LFD-triggered temporary block failed to be removed

Posted: 04 Sep 2008, 20:54
by Root
Hello,

With v3.43 of CSF I have been seeing that an IP address may not always be removed from iptables/csf after the temporary time span has elapsed. The IP address is blocked for triggering LFD from failed logins; here is a more descriptive log report from LFD:
(I've replaced the last octet with an X.)
# grep -i 72.226.154.X /var/log/lfd.log
Tue Sep 2 21:42:18 2008 lfd: Failed cPanel login from 72.226.154.X - 1 failure(s) in the last 80 secs
Tue Sep 2 21:42:46 2008 lfd: Failed cPanel login from 72.226.154.X - 2 failure(s) in the last 120 secs
Thu Sep 4 11:00:10 2008 lfd: Failed cPanel login from 72.226.154.X - 1 failure(s) in the last 55 secs
Thu Sep 4 11:00:25 2008 lfd: Failed cPanel login from 72.226.154.X - 2 failure(s) in the last 60 secs
Thu Sep 4 11:00:25 2008 lfd: Failed cPanel login from 72.226.154.X - 3 failure(s) in the last 60 secs
Thu Sep 4 11:00:25 2008 lfd: Failed cPanel login from 72.226.154.X - 4 failure(s) in the last 60 secs
Thu Sep 4 11:00:25 2008 lfd: Failed cPanel login from 72.226.154.X - 5 failure(s) in the last 60 secs
Thu Sep 4 11:00:25 2008 lfd: 5 (cpanel) login failures from 72.226.154.X - *Blocked in csf* for 1200 secs
Thu Sep 4 11:00:25 2008 lfd: alert email sent for 72.226.154.X
Thu Sep 4 11:20:26 2008 lfd: 72.226.154.X temporary block removed

It was 2:40 p.m. (14:40 hours) when I found the IP via the search function in CSF's GUI as it was still blocked in iptables.

Please let me know if you need more than the provided csf.conf entries, or a copy of them all; I've attached what I believe are the most relevant (LF_).

Posted: 05 Sep 2008, 10:36
by chirpy
Did this happen to occur just after upgrading to v3.43? If so, then there was a change in the cPanel port blocks that could have caused this. If not, then I'd also need the iptables output including the chain for the leftover rule to investigate any further.

Posted: 05 Sep 2008, 18:13
by Root
chirpy wrote: Did this happen to occur just after upgrading to v3.43? If so, then there was a change in the cPanel port blocks that could have caused this. If not, then I'd also need the iptables output including the chain for the leftover rule to investigate any further.
Hello,

This was a fresh install of v3.43, though I thought about grabbing a copy of the current rules only after I had just removed the block; I will be sure to obtain a copy of the iptables output if or when this occurs again.

Thank you for the timely response. :)
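
An added example, not part of the original thread and not CSF's own code: a Python check that reads lfd.log lines in the format shown in the first post and flags addresses that are still in the firewall after lfd logged their removal, or after the block period elapsed with no removal logged. The log lines, the addresses and the `firewall_ips` set (which an operator would fill from the iptables output requested above) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Timestamp prefix as it appears in the lfd.log excerpt in this thread.
TS = r"(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) lfd: "
BLOCK = re.compile(TS + r".* from (?P<ip>\S+) - \*Blocked in csf\* for (?P<secs>\d+) secs")
UNBLOCK = re.compile(TS + r"(?P<ip>\S+) temporary block removed")

def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def stale_blocks(log_lines, firewall_ips, now):
    """Map each IP that is still firewalled but should not be to a reason code."""
    state = {}  # ip -> ("blocked", expiry time) or ("removed", removal time)
    for line in log_lines:
        m = BLOCK.match(line)
        if m:
            expiry = parse_ts(m["ts"]) + timedelta(seconds=int(m["secs"]))
            state[m["ip"]] = ("blocked", expiry)
            continue
        m = UNBLOCK.match(line)
        if m:
            state[m["ip"]] = ("removed", parse_ts(m["ts"]))
    findings = {}
    for ip in firewall_ips:
        kind, when = state.get(ip, (None, None))
        if kind == "removed":
            findings[ip] = "removed_but_present"   # the symptom reported in this thread
        elif kind == "blocked" and now > when:
            findings[ip] = "expired_not_removed"   # lfd never logged the removal
    return findings

# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "Thu Sep 4 11:00:25 2008 lfd: 5 (cpanel) login failures from 192.0.2.10 - *Blocked in csf* for 1200 secs",
    "Thu Sep 4 11:00:25 2008 lfd: alert email sent for 192.0.2.10",
    "Thu Sep 4 11:20:26 2008 lfd: 192.0.2.10 temporary block removed",
    "Thu Sep 4 13:00:00 2008 lfd: 5 (cpanel) login failures from 192.0.2.20 - *Blocked in csf* for 1200 secs",
    "Thu Sep 4 14:30:00 2008 lfd: 5 (cpanel) login failures from 192.0.2.30 - *Blocked in csf* for 1200 secs",
]
# Assumed input: addresses the operator found in the current firewall rules.
FIREWALL_IPS = {"192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.7"}
NOW = datetime(2008, 9, 4, 14, 40, 0)

if __name__ == "__main__":
    for ip, reason in sorted(stale_blocks(SAMPLE_LOG, FIREWALL_IPS, NOW).items()):
        print(ip, reason)
```

Addresses with no temporary-block entry in the log (such as a permanent deny) and blocks that have not yet expired are deliberately left out of the result.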