Using CC denies and full IP Block blocks yet IPs get thru
Posted: 19 Aug 2013, 09:04
OK so we decided to block some well known exploit and spam IPs and countries (mainly China and similar) using BOTH csf (CC_Deny setting) on the server and htaccess on specific domains. Now here's the kicker and problem.
These blocked IPs are still getting through to Apache and other services and generating page requests, email login hack attempts, etc.
Here are a couple of examples:
Apache hits:
Code:
7-0 26099 1/1/15583 K 0.26 0 812 38.7 0.04 845.51 110.88.99.1 [redacted].com GET /blog/index.php/b/2009/02/09.
16-0 26241 1/42/14569 K 4.80 1 909 40.3 2.54 715.31 110.89.11.6 [redacted].com GET /blog/index.php/b/2012/01/20/..
email hits:
Code:
2013-08-19 07:32:53 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2381: 535 Incorrect authentication data (set_id=sales)
2013-08-19 07:33:00 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2477: 535 Incorrect authentication data (set_id=sales)
2013-08-19 07:33:12 dovecot_login authenticator failed for (ylmf-pc) [183.32.163.34]:2568: 535 Incorrect authentication data (set_id=sales)
etc...
CSF:
Code:
Searching for 110.89.11.6...
Chain num pkts bytes target prot opt in out source destination
CC_DENY 1023 0 0 DROP all -- * * 110.88.0.0/14 0.0.0.0/0
...Done.
Code:
Searching for 183.32.163.34...
Chain num pkts bytes target prot opt in out source destination
CC_DENY 284 0 0 DROP all -- * * 183.0.0.0/10 0.0.0.0/0   <-- was already set up before csf.deny ban was added
DENYIN 207 0 0 DROP all -- !lo * 183.32.163.34 0.0.0.0/0
DENYOUT 205 0 0 DROP all -- * !lo 0.0.0.0/0 183.32.163.34
csf.deny: 183.32.163.34 # lfd: (smtpauth) Failed SMTP AUTH login from 183.32.163.34 (CN/China/-): 5 in the last 300 secs - Mon Aug 19 07:33:32 2013
...Done.
-----------------------------------------------------
It's not just this IP range, but a large collection of the banned IPs at random times throughout the day and night. Way too many to list here in any case.
Anyone seeing issues like this?
How can I fix it so these denies actually block these bad IPs??
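The telling detail in the csf output above is the pkts/bytes columns: every DROP rule that covers the logged source sits at 0, so those packets never passed through the rule. Here is a small added check (not from the post or from csf itself) that parses csf/iptables counter lines of that shape, looks up each client IP seen in the logs against the covering DROP rules, and flags rules that should have matched but never counted a packet. The csf output and log IPs are constructed samples copied from the post; the column order and the `audit` verdict names are assumptions of this example.

```python
import ipaddress

# Constructed sample: the csf search output quoted in the post, BBCode stripped.
# Column order: chain, rule number, packets, bytes, target, proto, opts,
# in, out, source, destination.
CSF_OUTPUT = """\
Chain num pkts bytes target prot opt in out source destination
CC_DENY 1023 0 0 DROP all -- * * 110.88.0.0/14 0.0.0.0/0
CC_DENY 284 0 0 DROP all -- * * 183.0.0.0/10 0.0.0.0/0
DENYIN 207 0 0 DROP all -- !lo * 183.32.163.34 0.0.0.0/0
DENYOUT 205 0 0 DROP all -- * !lo 0.0.0.0/0 183.32.163.34
"""

# Constructed sample: client IPs from the Apache and exim log lines in the
# post, plus one address with no deny rule at all.
OBSERVED_IPS = ["110.89.11.6", "183.32.163.34", "8.8.8.8"]


def parse_rules(text):
    """Parse iptables-style counter lines into dicts; the header is skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 11 or not parts[2].isdigit():
            continue
        chain, num, pkts, _b, target, _p, _o, _i, _out, src, dst = parts
        rules.append({"chain": chain, "num": int(num), "pkts": int(pkts),
                      "target": target, "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst)})
    return rules


def audit(rules, observed_ips):
    """Return {ip: verdict}. 'never_matched' means a DROP rule covers the
    source but its packet counter is still 0: the traffic seen in the logs
    did not traverse that rule, so it reached the service by another path."""
    verdicts = {}
    for ip in observed_ips:
        addr = ipaddress.ip_address(ip)
        # Inbound rules only: a specific source network containing the address.
        # DENYOUT rules match on destination and carry source 0.0.0.0/0.
        covering = [r for r in rules if r["target"] == "DROP"
                    and r["src"].prefixlen > 0 and addr in r["src"]]
        if not covering:
            verdicts[ip] = "no_rule"
        elif all(r["pkts"] == 0 for r in covering):
            verdicts[ip] = "never_matched"
        else:
            verdicts[ip] = "matching"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in audit(parse_rules(CSF_OUTPUT), OBSERVED_IPS).items():
        print(f"{ip:16} {verdict}")
```

A `never_matched` verdict for an IP that is plainly in the Apache or exim logs points at the packet path (a proxy or CDN in front, a second interface, or rules not hooked into INPUT) rather than at the deny list itself.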