Multiple email notifications upon single action
Posted: 06 Apr 2009, 14:53
Hello,
We use CSF v4.60 (generic)
When an IP is added to tempban by the Connection Tracking tool, we receive multiple emails at an interval equal to CT_INTERVAL.
Here is a CT config:
CT_LIMIT = "100"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "86400"
CT_STATES = ""
CT_PORTS = ""
Here is an example of the last temp-banned IP and the logs.
In /etc/csf/csf.tempban:
1239012534:82.114.69.24::inout:86400:lfd - (CT) IP 82.114.69.24 found to have 478 connections
In /var/log/lfd.log:
Apr 6 14:08:54 server lfd[21167]: (CT) IP 82.114.69.24 found to have 478 connections - *Blocked in csf* for 86400 secs
Here are copies of some of the 7 emails received upon this action:
===== 1st one =========
Time: Mon Apr 6 14:08:54 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 478
Blocked: temporarily
Connections:
tcp: 82.114.69.24:1742 -> 208.100.40.200:80 (SYN_RECV)
tcp: 82.114.69.24:1741 -> 208.100.40.200:80 (SYN_RECV)
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (ESTABLISHED)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (ESTABLISHED)
======= 2nd one ===========
Time: Mon Apr 6 14:09:34 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 476
Blocked: temporarily
Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (ESTABLISHED)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (ESTABLISHED)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (ESTABLISHED)
====== 3rd one =======
Time: Mon Apr 6 14:10:14 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 478
Blocked: temporarily
Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (FIN_WAIT1)
......
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (FIN_WAIT1)
====== 7th (last) one ========
Time: Mon Apr 6 14:12:54 2009 +0400
IP: 82.114.69.24 (CZ/Czech Republic/-)
Connections: 473
Blocked: temporarily
Connections:
tcp6: 82.114.69.24:1364 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1620 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1365 -> 208.100.40.200:80 (FIN_WAIT1)
.....
tcp6: 82.114.69.24:1706 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1450 -> 208.100.40.200:80 (FIN_WAIT1)
tcp6: 82.114.69.24:1451 -> 208.100.40.200:80 (FIN_WAIT1)
================
Do you have any ideas how to fix the issue? Perhaps this is a kind of bug that comes out due to the quite low value of CT_INTERVAL?
Thanks,
-Vano
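One way to cut the alert noise described in this post, as an added example (Python, not lfd's own code): drop a fresh CT detection for an IP whose csf.tempban entry has not yet expired, so only the pass that actually adds the ban sends an email. The csf.tempban line format and timestamps are taken from the post; CT_INTERVAL and CT_BLOCK_TIME come from the config above, and the per-pass connection counts are a constructed replay of the seven emails.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Copy of the csf.tempban line quoted in the post (format: time:ip:port:direction:ttl:comment).
SAMPLE_TEMPBAN = (
    "1239012534:82.114.69.24::inout:86400:lfd - (CT) IP 82.114.69.24 found to have 478 connections\n"
)
CT_INTERVAL = 30       # seconds between CT passes, from the config in the post
CT_BLOCK_TIME = 86400  # seconds a temp ban lasts, from the config in the post


@dataclass
class TempBan:
    start: int    # unix time the ban was added
    ip: str
    ttl: int      # ban lifetime in seconds
    comment: str

    def active(self, now: int) -> bool:
        return now < self.start + self.ttl


def parse_tempban(text: str) -> Dict[str, TempBan]:
    """Index csf.tempban entries by IP (a later line for the same IP wins)."""
    bans: Dict[str, TempBan] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 5)  # the comment field may itself contain ':'
        if len(parts) != 6:
            continue
        start, ip, _port, _direction, ttl, comment = parts
        bans[ip] = TempBan(int(start), ip, int(ttl), comment)
    return bans


def process_ct_hits(hits: List[Tuple[int, str, int]], bans: Dict[str, TempBan],
                    block_time: int = CT_BLOCK_TIME) -> List[Tuple[int, str, int]]:
    """Return only the CT hits that should add a ban and send an email.

    Each hit is (unix_time, ip, connection_count) from one CT pass. While the IP's
    temp ban is still active the hit is ignored: the lingering FIN_WAIT1/ESTABLISHED
    sockets are just draining and do not merit another alert. `bans` is updated in place.
    """
    alerted: List[Tuple[int, str, int]] = []
    for when, ip, count in hits:
        ban = bans.get(ip)
        if ban is not None and ban.active(when):
            continue
        comment = f"lfd - (CT) IP {ip} found to have {count} connections"
        bans[ip] = TempBan(when, ip, block_time, comment)
        alerted.append((when, ip, count))
    return alerted
```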