CSF and MaxMind generate wrong CIDR lists
Posted: 26 Mar 2022, 01:38
# csf --version
csf: v14.16 (cPanel)
Because of excessive attacks against the SMTP port, I was forced to activate SMTPAUTH_RESTRICT to filter the sending countries.
However, it shows a wrong (and worrying) behavior by blocking legitimate users from authorized countries.
Steps:
/etc/csf/csf.conf
Code:
SMTPAUTH_RESTRICT = "1"
CC_ALLOW_SMTPAUTH = "DE,NL"
Exim needed the mods; rebuild Exim and restart. All working.
Then, the other day, I found a complaint because the IP 37.24.194.82 (DE) does not have access to the SMTP port.
I have checked the file /etc/exim.smtpauth and it is populated with all the [DE] network prefixes, although there is no range containing that IP:
Code:
# grepcidr 37.24.194.82 /etc/exim.smtpauth
no result
Then I looked up the prefix related to the IP:
Code:
# whois -h whois.cymru.com " -v 37.24.194.82"
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
3209 | 37.24.194.26 | 37.24.128.0/17 | DE | ripencc | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE
and then checked whether the prefix is inside the generated DE country list:
Code:
# grepcidr 37.24.128.0/17 /etc/exim.smtpauth
no result
However, when I do a whois query to list all the network prefixes belonging to its ISP's routes, then yes, it shows the right prefix:
grep:
Code:
# IP=37.24.194.82; whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net ${IP} | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n | grep '37.24.128.0/17'
The whole prefix list:
Code:
# IP=37.24.194.82; whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net ${IP} | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n
CSF is not generating the right CIDR prefix lists for the countries. I don't know how CSF generates these lists, although I suspect the cause is in the MaxMind databases.
According to MaxMind, that IP 37.24.194.82 belongs to ASN AS6830:
Code:
# geoiplookup 37.24.194.82
GeoIP Country Edition: DE, Germany
GeoIP City Edition, Rev 1: DE, 07, Nordrhein-Westfalen, Gladbeck, 45968, 51.556599, 7.002500, 0, 0
GeoIP ASNum Edition: AS6830 Liberty Global Operations B.V.
however, according to a whois query, it belongs to ASN AS3209:
Code:
# whois -h whois.cymru.com " -v 37.24.194.82"
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
3209 | 37.24.194.26 | 37.24.128.0/17 | DE | ripencc | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE
Interesting thing: the MaxMind web site doesn't show the ASN in the web queries (?):
https://www.maxmind.com/en/geoip2-preci ... .24.194.82
I have downloaded an updated GeoLite2-ASN.mmdb, and no difference. It shows a wrong ASN:
Code:
# geoiplookup /usr/share/GeoIP/GeoLite2-ASN.mmdb 37.24.194.82
GeoIP Country Edition: DE, Germany
GeoIP City Edition, Rev 1: DE, 07, Nordrhein-Westfalen, Gladbeck, 45968, 51.556599, 7.002500, 0, 0
GeoIP ASNum Edition: AS6830 Liberty Global Operations B.V.
I have checked whois.ripe.net, whois.radb.net and whois.cymru.com, and all of them show the right ASN, AS3209.
Also, a direct query for the right prefix shows ASN AS3209:
Code:
# whois -h whois.cymru.com " -v 37.24.128.0/17"
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
3209 | 37.24.128.0 | 37.24.128.0/17 | DE | ripencc | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE
With the geoiplookup utility and the MaxMind databases, the queries for *one IP* will return the right country.
However, in the case of using the MaxMind ASN database to extract the CIDR prefixes for blocking purposes, it can cause serious security problems. Not only because of the false positives, which are absent from the allowed ASN or CIDR country lists, but also because of the huge network segments which remain invisible to the firewalls. Not only CSF, I imagine.
I wonder about attackers and spammers who could collate and extract all these invisible network segments from the MaxMind databases to bypass the ASN and country filters in the firewalls.
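The checks the post runs by hand (a grepcidr-style membership test, reading the Team Cymru whois table, and comparing the announced BGP prefix against the generated country list) can be scripted so that an allow-list like /etc/exim.smtpauth is audited for gaps before it is deployed. The following is an added example and is not code from CSF, MaxMind or the poster; it goes beyond the single IP in the post by computing every part of a reference prefix that the allow-list does not cover. The allow-list excerpt is a constructed sample (it deliberately omits the 37.24.128.0/17 route), the Cymru row is the one quoted above, and the function names are this example's own.

```python
# Added example (not CSF's or MaxMind's code): audit a country CIDR allow-list
# such as /etc/exim.smtpauth for gaps against the BGP prefixes reported by
# the Team Cymru whois service. The allow-list contents are constructed.
import ipaddress
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed excerpt of a generated country list (192.0.2.0/24 is the
# TEST-NET-1 documentation range, used only as filler). It deliberately lacks
# the announced 37.24.128.0/17 route so that 37.24.194.82 falls through.
SAMPLE_ALLOWLIST = """\
# DE (constructed sample, not the real generated file)
192.0.2.0/24
37.24.0.0/17
37.24.200.0/22
"""

# Team Cymru whois output exactly as quoted in the post.
SAMPLE_CYMRU = """\
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
3209 | 37.24.194.26 | 37.24.128.0/17 | DE | ripencc | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE
"""


def parse_cidr_list(text: str) -> List[Net]:
    """Parse one CIDR or bare address per line; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_cymru(text: str) -> List[dict]:
    """Parse the pipe-separated 'whois -h whois.cymru.com -v' table."""
    rows = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) < 7 or fields[0] == "AS":   # skip header / short lines
            continue
        rows.append({"asn": fields[0], "ip": fields[1],
                     "prefix": ipaddress.ip_network(fields[2], strict=False),
                     "cc": fields[3], "as_name": fields[6]})
    return rows


def find_covering(ip: str, allowed: List[Net]) -> Optional[Net]:
    """Return the first list entry containing ip, or None (like grepcidr)."""
    addr = ipaddress.ip_address(ip)
    for net in allowed:
        if net.version == addr.version and addr in net:
            return net
    return None


def uncovered(reference: List[Net], allowed: List[Net]) -> List[Net]:
    """Parts of the reference prefixes that no allow-list entry covers.

    Two networks of the same family are either disjoint or one contains the
    other, so each piece is kept, dropped, or split with address_exclude().
    """
    gaps: List[Net] = []
    for ref in reference:
        pieces: List[Net] = [ref]
        for net in allowed:
            if net.version != ref.version:
                continue
            nxt: List[Net] = []
            for piece in pieces:
                if piece.subnet_of(net):
                    continue                                  # fully covered
                if net.subnet_of(piece):
                    nxt.extend(piece.address_exclude(net))    # carve it out
                else:
                    nxt.append(piece)                         # disjoint
            pieces = nxt
        gaps.extend(pieces)
    # collapse_addresses() needs a single family, so merge v4 and v6 apart
    out: List[Net] = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(
            [g for g in gaps if g.version == version]))
    return out


def audit(ip: str, allowlist_text: str, cymru_text: str) -> dict:
    """Run the three checks for one address and its announced prefixes."""
    allowed = parse_cidr_list(allowlist_text)
    routes = [r["prefix"] for r in parse_cymru(cymru_text)]
    return {"covered_by": find_covering(ip, allowed),
            "bgp_prefixes": routes,
            "gaps": uncovered(routes, allowed)}


if __name__ == "__main__":
    result = audit("37.24.194.82", SAMPLE_ALLOWLIST, SAMPLE_CYMRU)
    print("allow-list entry for the IP:", result["covered_by"])
    for gap in result["gaps"]:
        print("announced but not allow-listed:", gap, gap.num_addresses)
```

Run against the real generated file and a Cymru query for each complaining address, the `gaps` list is the set of announced address space that the country filter silently treats as foreign; a non-empty result for a country you allow is exactly the false-positive case described in the post, and the same routine turned around (reference = the country list, allowed = the announced prefixes) shows list entries that no longer correspond to a route.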