Blocked IPs still turn up in access logs

JosKlever
Junior Member
Posts: 4
Joined: 12 Oct 2021, 13:55

Post by JosKlever »

I'm using a file with IP addresses and ranges as a permanent block list. When I search for an abusive IP address (5.188.62.76) in CSF I see that it's blocked by 5.188.62.0/24 resulting in the following output:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         
filter DENYIN           37291     0     0 DROP       all  --  !lo    *       5.188.62.0/24        0.0.0.0/0
filter DENYOUT          37291     0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            5.188.62.0/24

ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 5.188.62.76 in ip6tables

Permanent Blocks (csf.deny): 5.188.62.0/24

However, this IP is still showing up in access logs attempting to do malicious things. This IP is just an example and it's happening with many more. And not just in the access logs, but also in Exim or other logs. Can someone explain this to me and help figure out how this can happen?

I'm using a dedicated server with AlmaLinux 8.4, DirectAdmin 1.62.9, OpenLiteSpeed 1.7.14, CSF 14.11
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

Remember that CSF is a software firewall, so any IP, blocked or not, will connect to the server, and depending on whether it is blacklisted it will be denied any access, but the log will save that connection.

With a hardware firewall it is a different thing: blocked IPs will never get to your server, as the IP will be blocked before it enters your server.
JosKlever
Junior Member
Posts: 4
Joined: 12 Oct 2021, 13:55

Post by JosKlever »

What route does a request take? Is OLS accepting the request, then calling CSF to check it and block the request if applicable? Or does CSF check the request first before it reaches OLS? Same for other services of course...
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

On the different OS that CSF works on, the OS receives the IP connection and logs it, then the IP is passed to CSF, and then CSF checks whether it is blocked or not.

If the IP is allowed to continue, then the other suites of the CSF software will check what the IP does and trigger any option that CSF is configured to block.
Last edited by Sergio on 26 Oct 2021, 06:29, edited 1 time in total.
JosKlever
Junior Member
Posts: 4
Joined: 12 Oct 2021, 13:55

Post by JosKlever »

Sergio, what do you mean by "different OS" and "OP"? I just don't understand your last comment.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Post by Sergio »

OS = Operating Systems
Linux, CloudLinux, CentOS, etc.
JosKlever
Junior Member
Posts: 4
Joined: 12 Oct 2021, 13:55

Post by JosKlever »

I know what OS is (I'm using AlmaLinux like I said), but what do you mean by "different OS"? And what does it have to do with the process I'm describing, where a service like OLS (webserver) or Exim (mailserver) is reached by an IP that should be completely blocked by CSF? These services should never be reached to save resources.
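
The pkts and bytes columns in the output from the first post are per-rule match counters. The following is an added example, not part of the thread or of CSF: it parses output in that layout and pairs each DENYIN counter with the number of access-log hits from addresses the rule covers. The third rule line, the log lines and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Rule lines 1-2 are copied from the first post; rule 3 is constructed.
SEARCH_OUTPUT = """\
filter DENYIN           37291     0     0 DROP       all  --  !lo    *       5.188.62.0/24        0.0.0.0/0
filter DENYOUT          37291     0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            5.188.62.0/24
filter DENYIN           12       48  2880 DROP       all  --  !lo    *       203.0.113.0/24       0.0.0.0/0
"""
# Constructed access-log lines (client address is the first field).
ACCESS_LOG = """\
5.188.62.76 - - [25/Oct/2021:10:00:01 +0200] "GET /wp-login.php HTTP/1.1" 403 199
5.188.62.76 - - [25/Oct/2021:10:00:02 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199
198.51.100.7 - - [25/Oct/2021:10:00:03 +0200] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [25/Oct/2021:10:00:04 +0200] "GET / HTTP/1.1" 200 5120
"""

def to_count(field):
    """iptables abbreviates large counters, e.g. 12K or 3M (powers of 1000)."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
    if field[-1] in scale:
        return int(field[:-1]) * scale[field[-1]]
    return int(field)

def parse_denyin(text):
    """Rows are: Table Chain num pkts bytes target prot opt in out source destination."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 12 and p[1] == "DENYIN" and p[2].isdigit():
            rules.append((ipaddress.ip_network(p[10]), p[5], to_count(p[3])))
    return rules

def log_hits(text):
    """Count log lines per client address; lines without a leading IP are skipped."""
    hits = Counter()
    for line in text.splitlines():
        try:
            hits[ipaddress.ip_address(line.split(" ", 1)[0])] += 1
        except ValueError:
            continue
    return hits

def report(rules_text, log_text):
    """'never-matched' means the counter is 0: no packet hit the rule since its last reset."""
    rules = parse_denyin(rules_text)
    return [(str(ip), str(net), target, pkts, n, "matched" if pkts else "never-matched")
            for ip, n in log_hits(log_text).items()
            for net, target, pkts in rules if ip in net]
```

A zero counter only says the rule has not matched since it was loaded or its counters were reset, so compare it against log entries from the same period.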