665"
FASTSTART = "0"
LF_IPSET = "1"
Code: Select all
FASTSTART = "1"
Code: Select all
csf -ra
Note how up there I blocked AS210273 ?
Just got this:
Time: Sun Aug 9 11:50:01 2020 +0000
IP: 185.234.219.230 (PL/Poland/-/-/-/[AS210273 World Hosting Farm Limited])
Failures: 1 (cpanel)
Code: Select all
# csf -g 185.234.219.230
Table Chain num pkts bytes target prot opt in out source destination
filter DENYIN 19 0 0 DROP all -- !lo * 185.234.219.230 0.0.0.0/0
filter DENYOUT 19 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 185.234.219.230
IPSET: Set:cc_as210273 Match:185.234.219.230 Setting:CC_DENY Country:AS210273
ip6tables:
Table Chain num pkts bytes target prot opt in out source destination
No matches found for 185.234.219.230 in ip6tables
Temporary Blocks: IP:185.234.219.230 Port: Dir:inout TTL:86400 (lfd - (cpanel) Failed cPanel login from 185.234.219.230 (PL/Poland/-/-/-/[AS210273 World Hosting Farm Limited]): 1 in the last 3600 secs)
I do not understand how 185.234.219.230 belonging to AS210273 can make it into LFD when I have CC_DENY = "AS210273,AS5410,AS197226,AS34665" in csf.conf and csf -g shows them blocked.
What am I missing ?
I read somewhere that CC_DENY only affects incoming, not outgoing so pinging random addresses from those ASN doesn't help me troubleshoot but if I wait long enough I get brute forced by them despite there being a rule showing in csf -g <ip address>.
In what order is CC_DENY processed ? This is driving me insane!