CSF should never "DROP" outbound connections
Posted: 21 May 2017, 11:12
Greetings, CSF Team.
In its current form, CSF (when configured to also block outgoing connections) will add IP blocks as a "DROP" rule for outgoing conncetions. Outgoing connections should never be dropped. This can lead to a myriad of issues in the right environment, and at least a few issues in most environments.
A "DROP" rule in iptables does not send an error/rejection packet back to the listening socket. Doing this for incoming connections is fine, even preferred. But doing this for outgoing connections is very unnecessary, and even problematic.
For example, SSHD on a default installation of a RHEL distro will not have TCPKeepAlive configured by default, which for SSH, can be ideal. One of the most commonly brute forced services on a public facing server is SSH. The result? The IP, which has an established connection with an sshd startup process, is "DROP"ed for both incoming and outgoing connections. Since the outgoing packets are simply dropped as well, SSHD has absolutely no idea that the connection has been terminated.
Fast forward a few days (or hours, if you're getting hit a lot) and you've already saturated your SSHD maxstartups, and are unable to easily login via SSH. You'll need to continually make connection attempts until SSHD has killed enough stale startup processes that it's now below the maxstartups threshold and you can login.
Ever seen an ssh_exchange_identification error, where attempting to login repeatedly has resolved the issue? Well, this is the root cause.
Furthermore, services like Apache/Nginx/LiteSpeed, MySQL, FTP etc will eventually timeout, but during that time they're wasting precious resources on sending useless dropped packets to that now blocked IP.
Solution? If you must block outgoing connections, "REJECT" should be used. Never "DROP".
Thanks for your time.
In its current form, CSF (when configured to also block outgoing connections) will add IP blocks as a "DROP" rule for outgoing conncetions. Outgoing connections should never be dropped. This can lead to a myriad of issues in the right environment, and at least a few issues in most environments.
A "DROP" rule in iptables does not send an error/rejection packet back to the listening socket. Doing this for incoming connections is fine, even preferred. But doing this for outgoing connections is very unnecessary, and even problematic.
For example, SSHD on a default installation of a RHEL distro will not have TCPKeepAlive configured by default, which for SSH, can be ideal. One of the most commonly brute forced services on a public facing server is SSH. The result? The IP, which has an established connection with an sshd startup process, is "DROP"ed for both incoming and outgoing connections. Since the outgoing packets are simply dropped as well, SSHD has absolutely no idea that the connection has been terminated.
Fast forward a few days (or hours, if you're getting hit a lot) and you've already saturated your SSHD maxstartups, and are unable to easily login via SSH. You'll need to continually make connection attempts until SSHD has killed enough stale startup processes that it's now below the maxstartups threshold and you can login.
Ever seen an ssh_exchange_identification error, where attempting to login repeatedly has resolved the issue? Well, this is the root cause.
Furthermore, services like Apache/Nginx/LiteSpeed, MySQL, FTP etc will eventually timeout, but during that time they're wasting precious resources on sending useless dropped packets to that now blocked IP.
Solution? If you must block outgoing connections, "REJECT" should be used. Never "DROP".
Thanks for your time.