CSF keeps blocking a lot of normal users' IPs

darkbear (Verified User, joined Jan 31, 2013, 60 messages)
Every day I get a lot of warnings about "port scanning", like:
lfd - *Port Scan* detected from xxx.xxx.xxx.xxx (CN/China/dns43.online.tj.cn). 21 hits in the last 452 seconds

and it blocks the IP, but... I find a lot of them are just normal users, and they are not trying to scan my ports. Here are my port scan tracking settings:

PS_INTERVAL = 300
PS_LIMIT = 10

Any suggestion on how to fix it? Thank you so much.
 
When I used it I also had a lot of false positives. I have disabled it on all my servers. You can disable it by setting PS_INTERVAL to "0".
 
I have exactly the same setting and only had a false positive once, a couple of years ago.
It says you have to have DROP_IP_LOGGING = "0" and DROP_LOGGING = "1".
You could also set the interval from 300 back to 120, for example.

If you have so many false positives there must be a reason for it, as I'm monitoring 3 DA servers and 1 cPanel server with the same settings and have no false positives.
 
Well, we were using PS_INTERVAL 60 and PS_LIMIT 20, and still had several false positives every month. Also note that many tools you run traceroute commands with always create false positives when doing a traceroute against a domain or IP.
 
Agree, I got problems with PS_INTERVAL 60 and PS_LIMIT 20 too. Did you just disable PS_INTERVAL? Thanks.
 
Still find it odd.

If you want to disable it, yes you can.
PS_INTERVAL = "0"
will disable the thing.

Thank you so much, but for security reasons I think I will not disable it. I just want to find a better setting so that it doesn't block normal users again.
 
Do you have this one, or have you added things like "open" or "invalid" or something?
Code:
PS_PORTS = "0:65535,ICMP"
If you want you can also specify a set of ports or a port range you want monitored.

Maybe you can ask the users what they were doing. Some do like to see if the server is safe. Others use crap software that opens a lot of ports. There was a FileZilla version causing something like that.
Also Mac users with newer Macs and Mail. An older Mac email client connects to all mail ports instead of only the one from the configuration.
I don't understand what Ditto means by the tools to run traceroute commands with, and why customers should use traceroute commands.

Anyway, there are some options to play with and test. And if you don't want the customers to be blocked for a long time, just use a short block period (for example 10 minutes) in the test period.
However, this means the really "bad guys" are also only blocked for 10 minutes.
We hardly get real port scans anymore; mostly it's script kiddies using that method.
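To see why a mail client that tries every mail port can trip the same rule as a real sweep, here is an added example (not CSF's or lfd's own code) that replays constructed iptables-style DROP log lines through a sliding-window model of PS_INTERVAL/PS_LIMIT. It assumes DROP_LOGGING is on so dropped packets reach the log, and it is only an approximation of lfd's bookkeeping: the log line quoted at the top of the thread reports 21 hits over 452 seconds against a 300 second interval, so lfd's real window is not a strict sliding one.

```python
import re
from collections import defaultdict, deque

# Timestamp and source address of an iptables-style DROP log line.
LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) .*\bSRC=(\S+)")


def _line(t, src, dpt):
    # Build one constructed log line (t is seconds since midnight).
    h, m, s = t // 3600, (t % 3600) // 60, t % 60
    return (f"Feb  1 {h:02d}:{m:02d}:{s:02d} host kernel: Firewall: *TCP_IN Blocked* "
            f"IN=eth0 SRC={src} DST=203.0.113.5 PROTO=TCP DPT={dpt}")


# Constructed sample, not real traffic: a mail client poking 12 closed
# mail-ish ports over ~35 s, then a sweep of 25 low ports in under 10 s.
MAIL_PORTS = [26, 106, 2525, 4190, 8025, 1143, 1993, 2095, 2096, 4000, 5000, 6000]
SAMPLE_LOG = "\n".join(
    [_line(36000 + 3 * i, "198.51.100.7", p) for i, p in enumerate(MAIL_PORTS)]
    + [_line(36100 + i // 3, "192.0.2.99", 1 + i) for i in range(25)])


def port_scan_detections(log, ps_interval, ps_limit):
    """Return {src: hits} for sources that reach ps_limit dropped packets
    within a sliding ps_interval-second window (a model of lfd's rule, not
    a reimplementation). ps_interval == 0 disables tracking, as the thread says."""
    if ps_interval == 0:
        return {}
    windows = defaultdict(deque)
    flagged = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall DROP line
        hh, mm, ss, src = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)
        win = windows[src]
        win.append(t)
        while t - win[0] > ps_interval:  # expire hits older than the interval
            win.popleft()
        if len(win) >= ps_limit and src not in flagged:
            flagged[src] = len(win)  # this is where lfd would report "*Port Scan* detected"
    return flagged


if __name__ == "__main__":
    for interval, limit in ((300, 10), (60, 20)):
        print(f"PS_INTERVAL={interval} PS_LIMIT={limit}:",
              port_scan_detections(SAMPLE_LOG, interval, limit))
```

With the thread's 300/10 settings both the mail client and the sweep get flagged; with 60/20 only the sweep does, which is the trade-off the thread is circling around.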
 