CSF IP Blocking on VPS

[stmx]

Hello friends,

Please help me to mitigate DDoS attack. I used own script which parse access.log and block IPs in default way -

Code: Select all

 "csf -d <IP>"

The problem is CSF (latest cpanel version) can't block some IPs, every time I got error:

Code: Select all

--
deny failed: <IP> is in already in the deny file /etc/csf/csf.deny 1 times
--

This IP seem to be blocked, but it still have full access to my server. However, most IPs are blocked. I really do not know, why CSF can't block some IPs. I checked these IPs using command:

Code: Select all

Chain            num   pkts bytes target     prot opt in     out     source               destination         

DENYIN           259      0     0 DROP       all  --  !lo    *       77.46.174.215        0.0.0.0/0

DENYOUT          259      0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            77.46.174.215


ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 77.46.174.** in ip6tables

csf.deny: 77.46.174.215 # Manually denied: 77.46.174.2** (RS/Serbia/77-46-174-215.dynamic.isp.telekom.rs) - Wed Jul  6 14:02:06 2016

My site is under attack at this moment. I use VPS server with 512 mb RAM. Please give me any suggestions to go ahead.

Thanks

[Sergio]

Have you talked to your data center that you are under a DDoS attack?
Some data centers moves the affected servers to a Hardware FireWall to mitigate the attack and it is free of charge.

[stmx]

I used CloudFlare with "I'm under attack" function. This is helped, but not at all.

I can mitigate attack using software firewall but I ran into a problem that has already been observed before on other servers. Looks like this is CSF bug which should be investigated by experts or developers. Looking for replies regarding this.

[Sergio]

If you think this is a bug, the best option is to post on the "Report Bug" and you will be answered by the developers directly.

[stmx]

Still waiting reply from anyone from CSF team. Maybe this is not a bug, just incorrect settings or something else.

[stmx]

Just for example:

Live output from access.log of nginx:

Code: Select all

119.207.122.52 - - [06/Jul/2016:23:21:03 +0300] GET / HTTP/1.1 "200" 10103 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" "119.207.122.52"
^C
root@server [/var/log/nginx]# csf -d 119.207.122.52
deny failed: 119.207.122.52 is in already in the deny file /etc/csf/csf.deny 1 times

So I cant block 10-20 IPs due to CSF considers that it is already blocked.

UPDATE: I transfered-out this site to dedicated server with another CSF and another settings. The problem is as well as on a VPS.

[ForumAdmin]

That looks like the block has already happened but the logs are still being written to disk after the event (i.e. cached) so it appears that the IP still has access when it does not. This is not uncommon when logs are being flooded by DOS attacks.

That said, csf cannot help with a true DDOS, that can only be mitigated at the network router level.

[stmx]

Thanks for reply.

I just want to block these IPs, I do not want to buy hardware firewall for 1000-2000 ips botnet. This not a problem for dedicated server to block small botnet.

I do not think that this is cached logs problem. I restarted nginx many many times so logs still record some IPs that CSF can't block. At this time I have only 10-20 IPs which cannot be blocked by CSF and flood my web server, so site working good but I think you should investigate why CSF not working for some IPs, looks like this is bug.

[ForumAdmin]

It is not a bug. Csf is generating the iptables rules, which is all its job is. Are you using cloudflare? If you are then a firewall will not help as it changes the source IP, you have to block IPs on cloudflare itself.

[stmx]

I have blocked some IPs using CloudFlare firewall. After that, these IPs can't reach my server.

I also tried to use iptables to block these IPs without luck before. Ok, this is not CSF bug but I never think that this is possible - firewall should block network addresses, why certain IP can not be blocked, while thousands of others can.