CSF IP Blocking on VPS
Posted: 06 Jul 2016, 20:26
by stmx
Hello friends,
Please help me to mitigate a DDoS attack. I used my own script, which parses access.log and blocks IPs in the default way -
The problem is that CSF (latest cPanel version) can't block some IPs; every time I get the error:
Code:
--
deny failed: <IP> is in already in the deny file /etc/csf/csf.deny 1 times
--
This IP seems to be blocked, but it still has full access to my server. However, most IPs are blocked. I really do not know why CSF can't block some IPs. I checked these IPs using the command:
Code:
Chain num pkts bytes target prot opt in out source destination
DENYIN 259 0 0 DROP all -- !lo * 77.46.174.215 0.0.0.0/0
DENYOUT 259 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 77.46.174.215
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 77.46.174.** in ip6tables
csf.deny: 77.46.174.215 # Manually denied: 77.46.174.2** (RS/Serbia/77-46-174-215.dynamic.isp.telekom.rs) - Wed Jul 6 14:02:06 2016
My site is under attack at this moment. I use a VPS server with 512 MB RAM. Please give me any suggestions to go ahead.
Thanks
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 20:32
by Sergio
Have you talked to your data center that you are under a DDoS attack?
Some data centers move the affected servers to a hardware firewall to mitigate the attack, and it is free of charge.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 20:38
by stmx
I used CloudFlare with the "I'm under attack" function. This helped, but not at all.
I can mitigate the attack using a software firewall, but I ran into a problem that has already been observed before on other servers. It looks like this is a CSF bug which should be investigated by experts or developers. Looking for replies regarding this.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 20:45
by Sergio
If you think this is a bug, the best option is to post in "Report Bug", and you will be answered by the developers directly.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 21:07
by stmx
Still waiting for a reply from anyone on the CSF team. Maybe this is not a bug, just incorrect settings or something else.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 21:24
by stmx
Just for example:
Live output from access.log of nginx:
Code:
119.207.122.52 - - [06/Jul/2016:23:21:03 +0300] GET / HTTP/1.1 "200" 10103 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" "119.207.122.52"
^C
root@server [/var/log/nginx]# csf -d 119.207.122.52
deny failed: 119.207.122.52 is in already in the deny file /etc/csf/csf.deny 1 times
So I can't block 10-20 IPs because CSF considers that they are already blocked.
UPDATE: I transferred this site out to a dedicated server with another CSF and other settings. The problem is the same as on the VPS.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 21:26
by ForumAdmin
That looks like the block has already happened but the logs are still being written to disk after the event (i.e. cached) so it appears that the IP still has access when it does not. This is not uncommon when logs are being flooded by DOS attacks.
That said, csf cannot help with a true DDOS; that can only be mitigated at the network router level.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 21:56
by stmx
Thanks for the reply.
I just want to block these IPs; I do not want to buy a hardware firewall for a 1000-2000 IP botnet. It is not a problem for a dedicated server to block a small botnet.
I do not think that this is a cached logs problem. I restarted nginx many, many times, and the logs still record some IPs that CSF can't block. At this time I have only 10-20 IPs which cannot be blocked by CSF and flood my web server, so the site is working well, but I think you should investigate why CSF is not working for some IPs; it looks like this is a bug.
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 22:12
by ForumAdmin
It is not a bug. csf is generating the iptables rules, which is all its job is. Are you using Cloudflare? If you are, then a firewall will not help as it changes the source IP; you have to block IPs on Cloudflare itself.
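The point in the reply above, as an added example that is not part of the original thread and is not csf's own code: a denied client that arrives through a proxy never appears as the packet source, so the host rule cannot match it. The sketch assumes a log layout like the one quoted in the thread with an extra trailing `peer=` field written from nginx's `$realip_remote_addr`; the `classify` helper, the proxy range and the sample lines are hypothetical.

```python
import ipaddress
import re

# Placeholder proxy egress range (documentation address space, an assumption);
# replace it with the ranges your CDN publishes.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed layout: the thread's log format plus a trailing peer=<addr> field
# holding the address that opened the TCP connection (what iptables matches).
LINE_RE = re.compile(r"^(?P<client>\S+) .* peer=(?P<peer>\S+)$")


def classify(log_lines, denied, proxy_ranges=PROXY_RANGES):
    """Map each denied client still seen in the log to the reasons why."""
    verdicts = {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed layout
        try:
            client = ipaddress.ip_address(m["client"])
            peer = ipaddress.ip_address(m["peer"])
        except ValueError:
            continue  # something other than an address in either field
        if str(client) not in denied:
            continue
        if any(peer in net for net in proxy_ranges):
            verdict = "block-at-proxy"  # host firewall only sees the proxy
        elif peer == client:
            verdict = "host-rule-should-match"  # direct hit: check rules, log lag
        else:
            verdict = "unknown-intermediary"
        verdicts.setdefault(str(client), set()).add(verdict)
    return verdicts


# Constructed sample lines (documentation addresses, not taken from the thread).
TAIL = '- - [06/Jul/2016:23:21:03 +0300] GET / HTTP/1.1 "200" 10103 "-" "Mozilla/5.0"'
SAMPLE = [
    f'198.51.100.7 {TAIL} "198.51.100.7" peer=203.0.113.10',
    f'198.51.100.9 {TAIL} "-" peer=198.51.100.9',
    f'198.51.100.30 {TAIL} "198.51.100.30" peer=192.0.2.5',
    f'198.51.100.20 {TAIL} "198.51.100.20" peer=203.0.113.11',
    "truncated line without a peer field",
]
DENIED = {"198.51.100.7", "198.51.100.9", "198.51.100.30"}

if __name__ == "__main__":
    for ip, why in sorted(classify(SAMPLE, DENIED).items()):
        print(ip, sorted(why))
```

Addresses reported as `block-at-proxy` have to be denied at the proxy; `host-rule-should-match` entries are the ones worth checking against the rule counters and the log timestamps.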
Re: CSF IP Blocking on VPS
Posted: 06 Jul 2016, 22:43
by stmx
I have blocked some IPs using the CloudFlare firewall. After that, these IPs can't reach my server.
I also tried to use iptables to block these IPs before, without luck. OK, this is not a CSF bug, but I never thought that this was possible - a firewall should block network addresses, so why can certain IPs not be blocked while thousands of others can?