Beta Branch revise CSF Firewall deny limits & add CSF tools/initial-csf-blocks.sh cronjob in 130.00beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Oct 31, 2023.

  1. eva2000

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    9:57 AM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    revise CSF Firewall deny limits & add CSF tools/initial-csf-blocks.sh cronjob in 130.00beta01

    - update to ensure CSF Firewall's initial install's configured IP deny blocks for shodan, censys scanners etc are re-added to CSF Firewall deny IP list /etc/csf/csf.deny when it detects the number of IP denied entries is running within 100 entries of the preset CSF Firewall DENY_IP_LIMIT threshold in /etc/csf/csf.conf. Addresses the fact that these preset IP deny blocks will eventually get auto purged once reaching DENY_IP_LIMIT threshold https://community.centminmod.com/th...-range-list-in-123-09beta01.18710/#post-97617
    - existing 130.00beta01 users can run cmupdate to update to this commit, and then run and exit centmin.sh menu once to apply the change and set up the cronjob which runs every 2hrs. You can check it's set up by running the command to list cronjobs

    crontab -l

    33 */2 * * * /usr/local/src/centminmod/tools/initial-csf-blocks.sh >/dev/null 2>&1

    Example when manually running the tool and when number of IPs denied hasn't reached the DENY_IP_LIMIT threshold

    /usr/local/src/centminmod/tools/initial-csf-blocks.sh

    Check /etc/csf/csf.conf
    DENY_IP_LIMIT: 600000
    DENY_TEMP_IP_LIMIT: 800000
    Number of CSF Firewall Blocked IPs: 8467


    DENY_IP_LIMIT & DENY_TEMP_IP_LIMIT IP limits not reached
    nothing to do

    130.00beta01 branch

  2. MaximilianKohler

    MaximilianKohler Member

    214
    9
    18
    Jun 23, 2023
    Ratings:
    +39
    Local Time:
    4:57 PM
    Seemed to work well, thanks!
     
  3. eva2000

    eva2000 Administrator Staff Member

    Thank you for the reminder to look into this (y)
     
  4. MaximilianKohler

    MaximilianKohler Member

    I just checked my /etc/csf/csf.deny file and I don't see the censys IPs there anymore. I ran "crontab -l" and I see the
    Code:
    33 */2 * * * /usr/local/src/centminmod/tools/initial-csf-blocks.sh >/dev/null 2>&1
    
     
  5. eva2000

    eva2000 Administrator Staff Member

    Could be the cronjob hasn't run yet to re-populate /etc/csf/csf.deny?

    The script though only re-populates when it detects the number of IP denied entries is running within 100 entries of the preset CSF Firewall DENY_IP_LIMIT threshold in /etc/csf/csf.conf.

    Check how many deny IP entries are in /etc/csf/csf.deny using command
    Code (Text):
    grep -v '^#' /etc/csf/csf.deny | wc -l

    check the set DENY_IP_LIMIT in /etc/csf/csf.conf
    Code (Text):
    grep '^DENY_IP_LIMIT' /etc/csf/csf.conf


    If you manually run /usr/local/src/centminmod/tools/initial-csf-blocks.sh, what output do you get and do you see them in /etc/csf/csf.deny ?
     
  6. MaximilianKohler

    MaximilianKohler Member

    Code:
    grep -v '^#' /etc/csf/csf.deny | wc -l
    2077
    
    grep '^DENY_IP_LIMIT' /etc/csf/csf.conf
    DENY_IP_LIMIT = "15000"
    
    That seemed odd, so I backed up my /etc/csf/ folder to have for reference before running /usr/local/src/centminmod/tools/initial-csf-blocks.sh.

    The entries in csf.deny are Nov 19 to Dec 9. So even though they were in the file on Oct 31, and the limit is now 15,000, somehow they were removed and not re-added, even though there are only 2k entries.

    It did work with one error:
    Code:
     /usr/local/src/centminmod/tools/initial-csf-blocks.sh
    
    Check /etc/csf/csf.conf
    DENY_IP_LIMIT: 15000
    DENY_TEMP_IP_LIMIT: 10000
    Number of CSF Firewall Blocked IPs: 2097
    /usr/local/src/centminmod/tools/initial-csf-blocks.sh: line 48: /etc/centminmod/csf/csf-permaban.conf: No such file or directory
    
    Re-apply initial CSF Firewall set of IP blocks once CSF Firewall
    DENY_IP_LIMIT & DENY_TEMP_IP_LIMIT IP limits are reached
    Creating backup...
    ‘/etc/csf/csf.conf’ -> ‘/var/lib/csf/backup/1702120444_cmm_b4_censys_block_tool’
    
    and I see the entries again in the csf.deny.

    I have gotten occasional Cron emails:
    Code:
    Cron <root@x> /usr/lib64/sa/sa1 1 1
    (Cron Daemon) root@x via email.cloudflare.net
        12:00 AM (3 hours ago)
        Invalid system activity file: /var/log/sa/sa09
    
    
    Cron <root@x> /usr/lib64/sa/sa1 1 1
    (Cron Daemon) root@x via email.cloudflare.net
        Mon, Dec 4, 12:00 AM (5 days ago)
        Invalid system activity file: /var/log/sa/sa04
    
    
    Cron <root@centos7test> /usr/lib64/sa/sa1 1 1
    (Cron Daemon) root@centos7test.localdomain via email.cloudflare.net
        Sun, Dec 3, 12:56 AM (6 days ago)
        flock: Resource temporarily unavailable
    I did a search for those errors and the result I saw said to ignore them and let it fix itself.

    I checked my cron logs /var/log/cron, and everything seems to be running without errors. I do see a bunch of:
    Code:
    Dec  9 11:40:01 domain CROND[47522]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:41:01 domain CROND[47603]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:42:01 domain CROND[47669]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:43:01 domain CROND[47743]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:44:01 domain CROND[47817]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:45:01 domain CROND[47892]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    Dec  9 11:45:01 domain CROND[47893]: (root) CMD (/usr/lib64/sa/sa1 1 1)
    
    It says the block script ran earlier today, multiple times:
    Code:
    Dec  9 10:33:01 domain CROND[40871]: (root) CMD (/usr/local/src/centminmod/tools/initial-csf-blocks.sh >/dev/null 2>&1)
    Dec  9 08:33:01 domain CROND[31269]: (root) CMD (/usr/local/src/centminmod/tools/initial-csf-blocks.sh >/dev/null 2>&1)
    Dec  9 06:33:01 domain CROND[22162]: (root) CMD (/usr/local/src/centminmod/tools/initial-csf-blocks.sh >/dev/null 2>&1)
    
    And yesterday too.

    I did some searches for "cron log says the job ran but it didn't" and one of the suggestions was to check /var/spool/mail/root, and that file only has entries from June 28. 1500 lines.

    Another said to make sure the .sh is executable, which it is.

    This suggestion sounds useful:
    Code:
    00 00 * * * /var/www/html/(actual filepath)/backups/backup_extract.sh >> /path/to/log/file.txt 2>&1
    I see it's currently outputting to /dev/null, which is a 0-byte file.
     
    Last edited: Dec 9, 2023
  7. eva2000

    eva2000 Administrator Staff Member

    You can ignore this error for /etc/centminmod/csf/csf-permaban.conf as it's just a check to see if you created that custom file yourself /etc/centminmod/csf/csf-permaban.conf as outlined at https://community.centminmod.com/th...-csf-blocks-sh-cronjob-in-130-00beta01.24225/
    Checking that routine's code, reaching within 100 entries of DENY_IP_LIMIT is only one possible criterion for /usr/local/src/centminmod/tools/initial-csf-blocks.sh actually re-populating the csf.deny file. The other criterion is whether those Shodan, Censys deny entries aren't detected in the csf.deny file. Which was your case and why the output for the /usr/local/src/centminmod/tools/initial-csf-blocks.sh run is what you got and why it worked. So quite possibly you checked csf.deny at a time before /usr/local/src/centminmod/tools/initial-csf-blocks.sh actually ran.

    Each time the script runs to re-populate, it will do a CSF Firewall settings profile backup so you can see all the entries listed in date ascending order where latest is at the bottom/most recent entry
    Code (Text):
    ls -lAhrt /var/lib/csf/backup/ | grep 'cmm_b4_censys_block_tool'


    Lastly, make sure you're properly inspecting /etc/csf/csf.deny for missing shodan and censys commented entries
    Code (Text):
    # list entries matching keywords censys and shodan
    egrep 'censys|shodan' /etc/csf/csf.deny
    # count number of entries
    egrep 'censys|shodan' /etc/csf/csf.deny | wc -l
    
     
  8. MaximilianKohler

    MaximilianKohler Member

    I made some edits to my previous comment. Not sure if you saw them. I think changing the cron job to output to a log file is the best troubleshooting option:
    Code:
    33 */2 * * * /usr/local/src/centminmod/tools/initial-csf-blocks.sh >> /var/log/cron.log 2>&1
    
    I did that, and now I see this in that file:
    Code:
    Check /etc/csf/csf.conf
    DENY_IP_LIMIT: 15000
    DENY_TEMP_IP_LIMIT: 10000
    Number of CSF Firewall Blocked IPs: 2187
    /usr/local/src/centminmod/tools/initial-csf-blocks.sh: line 48: /etc/centminmod/csf/csf-permaban.conf: No such file or directory
    
    DENY_IP_LIMIT & DENY_TEMP_IP_LIMIT IP limits not reached
    nothing to do
    It would have been useful to see that info prior to running the script manually though. Perhaps I'll restore the old file and see what it outputs.

    I had edited my previous comment to highlight that the cron log showed that it had "run" multiple times earlier in the day and the previous days. But it seems it didn't actually run.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Ok, I found the bug in tools/initial-csf-blocks.sh: it was missing a PATH extension to tell cron to look for the csf command in the /usr/sbin path, as running the cronjob showed this error for "csf: command not found"
    Code (Text):
    csf -d 198.20.70.113 census3.shodan.io
    /usr/local/src/centminmod/tools/initial-csf-blocks.sh: line 126: csf: command not found
    

    Fixing it right now :) You'll be able to pull in update via cmupdate once done
     
  10. MaximilianKohler

    MaximilianKohler Member

    Ah, yep. I see a bunch of those in my /var/log/cron.log now after restoring the old
    csf.deny file. Thanks!

    EDIT:
    I was curious about the "auto-detect", so I removed some of the censys & census lines to see if it would trigger the replacement, but it didn't. I guess this is the part of the script that autodetects:
    Code:
        if [[ ! "$(grep 'shodan' /etc/csf/csf.deny)" ]] || [[ ! "$(grep 'censys' /etc/csf/csf.deny)" ]] 
    So to trigger the replacement you'd have to remove all instances of "shodan" or "censys".
     
    Last edited: Dec 10, 2023
  11. eva2000

    eva2000 Administrator Staff Member

    Indeed, that would be a limitation of how I have the detection: all shodan and censys lines would need to have been removed for it to trigger re-population by /usr/local/src/centminmod/tools/initial-csf-blocks.sh. Guess I could update it to check for each shodan and censys entry individually instead.
     
  12. MaximilianKohler

    MaximilianKohler Member

    I don't think that's necessary. I saw a unique line and thought it could be put at the top and only search for that one entry.
    Code:
    104.131.0.69 # hello.data.shodan.io - Sat Dec  9 03:14:11 2023
    104.236.198.48 # blog.shodan.io - Sat Dec  9 03:14:11 2023
    185.163.109.66 # goldfish.census.shodan.io - Sat Dec  9 03:14:12 2023
    185.181.102.18 # turtle.census.shodan.io - Sat Dec  9 03:14:12 2023
    
    Hello, blog, goldfish, and turtle are all unique words that only occur once. Whereas there are 13 instances of "censys" at the top that would have to all be removed before the replacement is triggered.
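
The three points raised in this thread (the DENY_IP_LIMIT headroom check from post 5, the cron PATH bug from post 9, and the per-entry detection discussed in posts 10 to 12) as one added example. This is not Centmin Mod's tools/initial-csf-blocks.sh and not code from any poster; it runs against constructed sample copies of csf.conf and csf.deny in a temp directory. The preset list (presets.txt), the function names, the CSF_DRY_RUN variable and the sample lfd entry are assumptions for illustration; the IPs and Shodan hostnames are the ones quoted in the thread. It only ever calls csf when the binary is installed and dry-run mode is off.

```shell
#!/usr/bin/env bash
# Added example for this thread, not Centmin Mod's tools/initial-csf-blocks.sh.
# It exercises the three points discussed above on constructed sample files:
#   1. a cron-safe PATH so the csf binary in /usr/sbin is found,
#   2. the "within 100 entries of DENY_IP_LIMIT" headroom check,
#   3. per-entry detection of the preset scanner blocks (one missing line is
#      enough to trigger a re-add) instead of a single grep for 'shodan'/'censys'.
# The preset list below is an assumption for illustration; the real list lives in the tool.

# 1. cron usually starts jobs with PATH=/usr/bin:/bin, which is why a bare
#    'csf' fails there while it works in an interactive root shell.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"

# Number of active deny entries: skip comment lines and blank lines.
deny_count() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Value of DENY_IP_LIMIT = "15000" in csf.conf (digits only).
deny_limit() {
  sed -n 's/^DENY_IP_LIMIT *= *"\([0-9]*\)".*/\1/p' "$1"
}

# 2. Exit 0 when csf.deny is within MARGIN (default 100) entries of DENY_IP_LIMIT,
#    i.e. when CSF is about to start purging old entries.
near_limit() {
  local deny="$1" conf="$2" margin="${3:-100}" count limit
  count=$(deny_count "$deny"); limit=$(deny_limit "$conf")
  [ -n "$limit" ] || return 2
  [ $((limit - count)) -le "$margin" ]
}

# 3. Print each preset (one "IP comment" pair per line) whose IP is absent from
#    csf.deny. Matching the IP at line start, followed by a space, '#' or end of
#    line, avoids a 1.2.3.4 entry being mistaken for 1.2.3.40.
missing_blocks() {
  local deny="$1" presets="$2" ip comment ip_re
  while read -r ip comment; do
    [ -n "$ip" ] || continue
    ip_re=$(printf '%s' "$ip" | sed 's/[.]/\\./g')
    grep -qE "^${ip_re}([[:space:]]|#|$)" "$deny" || printf '%s %s\n' "$ip" "$comment"
  done < "$presets"
}

# Re-add what is missing with 'csf -d IP comment', the command the tool itself
# runs. Without csf installed, or with CSF_DRY_RUN=1, only print the command.
readd_missing() {
  local ip comment
  missing_blocks "$1" "$2" | while read -r ip comment; do
    if [ -n "${CSF_DRY_RUN:-}" ] || ! command -v csf >/dev/null 2>&1; then
      printf 'would run: csf -d %s %s\n' "$ip" "$comment"
    else
      csf -d "$ip" "$comment"
    fi
  done
}

# Constructed sample data: a csf.conf fragment, a csf.deny holding two of the
# five preset Shodan entries plus an ordinary lfd block, and the preset list.
build_sample_dir() {
  local d; d=$(mktemp -d)
  printf 'DENY_IP_LIMIT = "15000"\nDENY_TEMP_IP_LIMIT = "10000"\n' > "$d/csf.conf"
  cat > "$d/csf.deny" <<'EOF'
# csf.deny (constructed sample)
# IP address, followed by an optional comment
104.131.0.69 # hello.data.shodan.io - Sat Dec  9 03:14:11 2023
198.20.70.113 # census3.shodan.io - Sat Dec  9 03:14:11 2023
203.0.113.7 # lfd: (sshd) Failed SSH login from 203.0.113.7
EOF
  cat > "$d/presets.txt" <<'EOF'
104.131.0.69 hello.data.shodan.io
104.236.198.48 blog.shodan.io
185.163.109.66 goldfish.census.shodan.io
185.181.102.18 turtle.census.shodan.io
198.20.70.113 census3.shodan.io
EOF
  printf '%s\n' "$d"
}

# Stand-alone run: report headroom and the dry-run re-add list for the sample.
report() {
  local d; d=$(build_sample_dir)
  echo "Blocked IPs: $(deny_count "$d/csf.deny") / DENY_IP_LIMIT: $(deny_limit "$d/csf.conf")"
  if near_limit "$d/csf.deny" "$d/csf.conf"; then echo "near DENY_IP_LIMIT"; else echo "headroom ok"; fi
  CSF_DRY_RUN=1 readd_missing "$d/csf.deny" "$d/presets.txt"
  rm -rf "$d"
}
report
```

With the sample files the headroom check reports "headroom ok" (3 entries against a limit of 15000), while the per-entry check lists the three absent Shodan hosts and would re-add each one individually, which is the behaviour posts 10 to 12 asked for: deleting a single preset line is enough to trigger its re-add, and the decision no longer depends on whether some other line still happens to contain the word "shodan" or "censys".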