Using CC_DENY with ASN and IPSET - seems to be failing

zav
Junior Member
Posts: 2
Joined: 14 May 2020, 09:10


Post by zav »

Hi all,

I have some ASNs that are thoroughly obnoxious and I want to block them.

I notice that CC_DENY can accept AS numbers in place of country ISO codes, so I implemented what I thought would work and...

It does not! LFD just triggered from one of those hosts.

Here is what I did:
# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
# rpm -qa | grep ipset
ipset-libs-7.1-1.el7.x86_64
ipset-7.1-1.el7.x86_64
# csf -v
csf: v14.04 (cPanel)

Changes I made to my /etc/csf/csf.conf:

DENY_IP_LIMIT = "0"
DENY_TEMP_IP_LIMIT = "800"
CC_DENY = "AS210273,AS5410,AS197226,AS34665"
FASTSTART = "0"
LF_IPSET = "1"

I initially had

FASTSTART = "1"

and tried 0 when that did not work. Seems to make no difference.

csf -ra completes without any error output that could explain this. lfd.log also looks fine.

Note how up there I blocked AS210273?

Just got this:
Time: Sun Aug 9 11:50:01 2020 +0000
IP: 185.234.219.230 (PL/Poland/-/-/-/[AS210273 World Hosting Farm Limited])
Failures: 1 (cpanel)

# csf -g 185.234.219.230

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
filter DENYIN           19       0     0 DROP       all  --  !lo    *       185.234.219.230      0.0.0.0/0
filter DENYOUT          19       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            185.234.219.230

IPSET: Set:cc_as210273 Match:185.234.219.230 Setting:CC_DENY Country:AS210273

ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 185.234.219.230 in ip6tables

Temporary Blocks: IP:185.234.219.230 Port: Dir:inout TTL:86400 (lfd - (cpanel) Failed cPanel login from 185.234.219.230 (PL/Poland/-/-/-/[AS210273 World Hosting Farm Limited]): 1 in the last 3600 secs)

I do not understand how 185.234.219.230 belonging to AS210273 can make it into LFD when I have CC_DENY = "AS210273,AS5410,AS197226,AS34665" in csf.conf and csf -g shows them blocked.

What am I missing?

I read somewhere that CC_DENY only affects incoming, not outgoing, so pinging random addresses from those ASNs doesn't help me troubleshoot, but if I wait long enough I get brute-forced by them despite there being a rule showing in csf -g <ip address>.

In what order is CC_DENY processed? This is driving me insane!
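The post shows the IP listed in the ipset set cc_as210273 but lfd still recording a login failure from it, which means a packet reached cPanel before any set-based DROP applied. The check a practitioner would run next is whether the live iptables ruleset actually references that set, and where in the chain that rule sits relative to the ACCEPT rules. The helper script below is an added example written for this thread; it is not part of the original post and not csf's own code. The set-naming convention cc_as<number> is taken from the csf -g output above; the SAMPLE_RULES text is constructed for offline demonstration and is not a copy of the chain layout csf generates.

```bash
#!/bin/bash
# Added example (not from the original post, not csf code).
# Helpers to verify that an ipset-backed CC_DENY entry for an AS number is
# actually consulted by the running firewall, and in what order.

# Map an AS number as written in CC_DENY ("AS210273") to the ipset name that
# csf -g printed in the thread ("cc_as210273").
cc_set_name() {
    printf 'cc_%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Read `iptables -S` output on stdin and print "<chain> <target>" for every
# rule that matches the given set via `-m set --match-set <set>`.
# No output means the set exists but no rule ever consults it.
set_refs() {
    local set="$1"
    awk -v set="$set" '
        $1 == "-A" && / -m set / {
            for (i = 1; i <= NF; i++) {
                if ($i == "--match-set" && $(i+1) == set) {
                    tgt = ""
                    for (j = 1; j <= NF; j++) if ($j == "-j") tgt = $(j+1)
                    print $2, tgt
                }
            }
        }'
}

# Number of rules referencing the set (0 = never consulted).
count_set_refs() {
    set_refs "$1" | wc -l | tr -d ' '
}

# Within one chain, print "<position of first set rule> <position of first
# ACCEPT rule>", counting only -A rules of that chain. iptables evaluates
# top-down, so if the ACCEPT position is lower, matching traffic is accepted
# before the set-based DROP is ever reached. 0 means "no such rule".
order_in_chain() {
    local chain="$1" set="$2"
    awk -v chain="$chain" -v set="$set" '
        $1 == "-A" && $2 == chain {
            n++
            if (!sp && / -m set / && index($0, "--match-set " set " ")) sp = n
            if (!ap && / -j ACCEPT/) ap = n
        }
        END { printf "%d %d\n", sp, ap }'
}

# Live check on a real host (needs root, ipset and iptables installed):
#   ipset test  -> exit 0 when the IP is a member of the set
#   set_refs    -> which chains and targets actually use the set
live_check() {
    local asn="$1" ip="$2" set
    set="$(cc_set_name "$asn")"
    ipset test "$set" "$ip"
    iptables -S | set_refs "$set"
}

# Constructed sample ruleset for offline use. It deliberately places a port
# 2083 ACCEPT before the set-based DROP to show the ordering problem; it is
# NOT what csf generates.
SAMPLE_RULES='-P INPUT DROP
-N DENYIN
-A INPUT ! -i lo -j DENYIN
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -m set --match-set cc_as210273 src -j DROP
-A DENYIN -s 185.234.219.230/32 ! -i lo -j DROP'

SET="$(cc_set_name AS210273)"
echo "set name: $SET"
echo "rules referencing it:"
printf '%s\n' "$SAMPLE_RULES" | set_refs "$SET"
echo "position in INPUT (set rule, first ACCEPT):"
printf '%s\n' "$SAMPLE_RULES" | order_in_chain INPUT "$SET"
```

On the real host, replace the constructed input with `iptables -S | set_refs "$(cc_set_name AS210273)"` and `ipset test cc_as210273 185.234.219.230`; a set that tests positive but has zero referencing rules, or whose rule sits below an ACCEPT for the cPanel port, would explain a login attempt reaching the log despite csf -g reporting a match.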