IPSET cc_us table getting very large?

[danfbach]

Hello,

Over the weekend my servers all failed to load/reload csf using the csf -r command.

It appears that the cc_us ip table has gotten massive all of the sudden?
It was failing with:

Code: Select all

csf: IPSET loading set cc_us with 79025 entries
IPSET: [ipset v7.1: Error in line 65537: Hash is full, cannot add more elements]

and then just hangs here.

So i went into csf.conf and tried changing:

Code: Select all

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "2048" #changed this to 2048

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "85000" #changed this to 85000

When i run csf -r now, it gets to the same point, and doesn't error out, but just hangs here. waited 5 minutes which should be long enough to load seeing as previously this took no more than a second or 2.

Can anyone provide guidance here?

Regards,
Dan

[danfbach]

As an addendum, It appears that this bug may be known and bad actors are in the process of exploiting it.
It was brought to my attention because I had thousands of failed ssh login attempts from china over the weekend, which would have normally been outright blocked by the cc_ filter (and also my normal TCP_IN params because SSH port is not included here, so to me that implies that csf is not even running.) Luckily LFD is still working and blocking the IPs after 5 failed attempts, but they're still able to hop IPs and try again.

[danfbach]

A little more info, I'm use maxmind's geoip database on both servers.
I tried switching CC_SRC param to 2 in order to use ipdeny.com databases rather than maxmind to see if it was an issue with maxmind's dbs...unfortunately, this did not help either.

[danfbach]

Well, I guess it just takes very long to populate the hash tables. After waiting nearly 15 minutes it loaded the...
csf: IPSET loading set cc_us with 80332 entries
csf: IPSET loading set cc_6_us with 113197 entries
...nearly 200,000 entries in the tables.

Increasing the LF_IPSET_HASHSIZE to 2048 and/or LF_IPSET_MAXELEM to 95000 seems to be necessary.
I did not try just increasing one or the other and I'm happy that it is just functioning, so I'm going to leave it alone.