Blocked IPs still turns up in access logs

Posted: 12 Oct 2021, 14:14
by JosKlever
I'm using a file with IP addresses and ranges as a permanent block list. When I search for an abusive IP address (5.188.62.76) in CSF I see that it's blocked by 5.188.62.0/24 resulting in the following output:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
filter DENYIN           37291     0     0 DROP       all  --  !lo    *       5.188.62.0/24        0.0.0.0/0
filter DENYOUT          37291     0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            5.188.62.0/24

ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 5.188.62.76 in ip6tables

Permanent Blocks (csf.deny): 5.188.62.0/24
However, this IP is still showing up in access logs attempting to do malicious things. This IP is just an example and it's happening with many more. And not just in the access logs, but also in Exim or other logs. Can someone explain this to me and help figure out how this can happen?

I'm using a dedicated server with AlmaLinux 8.4, DirectAdmin 1.62.9, OpenLiteSpeed 1.7.14, CSF 14.11.

Re: Blocked IPs still turns up in access logs

Posted: 17 Oct 2021, 15:22
by Sergio
Remember that CSF is a software firewall, so any IP, blocked or not, will connect to the server, and depending on whether it is blacklisted it will be denied any access, but the log will save that connection.

With a hardware firewall it is a different thing: blocked IPs will never get to your server, as the IP will be blocked before it enters your server.

Re: Blocked IPs still turns up in access logs

Posted: 17 Oct 2021, 15:31
by JosKlever
What route does a request take? Is OLS accepting the request, then calling CSF to check it and block the request if applicable? Or does CSF check the request first before it reaches OLS? Same for other services of course...

Re: Blocked IPs still turns up in access logs

Posted: 17 Oct 2021, 19:50
by Sergio
On the different OS that CSF works on, the OS receives the IP connection and logs it, then the IP is passed to CSF, and then CSF checks whether it is blocked or not.

If the IP is granted to continue, then the other suites of CSF software will be checking what the IP does and trigger any option that CSF is configured to block.

Re: Blocked IPs still turns up in access logs

Posted: 25 Oct 2021, 15:20
by JosKlever
Sergio, what do you mean by "different OS" and "OP"? I just don't understand your last comment.

Re: Blocked IPs still turns up in access logs

Posted: 26 Oct 2021, 06:30
by Sergio
OS = Operating Systems
Linux, CloudLinux, Centos, etc.

Re: Blocked IPs still turns up in access logs

Posted: 26 Oct 2021, 09:05
by JosKlever
I know what OS is (I'm using AlmaLinux like I said), but what do you mean by "different OS"? And what does it have to do with the process I'm describing, where a service like OLS (webserver) or Exim (mailserver) is reached by an IP that should be completely blocked by CSF? These services should never be reached, to save resources.
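
A check for the situation discussed in this thread, added as an example and not posted by any participant: it finds access-log clients that fall inside a deny range and reports the packet counter of the matching DENYIN DROP rule. A `pkts` value of 0 means no packet has matched that rule since its counters were last reset, so the logged requests did not pass through that rule with that source address. The rule listing and log lines are constructed samples, and the log layout (client address as the first field) is an assumption.

```python
import ipaddress

# Constructed sample input, modelled on the rule listing quoted in the first post.
RULE_LISTING = """\
filter DENYIN           37291     0     0 DROP       all  --  !lo    *       5.188.62.0/24        0.0.0.0/0
filter DENYOUT          37291     0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            5.188.62.0/24
"""

# Constructed access-log lines; only the leading client-address field is used.
ACCESS_LOG = """\
5.188.62.76 - - [12/Oct/2021:13:58:01 +0200] "POST /login HTTP/1.1" 403 199
192.0.2.10 - - [12/Oct/2021:13:58:05 +0200] "GET / HTTP/1.1" 200 5120
5.188.62.140 - - [12/Oct/2021:13:59:30 +0200] "GET /admin HTTP/1.1" 404 150
"""


def parse_inbound_drops(listing):
    """Return [(network, pkts)] for DENYIN rules whose target is DROP."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        # Columns: table chain num pkts bytes target prot opt in out source destination
        if len(f) == 12 and f[1] == "DENYIN" and f[5] == "DROP":
            rules.append((ipaddress.ip_network(f[10], strict=False), f[3]))
    return rules


def blocked_but_logged(log_text, rules):
    """Return {ip: (network, pkts, hits)} for logged clients inside a deny range."""
    found = {}
    for line in log_text.splitlines():
        try:
            ip = ipaddress.ip_address(line.split()[0])
        except (ValueError, IndexError):
            continue  # blank line, or first field is not an IP address
        for net, pkts in rules:
            if ip.version == net.version and ip in net:
                hits = found.get(str(ip), (None, None, 0))[2] + 1
                found[str(ip)] = (str(net), pkts, hits)
                break
    return found


def never_matched(found):
    """Logged IPs whose covering DROP rule shows a zero packet counter."""
    return sorted(ip for ip, (_, pkts, _) in found.items() if pkts == "0")


if __name__ == "__main__":
    hits = blocked_but_logged(ACCESS_LOG, parse_inbound_drops(RULE_LISTING))
    for ip, (net, pkts, n) in hits.items():
        print(f"{ip}: {n} log line(s), covered by {net}, DROP rule pkts={pkts}")
```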