csf CC_DENY country blocking delayed filling of IPSETs

[eugenevdm]

We are warding off a country denial of service attack on a WHM Exim server that has been ongoing for around 1 week. The attack takes the form of 1000s of servers sending email to non-existing recipients on the Exim server, quickly overwhelming the Exim's server's connection count limit `smtp_accept_max`. The default for Exim is 20 connections. The default for cPanel is 100 connections. In our case, we can raise it to 10000 (maxes out at 4000) and we'll still get overwhelmed. Once the connection count is overwhelmed the server stops responding with "too many connections".

Our business is based in South Africa. We quickly established by way of counting repeat WHOIS on the attack IP addresses that the countries are outliers that don't do business with our clients. For example, these countries were attacking ferociously:
China, Uzbekistan, Kyrgyzstan, Azerbaijan, Kazakhstan, Iran, Pakistan, Russia, etc.

The only thing that worked is to block entire countries by adding to the CC_DENY rule in `/etc/csf/csf.conf` and then doing `csf -r`.

HOWEVER, when we add a new country, the IPSETs are empty. After approximately one day, the IPSETs are populated. I see this when I do `csf -r`:

Today I will see the new one's empty and I can see by way of tail -f | grep -i 'no such person' that the IP addresses from these countries are still attacking:

Code: Select all

...
csf: IPSET creating set cc_mz
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_mz src
csf: IPSET creating set cc_tz
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_tz src
...

Tomorrow I'll come back and I'll see that IPSET loading with ### entries:

Code: Select all

...
csf: IPSET creating set cc_mz
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_mz src
csf: IPSET loading set cc_mz with 47 entries
csf: IPSET creating set cc_tz
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_tz src
csf: IPSET loading set cc_tz with 153 entries

CSF can CC_DENY using either (1) MaxMind or the (2) DB-IP/ipdeny.com/iptoasn.com feature.

I've tried both and currently we're using (2).

I'm trying to understand which batch scheduled routine populates these IPSETs because I would like them to activate quicker.

Please assist.

[Sergio]

One easy way to block Countries is using cPhulk.
Enable it on your server, then go to the BLACK LIST by Country and you can block all the ones that you don't want.

Also, you can add range of IPs that you don't want them to access your server.