ConfigServer Community Forum

Posted: **20 Dec 2021, 19:23**

Hello,

I would like to permanently block/ban the ips that csf detects as "port flood" but I cannot. I have very often back attacks of this type:

Dec 17 23:05:15 nsxxxx kernel: [2415976.555544] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1329 PROTO=UDP SPT=59384 DPT=27017 LEN=33

Dec 17 23:05:19 nsxxxxx kernel: [2415980.720442] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1335 PROTO=UDP SPT=59414 DPT=27015 LEN=33

Dec 17 23:05:24 nsxxxxx kernel: [2415984.947282] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1337 PROTO=UDP SPT=59417 DPT=27017 LEN=33

Dec 17 23:05:26 nsxxxxx kernel: [2415988.379278] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=37 TOS=0x00 PREC=0x00 TTL=118 ID=1345 PROTO=UDP SPT=51822 DPT=27015 LEN=17

Dec 17 23:05:26 nsxxxxx kernel: [2415988.381667] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=37 TOS=0x00 PREC=0x00 TTL=118 ID=1344 PROTO=UDP SPT=51821 DPT=27015 LEN=17

Dec 17 23:05:29 nsxxxxx kernel: [2415990.722440] Firewall: *Port Flood* IN=eno1 OUT= MAC=1c:b7:2c:ae:da:45:00:ff:ff:ff:ff:fb:08:00 SRC=ip.ip.ip.ip DST=ip.ip.ip.ip LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=1348 PROTO=UDP SPT=51824 DPT=27015 LEN=33

and csf does not block ip.
I wanted to add fail2ban to csf but apparently no working or bug... Maybe another csf module is needed?

Thank you,

Posted: **27 Dec 2021, 18:17**

You can create your own rules and add it to:
/usr/local/csf/bin/regex.custom.pm (inside the file are instructions on how to use it).

NOTE: Please read CSF manual to know how to create your own rules, the following rules are just examples on how you can do it your own, I don't assume any responsibility if you use my rules and cause any unexpected blocks in your server.

The following are JUST examples on how this could be implemented, don't use them, is better if you create your owns.

Code: Select all

The following rule will block ANY IP doing a Port Flood:

	if (($lgfile eq $config{LFD_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s.*Port Flood.*SRC=(\S+)/i)) {
		return ("PORT FLOOD",$1,"PORT_FLOOD","1","1","1");
	}
	
The following rule will block a direct IP doing a Port Flood (change 123.123.123.123 for the IP that you want to block):

	if (($lgfile eq $config{LFD_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s.*Port Flood.*SRC=(123.123.123.123)/i)) {
		return ("PORT FLOOD",$1,"PORT_FLOOD","1","1","1");
	}

Merry Christmas,
Sergio

ConfigServer Community Forum

Re: Port Flood csf perm ban

Port Flood csf perm ban

Re: Re: Port Flood csf perm ban

ConfigServer Community Forum

Re: *Port Flood* csf perm ban

*Port Flood* csf perm ban

Re: Re: *Port Flood* csf perm ban

Re: Port Flood csf perm ban

Port Flood csf perm ban

Re: Re: Port Flood csf perm ban