Port Scan Tracking - Won't work on Ubuntu 20.04

miguelandroidcsf
Junior Member
Posts: 6
Joined: 17 Apr 2020, 10:43

Port Scan Tracking - Won't work on Ubuntu 20.04

Post by miguelandroidcsf »

Hi, I think there is a bug with the latest version 14.16 and Ubuntu 20.04 LTS (DigitalOcean VPS): when I try to activate Port Scan Tracking, it won't work; it just doesn't ban the IP.

Configs

Code:

PS_INTERVAL = 300
PS_LIMIT = 3
PS_PERMANENT = 1

Testing 5 different ports, and it doesn't temporarily or permanently ban.

Code:

Mar 24 17:24:19 ubuntu-s kernel: [ 6066.501407] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=41042 DF PROTO=TCP SPT=46252 DPT=230 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 24 17:24:20 ubuntu-s kernel: [ 6067.607555] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57507 DF PROTO=TCP SPT=46232 DPT=231 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 24 17:24:30 ubuntu-s kernel: [ 6077.765788] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=54762 DF PROTO=TCP SPT=46248 DPT=232 WINDOW=65535 RES=0x00 SYN URGP=0  
Mar 24 17:24:43 ubuntu-s kernel: [ 6090.847050] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=7926 DF PROTO=TCP SPT=46234 DPT=233 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 24 17:24:55 ubuntu-s kernel: [ 6102.298225] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=25378 DF PROTO=TCP SPT=46242 DPT=234 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 24 17:25:05 ubuntu-s kernel: [ 6112.466467] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:fe:00:00:00:01:01:08:00 SRC=xx.xx.xx.27 DST=xx.xx.xx.245 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=57009 DF PROTO=TCP SPT=46246 DPT=235 WINDOW=65535 RES=0x00 SYN URGP=0

Am I missing something?

Re: Port Scan Tracking - Won't work on Ubuntu 20.04

Post by miguelandroidcsf »

So this is a bug, right?

Because the new version, csf 14.16, is configured this way by default:

Code:

SU_LOG = "/var/log/messages"
FTPD_LOG = "/var/log/messages"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"

And I have an older version on an older VPS that shows the correct paths.

Code:

SU_LOG = "/var/log/kern.log"
FTPD_LOG = "/var/log/kern.log"
IPTABLES_LOG = "/var/log/kern.log"
SUHOSIN_LOG = "/var/log/kern.log"
BIND_LOG = "/var/log/kern.log"
SYSLOG_LOG = "/var/log/kern.log"

So the problem is that csf now doesn't detect the right path to the logs. After I manually changed IPTABLES_LOG = "/var/log/messages" to IPTABLES_LOG = "/var/log/kern.log", Port Scan Tracking started working fine and banning the IPs.

And do I need to correct the path for the others (SU_LOG, FTPD_LOG, BIND_LOG...) that have "/var/log/messages" to "/var/log/kern.log"?

Re: Port Scan Tracking - Won't work on Ubuntu 20.04

Post by miguelandroidcsf »

I tested this on Ubuntu 18.04, 20.04 and 21.10 with the latest csf 14.16, and all have the same problem: they don't have the correct path to /var/log/kern.log, only to /var/log/messages.

And Port Scan Tracking doesn't work this way by default; the path needs to be fixed to the correct one for it to start working.
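
Added example, not part of the original thread or of csf itself: a shell function that reads a csf.conf-style file and reports, for each *_LOG setting, whether the configured log file is missing, empty, or (for IPTABLES_LOG) holds no kernel "Firewall:" lines like those posted above. The function names, status labels and the optional root prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of csf): audit the *_LOG paths of a csf.conf-style file.
# Usage: check_csf_logs CONF [ROOT]
#   CONF  config file to read (assumed /etc/csf/csf.conf on a real host)
#   ROOT  optional prefix for every log path, so the check can run offline
# Prints "<SETTING> <path> <status>" per setting and returns 1 if any is not OK:
#   MISSING  the file does not exist
#   EMPTY    the file exists but nothing has been written to it
#   NO_FW    IPTABLES_LOG only: no kernel "Firewall:" lines in the file
check_csf_logs() {
    conf=$1; root=${2:-}; rc=0
    # Keep only settings whose value is an absolute path, e.g.
    #   IPTABLES_LOG = "/var/log/messages"
    settings=$(sed -n \
        's|^[[:space:]]*\([A-Z0-9_]*_LOG\)[[:space:]]*=[[:space:]]*"\(/[^"]*\)".*|\1 \2|p' \
        "$conf")
    while read -r name path; do
        [ -n "$name" ] || continue
        file="$root$path"
        if [ ! -e "$file" ]; then
            status=MISSING
        elif [ ! -s "$file" ]; then
            status=EMPTY
        elif [ "$name" = IPTABLES_LOG ] && ! grep -q 'kernel:.*Firewall:' "$file"; then
            status=NO_FW
        else
            status=OK
        fi
        [ "$status" = OK ] || rc=1
        echo "$name $path $status"
    done <<EOF
$settings
EOF
    return "$rc"
}

# Constructed demo: a throwaway tree in which only kern.log exists.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/var/log"
    echo 'Mar 24 17:24:19 ubuntu-s kernel: [ 6066.501407] Firewall: *TCP_IN Blocked* IN=eth0 SRC=xx.xx.xx.27 DPT=230' \
        > "$d/var/log/kern.log"
    printf '%s\n' 'IPTABLES_LOG = "/var/log/messages"' 'SYSLOG_LOG = "/var/log/kern.log"' \
        > "$d/csf.conf"
    check_csf_logs "$d/csf.conf" "$d"; st=$?
    rm -rf "$d"; return "$st"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running `check_csf_logs /etc/csf/csf.conf` on the host lists each configured log path with its status; glob patterns in a path are not expanded by this check.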