
CSF Firewall alerts

Discussion in 'Other Centmin Mod Installed software' started by fabianski, Apr 7, 2019.

  1. fabianski

    fabianski New Member

    I closed some ports that were open in the CSF firewall and left only the ones I use:

    TCP IN = 951,80,443,587
    TCP OUT = 80,443,587

    UDP IN and OUT = all closed

    But now I receive many alerts in the /var/log/messages file, like these:
    (I do not know any of these IPs)

    Code:
    Apr  6 11:52:54 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.176.26.107 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=64669 PROTO=TCP SPT=42173 DPT=4500 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:52:59 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.200.118.46 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=50575 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr  6 11:53:28 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=112 ID=30243 DF PROTO=TCP SPT=54062 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:53:28 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=81.22.45.185 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=31732 PROTO=TCP SPT=40827 DPT=11296 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:53:31 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=112 ID=30245 DF PROTO=TCP SPT=54062 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:53:37 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=30247 DF PROTO=TCP SPT=54062 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr  6 11:53:45 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=31025 DF PROTO=TCP SPT=53261 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:53:48 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=31026 DF PROTO=TCP SPT=53261 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:53:54 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31035 DF PROTO=TCP SPT=53261 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr  6 11:54:00 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=45.79.200.61 DST=MYIPADRESS LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=36079 DF PROTO=TCP SPT=34816 DPT=25 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:54:01 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=45.79.200.61 DST=MYIPADRESS LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=36080 DF PROTO=TCP SPT=34816 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
    Apr  6 11:54:03 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=45.79.200.61 DST=MYIPADRESS LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=36081 DF PROTO=TCP SPT=34816 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
    Apr  6 11:55:10 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=112 ID=30547 DF PROTO=TCP SPT=52715 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:55:13 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=112 ID=30554 DF PROTO=TCP SPT=52715 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:55:19 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.81 DST=MYIPADRESS LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=30593 DF PROTO=TCP SPT=52715 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr  6 11:55:25 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.176.27.6 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=43934 PROTO=TCP SPT=46643 DPT=9032 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:55:33 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=162.243.150.95 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=56638 DPT=465 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr  6 11:55:42 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=81.22.45.231 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=7792 PROTO=TCP SPT=52633 DPT=55589 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:56:21 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=108 ID=31350 DF PROTO=TCP SPT=59332 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:56:24 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=108 ID=31368 DF PROTO=TCP SPT=59332 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
    Apr  6 11:56:30 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=31386 DF PROTO=TCP SPT=59332 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr  6 11:57:04 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.176.27.118 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=57578 PROTO=TCP SPT=58031 DPT=40900 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:57:06 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=46.232.112.18 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=40677 PROTO=TCP SPT=49090 DPT=32532 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:58:37 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=184.105.182.15 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=20996 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 11:58:53 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=64.6.144.6 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=42661 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 11:58:56 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=216.229.4.66 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=13118 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 11:58:58 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=157.119.71.174 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
    Apr  6 11:59:34 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=207.244.86.222 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=35213 PROTO=TCP SPT=55084 DPT=9737 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:59:42 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=184.105.182.15 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=37593 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 11:59:44 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=81.22.45.254 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=56226 PROTO=TCP SPT=52715 DPT=7014 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:59:50 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.176.27.242 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=56861 PROTO=TCP SPT=45079 DPT=3333 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 11:59:57 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=64.6.144.6 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=6908 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 12:00:01 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=216.229.4.66 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=33793 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 12:00:13 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=81.22.45.254 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=17649 PROTO=TCP SPT=52715 DPT=9125 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 12:00:49 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=184.105.182.15 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=351 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 12:01:03 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=64.6.144.6 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=25443 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 12:01:07 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=216.229.4.66 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=39240 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
    Apr  6 12:01:39 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.176.26.100 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=19444 PROTO=TCP SPT=55155 DPT=14102 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  6 12:01:56 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=45.227.254.26 DST=MYIPADRESS LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=60766 PROTO=TCP SPT=8080 DPT=3319 WINDOW=1024 RES=0x00 SYN URGP=0
    

    The file already has more than 45 thousand lines, because I receive these messages every second ...
    Today just before 11:00 AM I was not able to access my WordPress website or SSH and had to restart the VPS through the UpCloud panel.
    I have some IPs allowed in the csf.allow file for nixstats.
     
  2. eva2000

    eva2000 Administrator Staff Member

    That means CSF Firewall is doing its job blocking unwanted/invalid access.

    CSF Firewall port requirements are outlined at https://community.centminmod.com/th...stack-csf-firewall-default-port-listing.5670/ so if you removed some ports CSF Firewall uses, it could also be blocking legit traffic, i.e. pure-ftpd virtual FTP requires port 21 and a passive port range, and 9418 is required for git and Centmin Mod updates.

    I'd restore CSF Firewall's default port listing and see if the activity decreases noting the actual entries being logged before vs after port restoration.
     
  3. fabianski

    fabianski New Member

    Looking at the logs I saw that the NTP service was being blocked, so I added the IPs to the csf.allow list:

    #ntp
    udp|out|d=123|s=192.138.210.214
    udp|out|d=123|s=173.255.206.154

    I also added git, php-fpm and memcache.
    I do not use FTP, so port 21 has been closed. Just like the others ...

    But the TCP_IN Blocked records keep coming. I do not have the original csf.conf file, I did not make a backup; if you can send it to me I'll test it.

    A good example is this IP: 185.209.0.143
    There are 2108 blocked actions. Shouldn't this be enough for this IP to have been temporarily blocked? Is the firewall not configured for this?

    thanks for listening
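    As an added example (not code from the thread or from CSF itself), here is a small parser for the "Firewall: *TCP_IN Blocked*" / "*UDP_OUT Blocked*" entries quoted in the first post. It separates inbound blocks (the firewall doing its job; it also gives the per-IP count asked about above) from outbound blocks (the server's own daemons, such as NTP on udp/123 from UID 38, being cut off) and turns the outbound ones into csf.allow candidates. The sample log is constructed from lines quoted in this thread, and the csf.allow advanced syntax proto|out|d=port|d=ip is assumed from the CSF readme.

```python
import re
from collections import Counter

# Constructed sample in the format of the CSF "Firewall:" kernel log entries quoted
# in this thread (lines copied from the quoted /var/log/messages excerpt).
SAMPLE_LOG = """\
Apr  6 11:53:45 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=31025 DF PROTO=TCP SPT=53261 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Apr  6 11:53:48 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=185.209.0.143 DST=MYIPADRESS LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=31026 DF PROTO=TCP SPT=53261 DPT=3389 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Apr  6 11:54:00 principal kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=46:f8:82:e7:55:4d:74:83:ef:37:9b:ab:08:00 SRC=45.79.200.61 DST=MYIPADRESS LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=36079 DF PROTO=TCP SPT=34816 DPT=25 WINDOW=29200 RES=0x00 CWR ECE SYN URGP=0
Apr  6 11:58:37 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=184.105.182.15 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=20996 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
Apr  6 11:58:53 principal kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=MYIPADRESS DST=64.6.144.6 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=42661 DF PROTO=UDP SPT=123 DPT=123 LEN=56 UID=38 GID=38
"""
LINE_RE = re.compile(r"Firewall: \*(?P<chain>[A-Z]+_(?:IN|OUT)) Blocked\* (?P<rest>.*)$")

def parse_line(line):
    """Return (chain, {field: value}) for one blocked entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:                           # skip bare flag tokens such as DF, SYN, CWR
            fields.setdefault(key, val)  # UDP lines carry LEN twice; keep the outer one
    return m.group("chain"), fields

def summarize(log_text):
    """Count inbound blocks per (SRC, PROTO, DPT) and outbound per (DST, PROTO, DPT, UID)."""
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, f = parsed
        if chain.endswith("_IN"):       # scan noise: the firewall doing its job
            inbound[(f["SRC"], f["PROTO"], f["DPT"])] += 1
        else:                           # our own daemon (UID) being cut off: needs a look
            outbound[(f["DST"], f["PROTO"], f["DPT"], f.get("UID", "?"))] += 1
    return inbound, outbound

def blocks_per_source(inbound):
    """Total inbound blocks per source IP, busiest first (the per-IP count asked about above)."""
    totals = Counter()
    for (src, _proto, _dport), n in inbound.items():
        totals[src] += n
    return totals.most_common()

def suggest_allow_rules(outbound):
    """csf.allow candidates for blocked outbound flows, in CSF's advanced
    proto|out|d=port|d=ip form (assumed from the CSF readme; review before applying)."""
    return sorted({f"{p.lower()}|out|d={dport}|d={dst}" for (dst, p, dport, _u) in outbound})
```

Running summarize over the real /var/log/messages instead of SAMPLE_LOG gives the per-IP table for the whole file, and only the outbound list should ever turn into csf.allow entries.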
     
  4. eva2000

    eva2000 Administrator Staff Member

    That is how CSF Firewall and any firewall work: when you block an IP, an entry in /var/log/messages is made, so all the TCP_IN Blocked entries mean CSF Firewall is working as it should, blocking the IP every time it attempts to connect to your server.

    That is how it works; all the blocked entries mean the IP is blocked every time it attempts to connect to your server. You can't stop the IP from attempting to connect, but a firewall is there to prevent the actual connection and then alert you via such blocked alerts in your logs.

    How to backup/restore CSF Firewall configuration instructions have been added to https://centminmod.com/csf_firewall.html#backuprestore

    To back up CSF Firewall's current configuration profile, run the command below, where backup-name is the name of your backup; a date timestamp prefix is auto-appended in front of it, as shown when running the csf --profile list command
    Code (Text):
    csf --profile backup backup-name


    To restore the original CSF Firewall backup profile, run the commands below: list the backup profiles, restore the specific named backup profile, restart the CSF Firewall and LFD services, and finally update CSF Firewall
    Code (Text):
    csf --profile list
    csf --profile restore 1547784956_cmm_after_whitelist
    csf -ra
    csf -u
    

    csf --profile list will list the csf profile backups; look for the listing name containing
    cmm_after_whitelist with a date timestamp prefix in front, i.e. for me the date timestamp prefix gives 1547784956_cmm_after_whitelist

    Example csf --profile list output:
    Code (Text):
    csf --profile list
    
    Configuration Profiles
    ======================
    block_all_perm
    block_all_temp
    disable_alerts
    protection_high
    protection_low
    protection_medium
    reset_to_defaults
    
    Configuration Backups
    =====================
    1547784956_cmm_after_whitelist (Fri Jan 18 04:15:56 2019)
    1547784954_cmm_b4_whitelist (Fri Jan 18 04:15:54 2019)
    1547784920_cmm_b4_shodan_block (Fri Jan 18 04:15:20 2019)
    1547784919_cmm_b4_censys_block (Fri Jan 18 04:15:19 2019)
    1547784918_cmm_default_tweaked (Fri Jan 18 04:15:18 2019)
    1547784917_cmm_before_ptload_action (Fri Jan 18 04:15:17 2019)
    1547784915_initial_default (Fri Jan 18 04:15:15 2019)
    1547784914_pre_v12_09_upgrade (Fri Jan 18 04:15:14 2019)
    
     
  5. fabianski

    fabianski New Member

    Thanks for the help, I'll test this.

    csf --profile backup BACKUPNAME
     