
Temp IP bans

Posted: 24 Jul 2008, 16:50
by ckh
I noticed that 67.210.XXX.XXX has been constantly getting blocked because of port scans so I made a permanent block with 67.210.0.0/16

The problem is that even though it's permanently blocked, csf will still detect port scans and block any IP within the permanently blocked range. It will also then permanently block the IP after X number of attempts even though the c-block is already permanently blocked.

It isn't causing any problems but seems to be redundant.

Posted: 29 Jul 2008, 18:27
by ckh
A little update, problem still persists.

I had 67.210.0.0/16 blocked but csf was still adding it to the temp ban list and then moving it to the permanent ban list. This is about 50-75 different IPs in the 67.210.3.XX to 67.210.12.XX range.

I thought 67.210.3.0/20 might be a better fit but csf is still blocking temporarily then moving to permanent after X number of attempts (which I do want) but don't think it should be adding them if the IP range is already banned.

Used the quickadd to add the IP and restarted csf/lfm a couple of times but problem still persists.

Emptied out the deny list and it currently shows:
67.210.0.0/20 # port scans - Wed Jul 23 08:01:06 2008
67.210.3.210 # lfd: (PERMBLOCK) 67.210.3.210 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 07:38:31 2008
67.210.3.50 # lfd: (PERMBLOCK) 67.210.3.50 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 08:47:01 2008
67.210.12.139 # lfd: (PERMBLOCK) 67.210.12.139 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:10:15 2008
67.210.3.10 # lfd: (PERMBLOCK) 67.210.3.10 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:26:00 2008
67.210.4.162 # lfd: (PERMBLOCK) 67.210.4.162 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:44:46 2008
67.210.12.109 # lfd: (PERMBLOCK) 67.210.12.109 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:54:50 2008
67.210.12.152 # lfd: (PERMBLOCK) 67.210.12.152 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:56:59 2008
67.210.3.178 # lfd: (PERMBLOCK) 67.210.3.178 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 10:16:07 2008
Temp IP ban list has 4 of them in that range in it right now. Just emptied the lists about an hour ago and restarted.

Posted: 30 Jul 2008, 03:25
by ckh
I think I found the problem. I had:

DROP_IP_LOGGING

enabled. I disabled it and it all seems to be working now.
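
Added example, not part of the original thread and not csf's own code: a Python check that lists single-IP entries in a csf.deny-style file that are already covered by a CIDR entry in the same file, as with the PERMBLOCK lines quoted above. The sample text reuses lines from the post plus one constructed entry (203.0.113.7); the function names are hypothetical.

```python
import ipaddress

# Sample deny list: the first three lines are quoted from the thread,
# the last one is constructed for contrast.
SAMPLE_DENY = """\
67.210.0.0/20 # port scans - Wed Jul 23 08:01:06 2008
67.210.3.210 # lfd: (PERMBLOCK) 67.210.3.210 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 07:38:31 2008
67.210.12.139 # lfd: (PERMBLOCK) 67.210.12.139 has had more than 2 temp blocks in the last 86400 secs - Tue Jul 29 09:10:15 2008
203.0.113.7 # constructed entry outside the blocked range
"""


def normalize(spec):
    """Return the canonical network for an IP or CIDR, clearing stray host bits."""
    return str(ipaddress.ip_network(spec, strict=False))


def parse_deny(text):
    """Yield (line_number, original_spec, network) for plain IP/CIDR lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        spec = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not spec:
            continue
        try:
            yield lineno, spec, ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue  # anything that is not a plain IP or CIDR is skipped


def redundant_entries(text):
    """Return (line_number, entry, covering_entry) for entries inside a wider block."""
    entries = list(parse_deny(text))
    found = []
    for lineno, spec, net in entries:
        for _, other_spec, other in entries:
            same_family = net.version == other.version
            if same_family and net != other and net.subnet_of(other):
                found.append((lineno, spec, other_spec))
                break
    return found


if __name__ == "__main__":
    for lineno, spec, cover in redundant_entries(SAMPLE_DENY):
        print(f"line {lineno}: {spec} is already covered by {cover}")
```

To run it against a copy of a real deny list, pass the file's text to `redundant_entries()` instead of `SAMPLE_DENY`.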