Issue with the alert emails being send by csf

Linuxlover
Junior Member
Posts: 16
Joined: 01 Feb 2014, 11:58

Issue with the alert emails being send by csf

Post by Linuxlover »

Hello,

I have a cPanel / WHM server with csf installed on it. I have csf configured to automatically report abusive IP addresses to the abuseipdb blacklist. It works fine; however, when I receive the email csf sends, the blocked IP address has the wrong country. For example, csf just sends me that

194.87.138.228 (RU/Russia/-) is blocked for a portscan

However, in this case Russia should be Germany. This could be a bug (it's not the first time I've noticed this), or csf is innocent and my configuration is wrong somewhere.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Issue with the alert emails being send by csf

Post by ForumAdmin »

Sounds like out of date country code data.
  • Which csf option are you using to send a report?
  • What is the full line in csf.deny and lfd.log for the block?
  • What are the following set to:
    • CC_LOOKUPS
    • CC_SRC
  • What are the dates on the files in /var/lib/csf/Geo/
Linuxlover
Junior Member
Posts: 16
Joined: 01 Feb 2014, 11:58

Re: Issue with the alert emails being send by csf

Post by Linuxlover »

Hello,
  • PS_LIMIT
  • *Port Scan* detected from 194.87.138.228 (RU/Russia/-). 11 hits in the last 250 seconds. I use temp blocks
  • CC_LOOKUPS = 1
  • CC_SRC = 1
  • The dates in /var/lib/csf/Geo are reasonably recent; the oldest is 18 October 2020
Regarding CC_SRC, I did read your notice that MaxMind now requires an API key. I got one, and csf does retrieve that database:
Oct 30 10:58:16 lfd[23861]: CCL: Retrieving MaxMind Country database [http://download.maxmind.com/app/geoip_d ... xxxxxxxxxx]
I also have a geoipupdate cron that runs every day.
Linuxlover
Junior Member
Posts: 16
Joined: 01 Feb 2014, 11:58

Re: Issue with the alert emails being send by csf

Post by Linuxlover »

The problem is still there. I forced a redownload of the MaxMind databases by deleting the corresponding files in /var/lib/csf/Geo, but it didn't help. It does download the databases, but reports the wrong country sometimes, not always.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Issue with the alert emails being send by csf

Post by ForumAdmin »

I just checked the MaxMind database and it is a problem with their data:

This is their range match:
194.87.128.0/18,2017370,2017370,,0,0

This is their country match:
2017370,en,EU,Europe,RU,Russia,0

Which is why Country Code to IP address matching can be unreliable.

I'd suggest switching to:
CC_SRC = "2"

Then restart csf and then lfd and check the lfd.log for completion of the CCL files. They appear to report that IP correctly:


# csf -i 194.87.138.228
194.87.138.228 (DE/Germany/North Rhine-Westphalia/Düsseldorf/-/[AS24961 MYLOC-AS])
Linuxlover
Junior Member
Posts: 16
Joined: 01 Feb 2014, 11:58

Re: Issue with the alert emails being send by csf

Post by Linuxlover »

Hello,

Ok, I'll change that csf setting and in the meantime I'll go complain to MaxMind :-) Thank you.
Linuxlover
Junior Member
Posts: 16
Joined: 01 Feb 2014, 11:58

Re: Issue with the alert emails being send by csf

Post by Linuxlover »

Hello,

The problem is still there even after setting CC_SRC = "2". csf emails me that 194.26.25.126 is blocked; it reports that IP as (US/United States/California/Los Angeles/-), however that should be (RU/Russia/Moscow/-).
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Issue with the alert emails being send by csf

Post by ForumAdmin »

That is again down to the source files. It is why there is a warning about relying on Country Codes in csf and the inherent inaccuracy of Geolocation by IP address. There is nothing at all that we can do to help with third party provided resources:


194.26.25.0,194.26.25.255,NA,US,California,"Los Angeles",34.0522,-118.244
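The two source formats quoted in this thread (the MaxMind-style blocks + locations pair from the earlier reply, and the single-file start/end range format above) can be cross-checked against each other before a country code in an lfd alert is acted on. The following is an added example, not csf's own code: it re-implements the two lookups over the rows quoted in the thread, plus one constructed DE range row matching the `csf -i` output shown earlier, and flags IPs on which the sources disagree.

```python
import csv
import io
import ipaddress

# MaxMind-style blocks file: network,geoname_id,registered_country_geoname_id,...
# The single row is the range match quoted in the thread.
MAXMIND_BLOCKS = "194.87.128.0/18,2017370,2017370,,0,0\n"
# MaxMind-style locations file: geoname_id,locale,continent_code,continent,cc,country,is_eu
MAXMIND_LOCATIONS = "2017370,en,EU,Europe,RU,Russia,0\n"
# Range-style file: start,end,continent,cc,region,city,lat,lon. The US row is quoted
# in the thread; the DE row is CONSTRUCTED to match the csf -i output shown above.
RANGE_DB = (
    '194.26.25.0,194.26.25.255,NA,US,California,"Los Angeles",34.0522,-118.244\n'
    "194.87.138.0,194.87.138.255,EU,DE,North Rhine-Westphalia,Düsseldorf,51.22,6.78\n"
)


def lookup_maxmind(ip, blocks=MAXMIND_BLOCKS, locations=MAXMIND_LOCATIONS):
    """Resolve ip -> country code the MaxMind way: longest-prefix match in the
    blocks file, then join geoname_id against the locations file."""
    addr = ipaddress.ip_address(ip)
    countries = {row[0]: row[4] for row in csv.reader(io.StringIO(locations))}
    best, geoname = None, None
    for row in csv.reader(io.StringIO(blocks)):
        net = ipaddress.ip_network(row[0])
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best, geoname = net, row[1] or row[2]  # fall back to registered country
    return countries.get(geoname) if best else None


def lookup_range(ip, ranges=RANGE_DB):
    """Resolve ip -> country code in the start,end range format."""
    addr = ipaddress.ip_address(ip)
    for row in csv.reader(io.StringIO(ranges)):
        if ipaddress.ip_address(row[0]) <= addr <= ipaddress.ip_address(row[1]):
            return row[3]
    return None


def cross_check(ip):
    """Return both answers plus whether they agree; a disagreement is the signal
    that the country code in an alert should not be trusted on its own."""
    a, b = lookup_maxmind(ip), lookup_range(ip)
    return {"ip": ip, "maxmind": a, "range_db": b, "agree": a == b}


if __name__ == "__main__":
    for ip in ("194.87.138.228", "194.26.25.126"):
        print(cross_check(ip))
```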