Multiple email notifications upon single action

Vano · Post by **Vano** » 06 Apr 2009, 14:53

Hello,

We use CSF v4.60 (generic)

When the IP is added to tempban by Connection tracking tool, we receive multiple emails with interval equal to CT_INTERVAL

Here is a CT config:
CT_LIMIT = "100"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "86400"
CT_STATES = ""
CT_PORTS = ""

here is the example of the last temp-banned IP and the logs

in /etc/csf/csf.tempban
1239012534:82.114.69.24::inout:86400:lfd - (CT) IP 82.114.69.24 found to have 478 connections

in /var/log/lfd.log
Apr 6 14:08:54 server lfd[21167]: (CT) IP 82.114.69.24 found to have 478 connections - *Blocked in csf* for 86400 secs

here are some copies of the 7 emails received upon this action:

===== 1st one =========
Time: Mon Apr 6 14:08:54 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 478
Blocked: temporarily

Connections:
tcp: 82.114.69.24:1742 -> 208.100.40.200:80 (SYN_RECV)
tcp: 82.114.69.24:1741 -> 208.100.40.200:80 (SYN_RECV)
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (ESTABLISHED)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (ESTABLISHED)

======= 2nd one ===========
Time: Mon Apr 6 14:09:34 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 476
Blocked: temporarily

Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (ESTABLISHED)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (ESTABLISHED)

====== 3rd one =======
Time: Mon Apr 6 14:10:14 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 478
Blocked: temporarily

Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (FIN_WAIT1)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (FIN_WAIT1)

====== 7th (last) one ========
Time: Mon Apr 6 14:12:54 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 473
Blocked: temporarily

Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (FIN_WAIT1)
.....
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (FIN_WAIT1)

================

Do you have any ideas how to fix the issue? perhaps this is a kind of bug that comes out due to quite low value of CT_INTERVAL?

Thanks,

-Vano

Post by **chirpy** » 06 Apr 2009, 18:09

I've added a workaround for this issue in the forthcoming csf release.