Temp IP bans

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
ckh
Junior Member
Posts: 147
Joined: 10 Dec 2006, 15:35

Post by ckh »

I noticed that 67.210.XXX.XXX has been constantly getting blocked because of port scans, so I made a permanent block with 67.210.0.0/16.

The problem is that even though it's permanently blocked, csf will still detect port scans and block any IP within the permanently blocked range. It will also then permanently block the IP after X number of attempts even though the c-block is already permanently blocked.

It isn't causing any problems but seems to be redundant.

Post by ckh »

A little update, problem still persists.

I had 67.210.0.0/16 blocked but csf was still adding it to the temp ban list and then moving it to the permanent ban list. This is about 50-75 different IPs in the 67.210.3.XX to 67.210.12.XX range.

I thought 67.210.3.0/20 might be a better fit but csf is still blocking temporarily then moving to permanent after X number of attempts (which I do want), but I don't think it should be adding them if the IP range is already banned.

Used the quickadd to add the IP and restarted csf/lfd a couple of times but the problem still persists.

Emptied out the deny list and it currently shows:
67.210.0.0/20 # port scans - Wed Jul 23 08:01:06 2008
67.210.3.210 # lfd: (PERMBLOCK) 67.210.3.210 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 07:38:31 2008
67.210.3.50 # lfd: (PERMBLOCK) 67.210.3.50 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 08:47:01 2008
67.210.12.139 # lfd: (PERMBLOCK) 67.210.12.139 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:10:15 2008
67.210.3.10 # lfd: (PERMBLOCK) 67.210.3.10 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:26:00 2008
67.210.4.162 # lfd: (PERMBLOCK) 67.210.4.162 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:44:46 2008
67.210.12.109 # lfd: (PERMBLOCK) 67.210.12.109 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:54:50 2008
67.210.12.152 # lfd: (PERMBLOCK) 67.210.12.152 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:56:59 2008
67.210.3.178 # lfd: (PERMBLOCK) 67.210.3.178 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 10:16:07 2008

Temp IP ban list has 4 of them in that range in it right now. Just emptied the lists about an hour ago and restarted.

Post by ckh »

I think I found the problem. I had:

DROP_IP_LOGGING

enabled. I disabled it and it all seems to be working now.
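An added example, not part of the original posts and not csf's own code: a Python check that reports which single-address entries in a deny list are already covered by a wider CIDR entry, as with the PERMBLOCK lines under 67.210.0.0/20 quoted in the thread. The sample text is constructed in the layout shown there, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of the deny list quoted in the thread
# (entry, then "#" and a comment); it is not read from a live server.
SAMPLE_DENY = """\
67.210.0.0/20 # port scans - Wed Jul 23 08:01:06 2008
67.210.3.210 # lfd: (PERMBLOCK) 67.210.3.210 has had more than 2 temp blocks
67.210.12.139 # lfd: (PERMBLOCK) 67.210.12.139 has had more than 2 temp blocks
192.0.2.77 # constructed entry outside the blocked range
"""


def parse_deny(text):
    """Return [(network, entry_text)] for each plain IP or CIDR entry."""
    entries = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not entry:
            continue
        try:
            # strict=False accepts entries written with host bits set,
            # such as 67.210.3.0/20, and normalises them to the network.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a plain address or CIDR; out of scope here
        entries.append((net, entry))
    return entries


def find_redundant(entries):
    """Map each entry to the widest other entry that already contains it."""
    redundant = {}
    for net, entry in entries:
        covers = [other for other, _ in entries
                  if other.version == net.version
                  and other.prefixlen < net.prefixlen
                  and net.subnet_of(other)]
        if covers:
            redundant[entry] = str(min(covers, key=lambda n: n.prefixlen))
    return redundant


if __name__ == "__main__":
    for entry, cover in find_redundant(parse_deny(SAMPLE_DENY)).items():
        print(f"{entry} is already covered by {cover}")
```
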