lfd keeps blocking IP
Posted: 30 Jul 2008, 17:36
latest version v3.39
[root@liber www]# grep 24.166.55.38 /var/log/lfd.log|grep htpass
Tue Jul 29 20:16:20 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 20:16:21 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:08:07 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:08:07 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:10:24 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:10:24 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:16:01 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:16:01 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
[root@liber www]# iptables -nL|grep 24.166.55.38
ACCEPT all -- 24.166.55.38 0.0.0.0/0
DROP tcp -- 24.166.55.38 0.0.0.0/0 tcp dpt:443
DROP tcp -- 24.166.55.38 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 24.166.55.38
[root@liber www]#
IP is in csf.allow file but lfd doesn't see that and tries to block it again and again (my guess). Adding it to csf.ignore would help, but are two entries really necessary ?
How does lfd actually checks for failed password attempts ?
[root@liber www]# grep 24.166.55.38 /var/log/lfd.log|grep htpass
Tue Jul 29 20:16:20 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 20:16:21 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:08:07 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:08:07 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:10:24 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:10:24 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
Tue Jul 29 21:16:01 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=80
Tue Jul 29 21:16:01 2008 lfd: 5 (htpasswd) login failures from 24.166.55.38 - *Blocked in csf* port=443
[root@liber www]# iptables -nL|grep 24.166.55.38
ACCEPT all -- 24.166.55.38 0.0.0.0/0
DROP tcp -- 24.166.55.38 0.0.0.0/0 tcp dpt:443
DROP tcp -- 24.166.55.38 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 24.166.55.38
[root@liber www]#
IP is in csf.allow file but lfd doesn't see that and tries to block it again and again (my guess). Adding it to csf.ignore would help, but are two entries really necessary ?
How does lfd actually checks for failed password attempts ?