possible bug with csf.ignore

Posted: 21 Jan 2007, 01:31
by robm
In /etc/csf/csf.ignore I have, for example:
127.0.0.1
123.456.789.0/24
234.567.890.0/24

But if I ssh in from 123.456.789.32, it still triggers an SSH email alert. I restarted both csf and lfd, but it still triggers the alert. Thoughts?

Posted: 21 Jan 2007, 02:57
by mickalo
robm wrote: In /etc/csf/csf.ignore I have, for example:
127.0.0.1
123.456.789.0/24
234.567.890.0/24

But if I ssh in from 123.456.789.32, it still triggers an SSH email alert. I restarted both csf and lfd, but it still triggers the alert. Thoughts?
In the csf.ignore file it states: CIDR addressing _not_ allowed
so what you have will not work, CIDR/Masking doesn't work in this file

Mickalo

Posted: 21 Jan 2007, 03:52
by robm
2.61 csf.ignore file has:
# The following IP addresses will be ignored by all lfd checks
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
So I thought it was allowed as the comments seem to indicate it, and lfd.pl checks against cidr code from what I can tell. If it's a typo in the config file, just let me know. Thanks.

Posted: 21 Jan 2007, 10:39
by chirpy
CIDR blocks were added to csf.ignore and it does work when I try it, so I don't know why it isn't working for you so long as you're running the latest csf - also make sure you're adding it to /etc/csf/csf.ignore ;)

If you want, you can log a ticket on our helpdesk with SSH access details and I'll add some debug code to see if I can see why it isn't happening.

Posted: 21 Jan 2007, 14:44
by mickalo
robm wrote: 2.61 csf.ignore file has:



So I thought it was allowed as the comments seem to indicate it, and lfd.pl checks against cidr code from what I can tell. If it's a typo in the config file, just let me know. Thanks.
My mistake. My csf.ignore must be an older file; it still states it does not allow CIDR IPs.

Mickalo

Posted: 21 Jan 2007, 15:17
by robm
Running the latest version, generic linux, and running both csf -r and service lfd restart after each change.

OK, some more testing. With this in /etc/csf/csf.ignore:
127.0.0.1
123.45.0.0/16

If I ssh in from 123.45.32.15 it does not send an email, which is expected.

If I put this in /etc/csf/csf.ignore:
127.0.0.1
123.45.0.0/16
67.89.0.0/16

and I ssh in from 67.89.104.78, I do get an email, which I shouldn't. Seems to be a problem with handling multiple CIDR lines, possibly? If you need me to test anything, run a debug version, etc... just let me know.

Rob
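
An independent way to confirm which csf.ignore entry should cover a given source address when the file holds several CIDR lines, as in the test above. This is an added example, not lfd's own code and not part of the original posts; the function names are hypothetical, and treating everything after `#` as a comment is an assumption.

```python
import ipaddress

# Constructed sample mirroring the second test in the post above,
# plus a domain name, which the file header says is ignored.
SAMPLE_IGNORE = """\
# The following IP addresses will be ignored by all lfd checks
127.0.0.1
123.45.0.0/16
67.89.0.0/16
example.invalid
"""

def parse_ignore(text):
    """Return (networks, rejected) from csf.ignore-style text.

    rejected holds (line_number, entry) for lines that are neither a
    valid IP address nor a valid CIDR block, e.g. domain names or
    octets above 255.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 67.89.1.2/16
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, entry))
    return networks, rejected

def matching_entry(ip, networks):
    """Return the first network containing ip, or None.

    Every entry is tested, so a match on the second or later CIDR
    line is found just like a match on the first.
    """
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None

if __name__ == "__main__":
    nets, bad = parse_ignore(SAMPLE_IGNORE)
    for lineno, entry in bad:
        print(f"line {lineno}: not an IP or CIDR block: {entry}")
    for ip in ("123.45.32.15", "67.89.104.78", "10.0.0.1"):
        print(ip, "->", matching_entry(ip, nets) or "not ignored")
```

If this reports a match for an address that still triggers an alert, the entry itself is valid and the discrepancy lies in how the running lfd version evaluates the list.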

Posted: 22 Jan 2007, 11:44
by chirpy
I've recreated the problem and will work on a fix.

Posted: 22 Jan 2007, 11:53
by chirpy
Fixed in v2.62 :)

Thank you for persisting with this.

Posted: 22 Jan 2007, 16:07
by robm
Thanks! Working great now.