ConfigServer Community Forum

Hello Team Config-server .

We were and still are fans of the Config-server firewall and use this firewall a lot. But recently we have been experiencing a lot of complaints of IP getting blocked from multiple sources and its frequency has been rising . On investigating the incident it was found that many IP's have been blacklisted on site maintaining the Spamhaus ZEN, RATS NoPtr, UCEPROTECTL3 and SORBS Spam respectively.

All the blacklisted IP addresses belonged to service providers who provide broadband to local and corporate customers. Broadband customers who get an IP lease of such a blacklisted IP are unaware of such things. When he tries to connect to Servers or websites which use config-server firewall they are blocked by the firewall cause of IP listed in such blacklist .Convincing them becomes difficult as they start comparing providers who do not use such firewalls or rather providers whose firewalls do not refer to the Spam list database .

Result of this is of course losing a valuable customer . If not losing then we end up adding such IP in the whitelists and providing them access . But such activity ends up in waste of productive man hours of the customer as well as the provider/IT team who is using this kind of firewall.
Our intentions are not to point the drawback which are increasing day by day but to request the config-server team to provide an option of avoiding such spam check database OR an option in config-server firewall which will only check such databases for SMTP/IMAP/POP3 ports only and not SSH or WWW ports due to which users do not lose their productive time in sorting out why the entire access was blocked.

@bigadmin,
Have you tried to add those IPs in Exim Configuration Manager under the option:

Whitelist: IP addresses that should not be checked against RBLs [?]

@Serigo , Thank you for responding to my query .
We are not using any mail services (postfix or exim) on this server . Its just the Apache web server serving pages and CSF firewall installed on it .
So let me put my question again in a simple manager , CSF is checking Spam Databases (mentioned in original post) for IP address accessing the web pages and blocking them in LF_PERMBLOCK .
Setting the TEMP block count on higher side doesn't help too.
So want some workaround or solution where either the CSF firewall stop checking Blacklisted IP in Spam list
OR
CSF firewall shall only block ports related to mails and spam for the blacklisted IP addresses and not the entire IP .

Note: CSF installation there is no modification in CSF.BLOCKLIST or CSF.BLOCKLIST.NEW files and we haven't UN-comented any of the lines in blocklist

So if A.B.C.D is blacklisted IP , CSF shall only block port like 25, 587,465,993,995 ...etc and not 80,443,8080,8181 ..etc

Hope i am clear in the approach .
Please let me know if i am not.

@bigadmin,
if CSF is checking Spam Databases could it be that at the directory: /var/lib/csf/ should be debris of blocked lists, you should check in that directory that there are no files like "csf.block.NAME". That would be the only reason on why CSF could be checking the Spam Databases even if you have cancelled them in CSF "LFD Blocklists".

@Sergio
Yes i found file called csf.block.BFB and other files .
So how are these files created ?? and when i saw the modification date of this file it was present date .
Do i clear this file ?? What shall be my next step.

List of file seen in /var/lib/csf

auto1406 csf.block.BFB csf.dnscache csf.load csf.tempallow csf.tempint csf.temppids csf.tempwatch lock ui zone
backup csf.cclookup csf.dnscache: csf.lock csf.tempban csf.tempip csf.tempusers

@bigadmin

Take care on what you will delete on that directory a lot of things in there are used for CSF to do its work, you just should delete the files that starts with "csf.block." don't delete any other file just that ones.

Per example, you wrote that there is a file called "csf.block.BFB", well that is the only file that you have to delete, but before you delete it you have to be sure that CSF will not reload it again, to do that do:
- Enter into CSF.
- Enter into the option "LFD BLOCKLISTS"
Search for the following:

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
#BFB|86400|0|http://danger.rulez.sk/projects/brutefo ... /blist.php

Does that line has the hash tag symbol at the beginning like in my line above or it doesn't has it?
If it doesn't has it, then you should add it, so CSF will no longer will be using that black list.

After you save this, go to /var/lib/csf/ and manually delete the file: csf.block.BFB
and again, don't delete anything else or CSF will stop working.