Page 1 of 3
new attacks from banned IPs
Posted: 16 Feb 2014, 07:06
by mbsmt
Hi.
I have many blocked IPs in csf with "do not delete" comment. But every day I got notifications from server about new brute force attacks via some of these IPs.
What's the problem ?
Re: new attacks from banned IPs
Posted: 17 Feb 2014, 07:11
by joo003464
Apologies , I have face same Problem .. .. Please give me solution .. ..
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 03:04
by hostmart
Have you checked cphulk if enabled
I think it runs before csf checks
and it has a setting to send email when blocking a ip
Cheers
Sean
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 05:16
by mbsmt
Problem is not sending email hostmart, no IP baned automatically through csf. This is the problem
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:00
by hostmart
It must be a csf setting
what is your permanent deny limit set to.
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:03
by mbsmt
Hostmart, where can I check it exactly? Please tell me where, and I will say what it is.
Thank you for your attention to my problem
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:10
by hostmart
Check the number of denied ips in csf frontend
then to see if it up to the limit
click firewall configuration
in the dropdown box at the top choose general settings
scroll down to DENY_IP_LIMIT , the default is 200
I don't use more than 500 if I can avoid it.
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:13
by mbsmt
Currently I have 88 permanent banned IPs and DENY_IP_LIMIT is set to 200
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:32
by hostmart
That is strange then
A firewall that doesn't block ips is just a log that will make you paranoid.
I know it a stupid question but
at the top of firewall configuration is TESTING set to 0
and did you restart csf after adding ips.
Other settings that could be the problem are in the Login Failure Blocking and Alerts section of firewall configuration.
Re: new attacks from banned IPs
Posted: 19 Feb 2014, 06:57
by mbsmt
TESTING is set to 0. And I think there is no need to restart csf after each ip blocking. However, I have done it sometimes.