[Security] Why CSF doesn't block the IPs in the syslog (port scanning)

Discussion in 'System Administration' started by negative, Apr 27, 2019.

  1. negative
    Hello,

    I've configured csf well and it is working. However, it shows that someone is scanning the ports on my webserver.

    Also, I have configured the port scanning feature in csf and restarted csf. I thought something was wrong on my webserver with csf.

    Code (Text):
    PS_INTERVAL = "300"
    PS_LIMIT = "15"


    I see those logs via /var/log/messages but csf doesn't do anything about that. The same IPs are scanning all of my ports, as you can see in the screenshot below.

    [Screenshot: Ekran Resmi 2019-04-27 05.00.20.png]

    Yes, you can say that the firewall is working and blocks the connections, but why do those same attacker IPs scan my server continuously? I see the same IPs every day. csf should block those IPs which scan my webserver 15 times in 300 seconds (as per my csf settings).
     
  2. eva2000
    That is how firewalls work; there's a difference between successful and unsuccessful connections. Firewalls like CSF Firewall, used by Centmin Mod, prevent a successful connection to your server. The logs just show the failed attempts at connecting, i.e. TCP_IN Blocked or UDP_IN Blocked etc. Firewalls can't stop IPs from attempting (unsuccessfully) to connect.
     
  3. negative
    So why is there a port scanning function in CSF then? Someone is scanning my ports from the same IPs even.
     
  4. eva2000
    Not sure I understand the question? CSF Firewall is doing its job. When an IP scans your ports, after the threshold it will block the IP from successfully connecting, i.e. to sshd port 22, and then it will log to the server system message log whenever that blocked IP attempts to do another scan again, and every time it will block that IP from successfully connecting. If the IP comes back to scan and is still blocked, CSF will again log the unsuccessful attempt in your message log.

    Every time a blocked IP attempts a connection, it will be logged in the /var/log/messages log by CSF Firewall. That is how you know CSF Firewall is working: by inspecting your system message log.
     
  5. Jimmy
    It's like kicking a rowdy patron from a bar/pub. You can prohibit him from re-entering the bar/pub, but you can't prevent him from waiting outside and knocking at the front door where the bouncer records every time he tries to re-enter the bar/pub.
     
  6. negative
    I got it, thanks! Anyway, I configured the port scanning feature in CSF but I don't see anything in the csf.deny file, and I didn't get an email that an IP was blocked. I read articles about this feature, and if it works, csf adds lines to csf.deny for each IP blocked for port scanning. So, something may have gone wrong in my configuration. Confused.

    I Understood. Perfect example! :D
     
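To check whether the PS_INTERVAL / PS_LIMIT settings from the first post would actually fire on what the syslog shows, here is an added example (not CSF's own code, and a simplified model of its port-scan tracking) that parses the blocked-packet lines from /var/log/messages and counts them per source IP over a sliding 300-second window. It assumes the "Firewall: *TCP_IN Blocked* ... SRC=... DPT=..." line shape that CSF's iptables LOG rules write, and uses constructed sample lines rather than real log data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample /var/log/messages lines (assumed CSF LOG-rule shape): 16 blocks
# from one source inside 5 minutes, 3 from another, plus an unrelated sshd line.
_BASE = datetime(2019, 4, 27, 5, 0, 0)
_FMT = ("{ts} web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC={src} "
        "DST=198.51.100.10 PROTO=TCP SPT=51234 DPT={dpt}")
def _line(sec, src, dpt):
    return _FMT.format(ts=(_BASE + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S"), src=src, dpt=dpt)
SAMPLE_LOG = "\n".join(
    [_line(15 * i, "203.0.113.5", 1000 + i) for i in range(16)]
    + [_line(60 * i, "198.51.100.77", 22) for i in range(3)]
    + ["Apr 27 05:04:00 web sshd[123]: Accepted publickey for admin from 192.0.2.9 port 4000 ssh2"])

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?Firewall: \*\w+ Blocked\*"
                     r".*?SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")

def parse_blocks(text, year=2019):
    """Return [(timestamp, src_ip, dst_port)] for each logged block; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], int(m["dpt"])))
    return events

def port_scan_offenders(events, ps_interval=300, ps_limit=15):
    """Simplified CSF model: a source with more than PS_LIMIT logged blocks inside any
    PS_INTERVAL-second window should be blocked. Returns {src_ip: time limit was crossed}."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    offenders = {}
    for src, stamps in by_src.items():
        stamps.sort()
        left = 0                      # sliding window over this source's timestamps
        for right, ts in enumerate(stamps):
            while (ts - stamps[left]).total_seconds() > ps_interval:
                left += 1
            if right - left + 1 > ps_limit:
                offenders[src] = ts
                break
    return offenders

if __name__ == "__main__":
    for ip, when in port_scan_offenders(parse_blocks(SAMPLE_LOG)).items():
        print(f"{ip} crossed PS_LIMIT at {when:%b %d %H:%M:%S}: expect a csf.deny or temporary block entry")
```

If an IP shows up here but never appears in csf.deny or the temporary block list, the tracking itself (not the firewall rules) is what to look at in csf.conf.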
  7. eva2000
    CSF Firewall has permanent and temporary IP blocks; more info at https://download.configserver.com/csf/readme.txt, including the note about blocked IPs not showing in iptables, as it is inspected via the /proc/net/ipt_recent/* files

    and from the /etc/csf/csf.conf CSF Firewall config file
     
  8. eva2000