
block "xx" domain

Posted: 10 Dec 2013, 18:39
by raz
hi,

My csf stats have the "xx" country code as the most often blocked (aside from cn/China). I couldn't find any information on this country code online. 1) What is it (besides being "user assigned")? 2) Is it safe to block, or might I be blocking legit visitors too that use VPNs, proxies, or for some other reason are being tagged as "xx"?

According to this:
if you go to wikipedia's site then /wiki/ISO_3166-1_alpha-2#XX
they are "user assigned". But xx doesn't show up in the example list at the link, just in the same row in the table, and it links to that section of text. Basically, would someone ID'd with that code feasibly be a legitimate site visitor?

Thank you,
rz

Re: block "xx" domain

Posted: 11 Dec 2013, 07:13
by Sergio
Go to https://www.countryipblocks.net/search_ip.php and search there for the country the IP belongs to.

It seems that the country database in your server has not updated the IPs and that is why it is showing "XX". Write the IP here, if possible.

Sergio

Re: block "xx" domain

Posted: 11 Dec 2013, 17:49
by raz
It could be this. What I think is happening, actually, looking at logs of new and old servers, is that the addresses are actually coming from China, because in the temp block list it recognizes it as China, in the website you gave me same thing, and it is blocked. But in the "LFD Statistics" it shows up as a different category of XX.
I think this makes sense in a way b/c I have China (CN) blocked from all ports but 80 and 443. But once in a big while since blocking all other ports from CN, guys still get through and do stuff like ssh and portscans to get blocked. So what you're saying sounds right, that the database isn't properly updated, so there is some portion of China that gets through, and the Stats reports it as XX, but the LFD itself correctly tags it with origin, even though it's allowed to connect until it gets blocked by my settings.
Here is the IP I think is responsible. Does this make sense? Thanks for helping me look at this closer.

36.248.241.22


Would there be a better way to try to capture these or something? Like some detective work?
How about a way to reset the LFD stats? Or, a file, not a visual chart, that I can look at to get exact changes in numbers. Since the chart is so top heavy with china, it makes other bars (XX) being second biggest, look so small. My new server is just starting out, so I can actually count the occurrences, but it's really not going to be fun that way either.

Thanks Sergio!

Re: block "xx" domain

Posted: 11 Dec 2013, 18:55
by Sergio
Ok, now I get a better picture of what happened.

The XX that you see is because the first time that the IP was recorded there was no info for the IP and CSF wrote that as XX in the file /var/lib/csf/stats/lfdmain

The show of XX in the LFD stats will not affect CSF operations at all, so, you can leave it there, or if that bothers you too much :) you can reset/modify the counter that is inside the lfdmain file, usually at the last of the lines, look for something like:
CN,3,AU,1,GB,1,NL,1,PT,1,US,7,
that is the country code followed by the counter hits.

Sergio

Re: block "xx" domain

Posted: 27 Jan 2014, 18:11
by raz
Thanks Sergio!

To share the wealth:

XX IPs actually appear in the file /var/lib/csf/stats/lfdmain as "**" (that's double asterisk)
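
For the "file, not a visual chart" request earlier in the thread, here is an added example (not part of any post above and not CSF's own code) that turns the counter line Sergio describes into exact per-country numbers and compares two saved copies of it. It assumes the counter line has already been pulled out of /var/lib/csf/stats/lfdmain and that "**" is the XX bucket, as raz reports; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Input: one counter line shaped like the one quoted in the
# thread, "CN,3,AU,1,...". Assumption: the line has already been extracted
# from /var/lib/csf/stats/lfdmain (the thread says it is usually the last
# line, e.g. `tail -n 1 FILE | lfd_country_counts`).

# Print "CODE COUNT" rows, highest count first. "**" is relabelled XX.
lfd_country_counts() {
    awk -F, '
    {
        for (i = 1; i + 1 <= NF; i += 2) {
            code = $i; hits = $(i + 1)
            # Skip anything that is not CODE,NUMBER (CODE = AA..ZZ or "**").
            if (code !~ /^([A-Z][A-Z]|[*][*])$/ || hits !~ /^[0-9]+$/) continue
            if (code == "**") code = "XX"
            count[code] += hits
        }
    }
    END { for (c in count) printf "%s %d\n", c, count[c] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Print "CODE OLD NEW DELTA" for each code whose count differs between two
# saved copies of the counter line ($1 = older file, $2 = newer file).
lfd_country_delta() {
    {
        lfd_country_counts < "$1"
        echo "---"
        lfd_country_counts < "$2"
    } | awk '
        $1 == "---" { second = 1; next }
        NF != 2     { next }
        !second     { before[$1] = $2; next }
                    { after[$1] = $2 }
        END {
            for (c in before) if (!(c in after)) after[c] = 0
            for (c in after) if (after[c] + 0 != before[c] + 0)
                printf "%s %d %d %+d\n", c, before[c], after[c], after[c] - before[c]
        }' | LC_ALL=C sort
}
```

Saving the counter line to a dated file once a day and running `lfd_country_delta` on two of those files shows how much the XX bucket grew, independent of how large the CN bar is.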