CSF Not block IP

Discussion in 'Other Centmin Mod Installed software' started by YuchiRO, Mar 9, 2016.

  1. YuchiRO

    YuchiRO Member

    93
    6
    8
    Jan 12, 2015
    Ratings:
    +8
    Local Time:
    12:52 PM
    5.5.4
    Hi

    I had brute force attacks on my site, but why, when I add this IP to csf deny and iptables, does this IP still connect and brute force? I added the IP and restarted csf, and rebooted, but it looks like it's not working.

    IP 162.255.116.72

    Please advise on how to stop it.

    I use CentOS 6.5
    Centmin Mod 1.2.3-eva2000.08
    csf 8.16
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,196
    6,789
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,144
    Local Time:
    3:52 PM
    Nginx 1.13.x
    MariaDB 5.5
    @YuchiRO you may find more CSF Firewall info and commands at CSF - CSF Firewall info | Centmin Mod Community. The LFD daemon only blocks brute force against the service ports defined in /etc/csf/csf.conf, i.e. for SSHD port 22 by default (LF_SSHD) under the Login Failure Blocking and Alerts section, as outlined in csf.conf itself and in the official CSF documentation at http://configserver.com/free/csf/readme.txt. CSF doesn't protect you from DDOS attacks, but it should block the IP if you set CSF to deny it via
    Code (Text):
    csf -d 162.255.116.72


    Example:
    Code (Text):
    ###############################################################################
    # SECTION:Login Failure Blocking and Alerts
    ###############################################################################
    # The following[*] triggers are application specific. If you set LF_TRIGGER to
    # "0" the value of each trigger is the number of failures against that
    # application that will trigger lfd to block the IP address
    #
    # If you set LF_TRIGGER to a value greater than "0" then the following[*]
    # application triggers are simply on or off ("0" or "1") and the value of
    # LF_TRIGGER is the total cumulative number of failures that will trigger lfd
    # to block the IP address
    #
    # Setting the application trigger to "0" disables it
    LF_TRIGGER = "0"
    
    # If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
    # block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
    # "1" and the IP address will be blocked temporarily for that value in seconds.
    # For example:
    # LF_TRIGGER_PERM = "1" => the IP is blocked permanently
    # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
    #
    # If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
    # in the same way as above and LF_TRIGGER_PERM serves no function
    LF_TRIGGER_PERM = "1"
    
    # To only block access to the failed application instead of a complete block
    # for an ip address, you can set the following to "1", but LF_TRIGGER must be
    # set to "0" with specific application[*] trigger levels also set appropriately
    #
    # The ports that are blocked can be configured by changing the PORTS_* options
    LF_SELECT = "0"
    
    # Send an email alert if an IP address is blocked by one of the [*] triggers
    LF_EMAIL_ALERT = "1"
    
    # [*]Enable login failure detection of sshd connections
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_SSHD = "5"
    LF_SSHD_PERM = "1"
    
    # [*]Enable login failure detection of ftp connections
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_FTPD = "3"
    LF_FTPD_PERM = "1"
    
    # [*]Enable login failure detection of SMTP AUTH connections
    LF_SMTPAUTH = "5"
    LF_SMTPAUTH_PERM = "1"
    
    # [*]Enable syntax failure detection of Exim connections
    LF_EXIMSYNTAX = "10"
    LF_EXIMSYNTAX_PERM = "1"
    
    # [*]Enable login failure detection of pop3 connections
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_POP3D = "0"
    LF_POP3D_PERM = "1"
    
    # [*]Enable login failure detection of imap connections
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_IMAPD = "0"
    LF_IMAPD_PERM = "1"
    
    # [*]Enable login failure detection of Apache .htpasswd connections
    # Due to the often high logging rate in the Apache error log, you might want to
    # enable this option only if you know you are suffering from attacks against
    # password protected directories
    LF_HTACCESS = "5"
    LF_HTACCESS_PERM = "1"
    


    First grep for the IP using the command below. What output do you get?
    Code (Text):
    csf -g 162.255.116.72


    Next, ensure the CSF Firewall and LFD daemon are actually running. What output do you get from these commands?
    Code (Text):
    grep 'TESTING =' /etc/csf/csf.conf

    Code (Text):
    csf --lfd status
    service lfd status

    For the CSF status output: if you have changed your SSHD port, it will be listed in the output below, so you may want to remove or hide that port number from public display before posting the output on a public forum.
    Code (Text):
    service csf status
    

    For output, you will want to use CODE or CODEB tags for code: How to use forum BBCODE code tags :)
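    To make the LF_TRIGGER / LF_*_PERM semantics quoted above concrete, here is a small Python model of lfd's decision (added for this thread, not CSF's own code). The csf.conf excerpt and the failure stream are constructed samples; the LF_INTERVAL time window of a full csf.conf is ignored, and only the [*] application triggers listed in the excerpt are modelled.

```python
"""Model of how lfd turns login failures into blocks under the Login Failure
Blocking settings quoted above.  Added illustration for this thread, not CSF
code: the csf.conf excerpt and the failure stream are constructed samples, the
LF_INTERVAL time window of a full csf.conf is ignored, and only the [*]
application triggers listed in the excerpt are modelled."""
import re
from collections import Counter

# Constructed excerpt: the thread's values, except LF_HTACCESS_PERM is set to a
# temporary block so both PERM forms appear.
CSF_CONF = '''
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "3"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_POP3D = "0"
LF_POP3D_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "3600"
'''

# The [*] application triggers from the quoted csf.conf section.
APP_TRIGGERS = ("SSHD", "FTPD", "SMTPAUTH", "EXIMSYNTAX", "POP3D", "IMAPD", "HTACCESS")
SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', re.M)


def parse_conf(text):
    """Return {NAME: value} for every NAME = "value" line in a csf.conf excerpt."""
    return {m.group(1): m.group(2) for m in SETTING_RE.finditer(text)}


def perm_to_duration(value):
    """A *_PERM of "1" is a permanent block; anything larger is seconds."""
    seconds = int(value)
    return "permanent" if seconds == 1 else seconds


def enabled_apps(conf):
    """{app: (threshold, duration)} for triggers set to a non-zero value;
    LF_POP3D = "0" in the thread means pop3 failures are never counted."""
    apps = {}
    for app in APP_TRIGGERS:
        threshold = int(conf.get(f"LF_{app}", "0"))
        if threshold > 0:
            apps[app] = (threshold, perm_to_duration(conf.get(f"LF_{app}_PERM", "1")))
    return apps


def lfd_decisions(conf, failures):
    """Walk (app, ip) login failures in order and return {ip: duration} for the
    IPs lfd would block.

    LF_TRIGGER = "0": each application has its own threshold and its own
                      LF_<app>_PERM decides permanent vs. temporary.
    LF_TRIGGER > "0": application triggers are only on/off switches, failures
                      are summed across applications, and LF_TRIGGER_PERM applies.
    """
    trigger = int(conf.get("LF_TRIGGER", "0"))
    apps = enabled_apps(conf)
    blocked = {}
    per_app = Counter()      # (ip, app) -> failures, used when LF_TRIGGER = 0
    cumulative = Counter()   # ip -> failures across all enabled apps
    for app, ip in failures:
        if ip in blocked or app not in apps:
            continue  # already blocked, or this application's trigger is disabled
        threshold, duration = apps[app]
        if trigger == 0:
            per_app[(ip, app)] += 1
            if per_app[(ip, app)] >= threshold:
                blocked[ip] = duration
        else:
            cumulative[ip] += 1
            if cumulative[ip] >= trigger:
                blocked[ip] = perm_to_duration(conf.get("LF_TRIGGER_PERM", "1"))
    return blocked


# Constructed failure stream: the thread's IP plus three documentation addresses.
FAILURES = (
    [("SSHD", "162.255.116.72")] * 4 + [("FTPD", "162.255.116.72")] * 3
    + [("SMTPAUTH", "162.255.116.72")] * 4 + [("SSHD", "198.51.100.5")] * 5
    + [("HTACCESS", "198.51.100.7")] * 5 + [("POP3D", "198.51.100.9")] * 20
)

if __name__ == "__main__":
    per_app_conf = parse_conf(CSF_CONF)
    print("LF_TRIGGER=0 :", lfd_decisions(per_app_conf, FAILURES))
    cumulative_conf = dict(per_app_conf, LF_TRIGGER="10", LF_TRIGGER_PERM="3600")
    print("LF_TRIGGER=10:", lfd_decisions(cumulative_conf, FAILURES))
```

With the same failure stream, the per-application mode blocks three addresses (the FTPD threshold of 3 fires before the SSHD one of 5) while the cumulative mode blocks only the address that reached ten failures in total.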
     
  3. YuchiRO

    Thanks @eva2000

    Here is my info:

    Code:
    csf -g 162.255.116.72
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination
    INPUT            63       0     0 DROP       all  --  *      *       162.255.116.72       0.0.0.0/0
    
    
    IPSET: Set:chain_DENY Match:162.255.116.72 Setting: File:/etc/csf/csf.deny
    
    
    ip6tables:
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 162.255.116.72 in ip6tables
    
    csf.deny: 162.255.116.72 # Manually denied: 162.255.116.72 (US/United States/server2.smedia.ca) - Wed Mar  9 11:26:04 2016
    You have new mail in /var/spool/mail/root
    
    Code:
    grep 'TESTING =' /etc/csf/csf.conf
    TESTING = "0"
    
    Code:
    csf --lfd status
    Status of lfd:lfd (pid  1313) is running...
    
    Code:
    service lfd status
    Status of lfd:lfd (pid  1313) is running...
    
    Code:
    service csf status
    Status of csf:Chain INPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0           tcp dpt:53
    2        0     0 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0           udp dpt:53
    3        0     0 ACCEPT     tcp  --  !lo    *       8.8.8.8              0.0.0.0/0           tcp spt:53
    4        0     0 ACCEPT     udp  --  !lo    *       8.8.8.8              0.0.0.0/0           udp spt:53
    5        0     0 ACCEPT     tcp  --  !lo    *       108.59.15.5          0.0.0.0/0           tcp dpt:53
    6        0     0 ACCEPT     udp  --  !lo    *       108.59.15.5          0.0.0.0/0           udp dpt:53
    7        0     0 ACCEPT     tcp  --  !lo    *       108.59.15.5          0.0.0.0/0           tcp spt:53
    8        0     0 ACCEPT     udp  --  !lo    *       108.59.15.5          0.0.0.0/0           udp spt:53
    9        0     0 ACCEPT     tcp  --  !lo    *       172.29.56.1          0.0.0.0/0           tcp dpt:53
    10       0     0 ACCEPT     udp  --  !lo    *       172.29.56.1          0.0.0.0/0           udp dpt:53
    11       0     0 ACCEPT     tcp  --  !lo    *       172.29.56.1          0.0.0.0/0           tcp spt:53
    12    1847  144K ACCEPT     udp  --  !lo    *       172.29.56.1          0.0.0.0/0           udp spt:53
    13   1806K 1646M LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    14     15M   16G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    15   1805K 1646M INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    16       2   112            tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW recent: SET name: 21 side: source
    17       0     0 PORTFLOOD  tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW recent: UPDATE seconds: 300 hit_count: 5 name: 21 side: source
    18   1709K 1640M ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    19       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
    20       2   112 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    21       5   236 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    22       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    23       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    24   95727 4978K ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    25       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
    26       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    27       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:161
    28       4   220 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    29       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
    30       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
    31       2    80 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    32       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    33       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1110
    34       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1186
    35       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1194
    36       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2112
    37       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22000
    38       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22001
    39       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222
    40       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3000
    41       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3334
    42       3   120 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    43       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8888
    44       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:81
    45       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9312
    46       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9418
    47       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6081
    48       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6082
    49       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:30865
    50       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:3000:3050
    51       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67
    52       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:68
    53       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1110
    54       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:33434:33534
    55       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
    56       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
    57       1    60 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    58       2    60 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
    59       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 0 limit: avg 1/sec burst 5
    60       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    61       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    62     199 11680 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    63       0     0 DROP       all  --  *      *       162.255.116.72       0.0.0.0/0
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8             tcp dpt:53
    2        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8             udp dpt:53
    3        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            8.8.8.8             tcp spt:53
    4        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            8.8.8.8             udp spt:53
    5        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            108.59.15.5         tcp dpt:53
    6        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            108.59.15.5         udp dpt:53
    7        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            108.59.15.5         tcp spt:53
    8        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            108.59.15.5         udp spt:53
    9        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            172.29.56.1         tcp dpt:53
    10    1847  113K ACCEPT     udp  --  *      !lo     0.0.0.0/0            172.29.56.1         udp dpt:53
    11       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            172.29.56.1         tcp spt:53
    12       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            172.29.56.1         udp spt:53
    13   1408K  916M LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    14       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    15       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp dpt:53
    16       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           tcp spt:53
    17       1    60 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           udp spt:53
    18     15M   16G ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    19   1408K  916M INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    20   1394K  915M ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    21       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    22       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    23       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
    24       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
    25       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1110
    26       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1194
    27       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9418
    28       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
    29       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    30       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    31       1    60 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    32       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    33      31  1860 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    34       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
    35       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113
    36   14395  864K ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    37       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
    38       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    39       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    40       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:67
    41       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:68
    42       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1110
    43       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:33434:33534
    44       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
    45       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
    46       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    47       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113
    48      67  5092 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
    49       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 0
    50       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 8
    51       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 11
    52       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0           icmp type 3
    53       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    
    Chain ALLOWDYNIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_ALLOWDYN src
    
    Chain ALLOWDYNOUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_ALLOWDYN dst
    
    Chain ALLOWIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_ALLOW src
    
    Chain ALLOWOUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_ALLOW dst
    
    Chain DENYIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1       21  1216 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_DENY src
    
    Chain DENYOUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 LOGDROPOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set chain_DENY dst
    
    Chain INVALID (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1       50  3634 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
    4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
    7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
    8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
    9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
    10     148  123K INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
    
    Chain INVDROP (10 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1      198  126K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOCALINPUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1    1806K 1646M ALLOWDYNIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    2    1806K 1646M ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    3    1806K 1646M DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOCALOUTPUT (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1    1408K  916M ALLOWDYNOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    2    1408K  916M ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    3    1408K  916M DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    4       68  5152 UDPFLOOD   udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    
    Chain LOGDROPIN (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111
    2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111
    3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:113
    5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139
    6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:135:139
    7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
    8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:500
    10       1    57 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:500
    11       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:513
    12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:513
    13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520
    14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    15     185  7768 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
    16      13  3855 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
    17       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
    18     198 11623 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOGDROPOUT (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
    2        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
    3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
    4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain PORTFLOOD (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *Port Flood* '
    2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain UDPFLOOD (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1       68  5152 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    2        0     0 RETURN     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0           limit: avg 100/sec burst 500
    3        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDPFLOOD* '
    4        0     0 DROP       udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    
    Chain PREROUTING (policy ACCEPT 110K packets, 5682K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 274K packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 274K packets, 16M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    
     
  4. eva2000

    Looks to be properly set up in CSF to block that IP, to me.

    If you grep your /var/log/messages for that IP you should get entries listing *Blocked*.
    Tail/show the last 10 entries from the grep on that IP, and then output today's date right now for time reference:
    Code (Text):
    grep '162.255.116.72' /var/log/messages | tail -10
    date
     
  5. YuchiRO

    Code:
    date
    Wed Mar  9 16:52:00 UTC 2016
    
    But the log shows nothing :(
    Code:
     grep '162.255.116.72' /var/log/messages | tail -10
     
  6. eva2000

    Your /var/log/messages log might have been log rotated, so the file name might be timestamped, i.e.
    Code (Text):
    ls -lah /var/log/ | grep messages
    -rw-------  1 root          root           631K Mar  9 16:54 messages
    -rw-------  1 root          root           1.3M Feb 14 03:38 messages-20160214
    -rw-------  1 root          root           2.1M Feb 21 03:49 messages-20160221
    -rw-------  1 root          root           1.5M Feb 28 04:15 messages-20160228
    -rw-------  1 root          root           1.6M Mar  6 04:09 messages-20160306

    So you might need to change the grepped log name, i.e.
    Code (Text):
    grep '162.255.116.72' /var/log/messages-20160306 | tail -10

    Or grep them all recursively with -R:
    Code (Text):
    grep -R '162.255.116.72' /var/log/messages* | tail -10


    Compare the logged entry's date timestamp with the current server date to see how long ago it was. It could be already blocked and you're just not reading your log file's date correctly; pay attention to year/day/month or year/month/day, where month and day are reversed in some different log files.
     
  7. YuchiRO

    I checked my log; it's the same as your example.

    Code:
    ls -lah /var/log/ | grep messages
    -rw-------   1 root  root 1.3M Mar  9 16:58 messages
    -rw-------   1 root  root 891K Feb 14 03:31 messages-20160214
    -rw-------   1 root  root 782K Feb 21 03:31 messages-20160221
    -rw-------   1 root  root 2.2M Feb 28 03:17 messages-20160228
    -rw-------   1 root  root 2.4M Mar  6 03:18 messages-20160306
    
    But when I try to search, nothing displays:
    Code:
    grep '162.255.116.72' /var/log/messages-20160306 | tail -10
    OR
    grep -R '162.255.116.72' /var/log/messages* | tail -10
    
     
  8. eva2000

    It means that IP hasn't hit your server since Feb 14th, it seems, so nothing was logged. How are you determining that IP is the culprit?

    Oh, silly question, but it has happened before: if you have more than one VPS/server, make sure you ran csf deny on the right server ;)
  9. YuchiRO

    I double checked :D

    Correct VPS. I have a WordPress site and installed iThemes Security.

    I checked the log and see many invalid logins, but when I add this IP to csf and check the log again, it still shows every second :((

    Code:
    Invalid Login Attempt    5    2016-03-09 16:46:23    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:23    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:22    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:22    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:21    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:21    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:20    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:20    162.255.116.72    
    Invalid Login Attempt    5    2016-03-09 16:46:19    162.255.116.72    
  10. eva2000

  11. eva2000

    Also, do other CSF blocks get logged?
    Code (Text):
    grep -R 'TCP_IN Blocked' /var/log/messages* | tail -5
  12. eva2000

    Also, what's the output of the csf test script command?
    Code (Text):
    /etc/csf/csftest.pl

    example output
    Code (Text):
    /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server
  13. eva2000

  14. eva2000

    Also, are you behind a reverse proxy like Cloudflare, Varnish, Incapsula, Sucuri Proxy, or Nginx proxy cache in front of a backend Centmin Mod Nginx server? If you are, be sure you have set up Nginx to pass the real visitor's IP address over to Centmin Mod Nginx as outlined in Getting Started Guide step 5, which links to Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS

    I haven't used that WP plugin, but also make sure it's detecting the right IP if you're behind a reverse proxy like Cloudflare etc.
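    The reverse-proxy situation in the post above is the reason a firewall deny can appear to do nothing: the kernel only sees the proxy's address on each packet, while the WordPress plugin reads the visitor's address from a forwarded header. An added example (not code from the thread or from Centmin Mod) that makes that visible from the Nginx access log: it counts requests whose forwarded IP differs from the TCP peer address and lists which proxy addresses delivered requests attributed to one forwarded client. The log format is an assumption, the standard "combined" format with "$http_x_forwarded_for" appended as a final quoted field, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or Centmin Mod: read an Nginx access log
# and show how many requests arrived from a proxy's address with a different
# client IP in the forwarded header. The log format is an assumption: the
# "combined" format with "$http_x_forwarded_for" appended as a last quoted field.

# Constructed sample access log: three login attempts reach the server from two
# Cloudflare-style edge addresses (198.51.100.x) on behalf of one forwarded
# client (192.0.2.10); one direct request has no forwarded header.
ACCESS_LOG="$(mktemp)"
cat > "$ACCESS_LOG" <<'EOF'
198.51.100.20 - - [09/Mar/2016:16:46:19 +0700] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0" "192.0.2.10"
198.51.100.20 - - [09/Mar/2016:16:46:20 +0700] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0" "192.0.2.10"
198.51.100.21 - - [09/Mar/2016:16:46:21 +0700] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0" "192.0.2.10"
203.0.113.7 - - [09/Mar/2016:16:50:01 +0700] "GET / HTTP/1.1" 200 1024 "-" "curl/7.29.0" "-"
EOF

# Requests whose forwarded IP is present and differs from the TCP peer address.
# The kernel firewall only ever sees the peer address, so a "csf -d" on the
# forwarded IP matches none of these packets.
count_proxied_requests() {
    awk -F'"' '{
        split($1, peer, " ")          # field 1 starts with $remote_addr
        fwd = $(NF - 1)               # last quoted field: X-Forwarded-For
        if (fwd != "-" && fwd != peer[1]) n++
    } END { print n + 0 }' "$1"
}

# Distinct peer (proxy) addresses that delivered requests for one forwarded IP.
# Blocking these at the firewall would cut off every visitor behind the proxy,
# which is why the fix is to restore the real IP in Nginx instead.
peers_for_forwarded_ip() {
    awk -F'"' -v ip="$1" '$(NF - 1) == ip { split($1, peer, " "); print peer[1] }' "$2" \
        | sort -u | xargs
}

echo "proxied requests: $(count_proxied_requests "$ACCESS_LOG")"
echo "peers for 192.0.2.10: $(peers_for_forwarded_ip 192.0.2.10 "$ACCESS_LOG")"
```

    Once the real IP module is configured as the linked guide describes, $remote_addr in the access log becomes the forwarded client address for requests that came through the proxy, and the first count drops towards zero. The forwarded header is only trustworthy when it was set by a proxy you control or have listed in the real IP configuration; any client can send one directly.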
  15. YuchiRO

    Yes, my Centmin Mod Nginx is behind CloudFlare; I'm following your guide to fix this problem.
    Looks like, with your awesome help, this IP doesn't show in my log.

    Thanks and have a good day @eva2000
  16. eva2000

    Ah ha, so it was a Cloudflare issue - glad you sorted it out :)