csf CC_DENY country blocking delayed filling of IPSETs
Posted: 16 Nov 2023, 07:38
We are warding off a country denial of service attack on a WHM Exim server that has been ongoing for around 1 week. The attack takes the form of 1000s of servers sending email to non-existing recipients on the Exim server, quickly overwhelming the Exim server's connection count limit `smtp_accept_max`. The default for Exim is 20 connections. The default for cPanel is 100 connections. In our case, we can raise it to 10000 (maxes out at 4000) and we'll still get overwhelmed. Once the connection count is overwhelmed the server stops responding with "too many connections".
Our business is based in South Africa. We quickly established by way of counting repeat WHOIS on the attack IP addresses that the countries are outliers that don't do business with our clients. For example, these countries were attacking ferociously:
China, Uzbekistan, Kyrgyzstan, Azerbaijan, Kazakhstan, Iran, Pakistan, Russia, etc.
The only thing that worked is to block entire countries by adding to the CC_DENY rule in `/etc/csf/csf.conf` and then doing `csf -r`.
HOWEVER, when we add a new country, the IPSETs are empty. After approximately one day, the IPSETs are populated. I see this when I do `csf -r`:
Today I will see the new ones empty, and I can see by way of `tail -f | grep -i 'no such person'` that the IP addresses from these countries are still attacking:

```
...
csf: IPSET creating set cc_mz
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_mz src
csf: IPSET creating set cc_tz
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_tz src
...
```

Tomorrow I'll come back and I'll see that IPSET loading with ### entries:

```
...
csf: IPSET creating set cc_mz
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_mz src
csf: IPSET loading set cc_mz with 47 entries
csf: IPSET creating set cc_tz
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set cc_tz src
csf: IPSET loading set cc_tz with 153 entries
```

CSF can CC_DENY using either (1) MaxMind or the (2) DB-IP/ipdeny.com/iptoasn.com feature.
I've tried both and currently we're using (2).
I'm trying to understand which batch scheduled routine populates these IPSETs because I would like them to activate quicker.
Please assist.
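The two checks the post describes by hand (looking at `csf -r` output for empty country sets, and tailing the Exim log for unknown-recipient rejections) can be scripted so an admin sees at a glance which `cc_*` sets are still empty and which sources are driving the rejections. The script below is an added example and is not code from the post or from the csf/lfd project. It assumes the terse listing format of `ipset list -t` (a `Name:` ... `Number of entries:` block per set), the cPanel log path `/var/log/exim_mainlog`, and the poster's "no such person" rejection text; the ipset output and Exim log lines embedded in it are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example; not code from the forum post or from the csf/lfd project.
# Two checks for an admin waiting for country ipsets to fill:
#   1. which cc_* ipsets exist but hold zero entries (rule present, nothing blocked yet)
#   2. which source IPs generate the "no such person" recipient rejections in Exim
# Assumption: `ipset list -t` prints one "Name: <set>" ... "Number of entries: <n>"
# block per set (terse listing of the ipset 6.x tool).

# Constructed sample of `ipset list -t` output: two populated sets, one still empty.
SAMPLE_IPSET_OUTPUT='Name: cc_mz
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2048
References: 1
Number of entries: 47

Name: cc_tz
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 4096
References: 1
Number of entries: 153

Name: cc_cn
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 1
Number of entries: 0
'

# Constructed Exim mainlog lines (documentation IP ranges, invented recipients).
SAMPLE_EXIM_LOG='2023-11-16 07:38:01 H=(mx.example) [198.51.100.7] F=<a@example.net> rejected RCPT <nobody@example.co.za>: No such person at this address
2023-11-16 07:38:02 H=(mx.example) [198.51.100.7] F=<b@example.net> rejected RCPT <ghost@example.co.za>: No such person at this address
2023-11-16 07:38:03 H=(relay) [203.0.113.9] F=<c@example.org> rejected RCPT <missing@example.co.za>: No such person at this address
2023-11-16 07:38:04 <= user@example.com H=(ok.example) [192.0.2.44] P=esmtp S=1234'

# Read `ipset list -t` output on stdin; print the names of cc_* sets with 0 entries.
empty_cc_sets() {
  awk '
    /^Name: /              { name = $2 }
    /^Number of entries: / { if (name ~ /^cc_/ && $4 == 0) print name }
  '
}

# Read Exim mainlog lines on stdin; print "<count> <ip>" for each source that was
# rejected for a non-existent recipient, busiest source first.
top_rejecting_ips() {
  grep -i 'no such person' | awk '{
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\[[0-9.]+\]$/) { ip = substr($i, 2, length($i) - 2); count[ip]++ }
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Live mode: run both checks against the real firewall and the cPanel Exim log
# (path assumed). Only used when invoked with --live; sample data is used otherwise.
live_report() {
  echo "cc_* sets with no entries yet:"
  ipset list -t | empty_cc_sets
  echo "top sources rejected for unknown recipients:"
  top_rejecting_ips < /var/log/exim_mainlog | head -n 20
}

if [ "${1:-}" = "--live" ]; then
  live_report
else
  echo "empty country sets (sample):"
  printf '%s\n' "$SAMPLE_IPSET_OUTPUT" | empty_cc_sets
  echo "rejecting sources (sample):"
  printf '%s\n' "$SAMPLE_EXIM_LOG" | top_rejecting_ips
fi
```

Run it without arguments to see the sample output (`cc_cn` reported as empty, `198.51.100.7` as the busiest rejected source); run it as root with `--live` on the server to use the real ipset listing and log. A set that shows up as empty immediately after `csf -r` is exactly the window in which the DROP rule exists but matches nothing, so the rejection counts are the quickest way to confirm whether the block has actually taken effect.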