
ip blocked for portscan with csf.allow rule

Posted: 09 Nov 2015, 06:45
by patrick
Since the latest update we have seen, on at least 1 server so far, a strange issue with a temporary block due to a port scan.

We added an exception for 1 IP to access port 3306 in the csf.allow file, but this morning the IP was suddenly blocked in the firewall due to a temporary port-scan block; I have checked the logs and they showed the IP only tried to access port 3306, no other ports.

The only difference is that since yesterday the firewall has been updated to a new release, so I wanted to log this issue here as it might be a bug.

Content of csf.allow for this entry:

tcp|in|d=3306|s=sourceip

Example log of the block:
Nov 9 07:28:16 servername kernel: [24355408.855643] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=84:34:97:11:e9:20:80:71:1f:e2:78:x:x:x SRC=sourceip DST=serverip LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=35371 DF PROTO=TCP SPT=38251 DPT=3306 WINDOW=14600 RES=0x00 SYN URGP=0

(replaced IP with term sourceip)

Re: ip blocked for portscan with csf.allow rule

Posted: 09 Nov 2015, 06:46
by patrick
Forgot to mention the version number, to avoid confusion later on: v8.08

Re: ip blocked for portscan with csf.allow rule

Posted: 09 Nov 2015, 09:04
by ForumAdmin
You need to check the email sent to the root forwarder for the reason for the block, which contains the information needed.

Re: ip blocked for portscan with csf.allow rule

Posted: 09 Nov 2015, 09:19
by patrick
This shows exactly the same:

Time: Mon Nov 9 06:38:46 2015 +0100
IP: clientIP (DE/Germany/clienthostname)
Hits: 11
Blocked: Temporary Block

with 11 times:

Nov 9 06:38:46 servername kernel: [24352439.138351] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=84:34:97:11:e9:20:80:71:1f:e2:78:x:x:x SRC=clientip DST=serverIP LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4521 DF PROTO=TCP SPT=37000 DPT=3306 WINDOW=14600 RES=0x00 SYN URGP=0

which only goes to DPT=3306, which is in csf.allow, hence I don't get the temporary block.
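The check patrick did by hand, written up as an added example (not code from the thread or from csf): parse the kernel "Blocked" lines, count hits and distinct destination ports per source, and compare each hit against csf.allow advanced-syntax entries. A source whose hits all go to one port that an allow entry already covers is not a port scan, and the mismatch points at the allow rule not taking effect rather than at the client. All log lines, IPs and rules below are constructed.

```python
import re
from collections import defaultdict

# csf/lfd kernel log lines carry iptables-style KEY=VALUE fields.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_block_line(line):
    """Parse one 'Firewall: *TCP_IN Blocked*' line; return None for any other line."""
    if "Blocked*" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "PROTO", "DPT"}.issubset(fields):
        return None
    return {"SRC": fields["SRC"], "PROTO": fields["PROTO"].lower(), "DPT": int(fields["DPT"])}

def parse_allow_rule(rule):
    """Parse csf.allow advanced syntax, e.g. 'tcp|in|d=3306|s=203.0.113.10'."""
    proto, direction, *opts = rule.strip().split("|")
    parsed = {"proto": proto.lower(), "dir": direction.lower()}
    for opt in opts:
        key, value = opt.split("=", 1)
        parsed[key] = value
    return parsed

def matches_allow(pkt, rule):
    # True if this inbound blocked packet is one the allow rule should have admitted.
    return (rule["dir"] == "in" and rule["proto"] == pkt["PROTO"]
            and rule.get("s") == pkt["SRC"] and rule.get("d") == str(pkt["DPT"]))

def summarize(log_lines, allow_rules):
    """Per source IP: hits, distinct destination ports, and hits covered by csf.allow."""
    rules = [parse_allow_rule(r) for r in allow_rules]
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "covered": 0})
    for line in log_lines:
        pkt = parse_block_line(line)
        if pkt is None:
            continue
        entry = per_src[pkt["SRC"]]
        entry["hits"] += 1
        entry["ports"].add(pkt["DPT"])
        entry["covered"] += int(any(matches_allow(pkt, r) for r in rules))
    return {src: {"hits": e["hits"], "distinct_ports": len(e["ports"]),
                  "covered_by_allow": e["covered"]} for src, e in per_src.items()}

# Constructed sample (documentation IPs): 11 SYNs to 3306 from an allow-listed host, three ports from a second host.
LOG_TEMPLATE = ("Nov 9 06:38:46 servername kernel: [24352439.138351] Firewall: *TCP_IN Blocked* "
                "IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC={src} DST=192.0.2.1 "
                "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4521 DF PROTO=TCP SPT={spt} DPT={dpt} SYN URGP=0")
SAMPLE_LOG = [LOG_TEMPLATE.format(src="203.0.113.10", spt=37000 + i, dpt=3306) for i in range(11)]
SAMPLE_LOG += [LOG_TEMPLATE.format(src="198.51.100.7", spt=40000, dpt=p) for p in (22, 80, 443)]
ALLOW_RULES = ["tcp|in|d=3306|s=203.0.113.10"]
```

Run `summarize(SAMPLE_LOG, ALLOW_RULES)` on your own `/var/log/messages` extract and csf.allow lines: a source with `distinct_ports == 1` and `covered_by_allow == hits` is the situation described in this thread.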

Re: ip blocked for portscan with csf.allow rule

Posted: 09 Nov 2015, 11:12
by ForumAdmin
The only things I can suggest are:

1. Use the following to check that the rule is active:

csf -g clientip

2. Try using the WATCH_MODE functionality

3. Try a fresh csf install with default settings

Other than that, you would need to follow the iptables chains and rules to find out where it is being blocked before the allow rule.