
Blocks appear to be removed way before the set time

Posted: 25 Apr 2019, 21:56
by RonaldB
Hiya all,

I just noticed this happening since today and I don't know what's going on. See the log below:

Apr 25 17:28:46 arabier lfd[21528]: (WordPress) Failed wordpress login from 88.68.42.8 (DE/Germany/dslb-088-068-042-008.088.068.pools.vodafone-ip.de): 5 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Apr 25 18:35:35 arabier lfd[2058]: Incoming IP 88.68.42.8 temporary block removed
Apr 25 18:35:35 arabier lfd[2058]: Outgoing IP 88.68.42.8 temporary block removed
Apr 25 22:33:44 arabier lfd[30309]: (WordPress) Failed wordpress login from 88.68.42.8 (DE/Germany/dslb-088-068-042-008.088.068.pools.vodafone-ip.de): 5 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]

So what's happening is that LFD is setting the block for 24 hours, but somehow it's being removed just a little over an hour later.
I am pretty sure that the block used to work just fine for 24 hours till this morning, as I only started noticing "blocked permanently" mails due to 5 blocks in a row from the same IP today (there were none of those yesterday, I checked this).

Any help is much appreciated.

I did upgrade MySQL two days ago, but as far as I know CSF doesn't rely on MySQL, does it?

Re: Blocks appear to be removed way before the set time

Posted: 25 Apr 2019, 22:08
by RonaldB
I just noticed something else: there are exactly 200 perm bans and 100 temp bans at the moment.

Are there perhaps limits to the number of temp bans (and perhaps perm bans too?) which might cause this behavior? As in a First In - First Out system, because otherwise there would be too many iptables rules?

Re: Blocks appear to be removed way before the set time

Posted: 25 Apr 2019, 22:12
by RonaldB
So in the meantime, I solved my own question. The IP Limit in WHM is set to 100 temp and 200 perm by default, which simply did not suffice...

I upped them to 500 each for now.
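
An added example, not part of the original posts and not CSF's own code: a log check that pairs each "*Blocked in csf* for N secs" line with the later "temporary block removed" line for the same IP and reports blocks lifted well before N seconds, the symptom seen in this thread. The sample log is constructed from the format quoted in the first post; the function names, the `year` argument and the 60-second `slack` are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the lfd.log format quoted in the first post
# (rDNS shortened; 192.0.2.7 is a documentation address).
SAMPLE_LOG = """\
Apr 25 17:28:46 arabier lfd[21528]: (WordPress) Failed wordpress login from 88.68.42.8 (DE/Germany/-): 5 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Apr 25 18:35:35 arabier lfd[2058]: Incoming IP 88.68.42.8 temporary block removed
Apr 25 18:35:35 arabier lfd[2058]: Outgoing IP 88.68.42.8 temporary block removed
Apr 25 19:00:00 arabier lfd[2058]: (WordPress) Failed wordpress login from 192.0.2.7 (-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]
Apr 25 20:00:01 arabier lfd[2058]: Incoming IP 192.0.2.7 temporary block removed
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ lfd\[\d+\]: "
BLOCK_RE = re.compile(STAMP + r".* from (\S+) .*\*Blocked in csf\* for (\d+) secs")
REMOVE_RE = re.compile(STAMP + r"Incoming IP (\S+) temporary block removed")


def _ts(stamp, year):
    # syslog stamps carry no year, so the caller supplies one (assumption)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def early_removals(log_text, year=2019, slack=60):
    """Return (ip, intended_secs, held_secs) for temp blocks lifted early."""
    active = {}    # ip -> (time the block was set, intended duration in secs)
    findings = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            active[m.group(2)] = (_ts(m.group(1), year), int(m.group(3)))
            continue
        m = REMOVE_RE.match(line)
        if m and m.group(2) in active:
            start, intended = active.pop(m.group(2))
            held = int((_ts(m.group(1), year) - start).total_seconds())
            # slack absorbs lfd's polling delay; anything shorter is early
            if held + slack < intended:
                findings.append((m.group(2), intended, held))
    return findings


if __name__ == "__main__":
    for ip, intended, held in early_removals(SAMPLE_LOG):
        print(f"{ip}: blocked for {intended}s, removed after {held}s")
```

Early removals clustered while the temp ban count sits at its ceiling point to the limit described above; in csf.conf the corresponding settings are DENY_TEMP_IP_LIMIT and DENY_IP_LIMIT.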