Incoming portflood over tcp6 won't be blocked
Posted: 16 May 2014, 21:28
by frustrated
Hello, I am frustrated, hence the choice of a username.
Getting port-flooded daily, at times that I am supposed to be catching some ZZZ's.
Once the portflooding begins, this IP appears in the email notifications, of which there are plenty:
Code:
tcp6: 19.245.64.24:50654 -> [my VPS IP]:80
The port number, i.e. 50654 in this example, varies with every entry.
I've blocked 19.245.64.24 manually and it's in csf.deny and it makes no difference.
I might have to add that I'm using Cloudflare with mod_cloudflare enabled. The initial email shows the Cloudflare IP, stating that it was blocked with too many connections. Then, subsequent notifications reveal that IP above.
Any help is appreciated!
Re: Incoming portflood over tcp6 won't be blocked
Posted: 16 May 2014, 22:12
by Sergio
This is not right:
tcp6: 19.245.64.24:50654 -> [my VPS IP]:80
as that is not an IP6.
Please post the entire email received.
Re: Incoming portflood over tcp6 won't be blocked
Posted: 17 May 2014, 18:01
by frustrated
Hi Sergio,
I understand that's not an IP6 but I pasted the line verbatim, removing my server's IP.
Here's some more of the email(s) - I trimmed the process list and changed the username.
Code:
Time: Fri May 16 09:41:13 2014 -0400
PID: 19289 (Parent PID:17399)
Account: USERNAME
Uptime: 55 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/USERNAME/public_html/index.php
Network connections by the process (if any):
tcp6: 19.245.64.24:52709 -> [MY VPS IP]:80
Files open by the process (if any):
Memory maps by the process (if any):
00400000-00d19000 r-xp 00000000 08:05 21775030 /usr/bin/php
00f19000-00fe1000 rw-p 00919000 08:05 21775030 /usr/bin/php
Re: Incoming portflood over tcp6 won't be blocked
Posted: 17 May 2014, 20:57
by Sergio
I understand about not writing your IP and that is the way to do it.
Now, what I want to check is this:
tcp6: 19.245.64.24:52709 ->
Does your server use an IP6?
Re: Incoming portflood over tcp6 won't be blocked
Posted: 17 May 2014, 23:21
by frustrated
No, the VPS is on an IPv4.
I'm stumped as the 19.245.64.24 is blocked at Cloudflare level also. Looks like a mistranslation of the real IP by CSF?
Any help is appreciated.
Re: Incoming portflood over tcp6 won't be blocked
Posted: 17 May 2014, 23:49
by Sergio
First try turning off IP6 at:
IPV6 = 0
and see if that works for you.
Re: Incoming portflood over tcp6 won't be blocked
Posted: 18 May 2014, 01:33
by frustrated
Ok. First off, IPV6 is disabled in WHM/CPanel.
Second, the CSF setting is already IPV6 = 0
I have not changed any of the default configuration regarding IPV6.
Re: Incoming portflood over tcp6 won't be blocked
Posted: 18 May 2014, 17:46
by frustrated
So the question is, is CSF fooled into reporting an IP that cannot be blocked? Is it a glitch (since that IP isn't even IPV6 to begin with)?
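Added example, not part of any post in this thread and not CSF/lfd code: on Linux, an IPv4 client accepted on a dual-stack IPv6 listening socket is listed in /proc/net/tcp6 as an IPv4-mapped address (::ffff:a.b.c.d), which is one way a line labelled tcp6 can carry an IPv4 peer. The table rows below are constructed and assume a little-endian host; that lfd builds its report from this table is an assumption.

```python
import ipaddress

# Constructed rows in /proc/net/tcp6 layout (little-endian host):
# slot, local addr:port, remote addr:port, state.
# Row 0 reuses the peer address quoted in the thread; 192.0.2.10 and
# 2001:db8::/32 are documentation addresses standing in for the server.
SAMPLE_TCP6 = """\
   0: 0000000000000000FFFF00000A0200C0:0050 0000000000000000FFFF00001840F513:CDE5 01
   1: B80D0120000000000000000001000000:01BB B80D0120000000000000000002000000:C350 01
"""

def decode_endpoint(field):
    """Decode one 'HEXADDR:HEXPORT' field from /proc/net/tcp6."""
    hex_addr, hex_port = field.split(":")
    # The kernel prints four 32-bit words in host byte order; on a
    # little-endian machine each word's bytes must be reversed.
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw), int(hex_port, 16)

def peers(table):
    """Return (family, remote_ip, remote_port) for every row of the table."""
    out = []
    for row in table.splitlines():
        cols = row.split()
        if len(cols) < 4:
            continue
        addr, port = decode_endpoint(cols[2])
        mapped = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
        if mapped is not None:
            # IPv4 client on a dual-stack AF_INET6 listener: the packets on
            # the wire are IPv4, so IPv4 filter rules are what apply to them.
            out.append(("ipv4-mapped", str(mapped), port))
        else:
            out.append(("ipv6", str(addr), port))
    return out

if __name__ == "__main__":
    for family, ip, port in peers(SAMPLE_TCP6):
        print(f"tcp6 row: {family:12} {ip}:{port}")
```

On a live server, `peers(open("/proc/net/tcp6").read())` gives the same view; the header row is skipped automatically only if it has fewer than four columns, so drop the first line before passing real data.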