Firewall - csf bruteforce not working properly and high CPU use

micheld (Verified User, joined Apr 5, 2006, 55 messages, location NL)
I don't have full confidence in how brute-force blocking into the firewall works.
I use csf v14.17 and DirectAdmin version 1.642 on CentOS 7 64-bit.

In the Brute Force Monitor I see, under Failed Logins on the web interface:
212.70.x.x 4168 2022-09-16 17:59 2022-09-17 08:08 (block yes)
5.34.x.x 3085 2022-09-15 18:11 2022-09-18 16:28 (block yes)

So the IP 212.70.x.x has logged in wrongly 4168 times. I would like to stop this at 150 times and block.

In the block list of the brute force list I see 364 items.
When I check the firewall I see in csf.deny, the IP address deny file: (Currently: 17 permanent IP bans).
Only what I did by hand, 17 entries. These should be the same items, so 364, or?

I also see another problem: the log file is 85 MB big, and I see some high CPU use.
dataskq is sometimes using 175% CPU.

In the past I used the arno-firewall, so I removed it and deleted my own scripts like:
rm /usr/local/directadmin/scripts/custom/block_ip.sh
rm /usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
rm /usr/local/directadmin/scripts/custom/show_blocked_ips.sh
rm /usr/local/directadmin/scripts/custom/unblock_ip.sh
rm /root/blocked_ips.txt
rm /root/exempt_ips.txt

And then I installed:

wget -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh

I'm not very confident this will work. Since I've used csf I have 4 times as much high load. And I see too many wrong logins.
I hope someone can help me do a few checks or give some tips.
 
I'll try again. I see high CPU use: 172.4% for directadmin in top.
I think this is from the csf firewall.

In the Brute Force Monitor I see 18728 IP blocks, and brute_log_entries.list is 74.89 MB.
And there are 203864 items in Failed Logins. Is there a way to change the log size?
 
You must use ipset to block IPs; by default it blocks with iptables, which can cause high load.
In the csf GUI configuration page set LF_IPSET to ON.
Also, ipset must be installed on your system.
 
Thank you for the fast reply; ipset is already installed.
I found LF_IPSET in the csf config, set it to ON, and restarted the firewall.
I actually expected that I would see the IP blocks from the brute force back in the firewall, for example in csf.deny. But I use iptables, so I understand that I cannot check only in iptables.
 
Normally BFM and CSF work together: BFM detects and blocks IPs with CSF.
 
That doesn't seem to work, see my previous post; only when it is added manually using the brute force web interface.

Any idea how to fix this, so that the blocked IP goes into the csf.deny file?

I see 4277 blocked IPs in the brute force. But in iptables (iptables -S) I see 80 items.
Looks like it does not work.

LF_IPSET does not help to lower CPU use. I have restarted directadmin and lfd.
 
I use top, and I see 173.8% CPU use for directadmin:
25261 root 20 0 1008632 12556 6624 S 173.8 0.1 0:02.22 directadmin

I checked tail -n 10 /var/log/directadmin/errortaskq.log
and it looks like the scan works:

2022:12:19-11:35:13: Brute Force (xx.xx.xx.xx, 'exim2=663&first_entry=1671109086&last_entry=1671446051&last_notify=1671446112'): Script output: [OK] The IP 46.148.40.114 was blocked with CSF, BLOCK_PORTS= 25 465 587
2022:12:19-11:38:29: UnBlock IP 'x.xx.xx.xx': Script output: [OK] The IP 5.34.207.134 was unblocked Reason: when=1670582278 + (60 * unblock_brute_ip_time=14400) <= now=1671446309
2022:12:19-11:39:13: Brute Force (xx.xx.xxx.xx, 'exim2=27827&first_entry=1671020704&last_entry=1671446351&last_notify=1671446352'): Script output: [OK] The IP xx.x.x.x was blocked with CSF, BLOCK_PORTS= 25 465 587
2022:12:19-11:39:14: Brute Force (xx.xx.xx.xx, 'exim2=606&first_entry=1671109326&last_entry=1671446351&last_notify=1671446353'): Script output: [OK] The IP xx.xx.x.xx was blocked with CSF, BLOCK_PORTS= 25 465 587
When I check the log I see the same IP blocked again within one hour. So it looks like the block does not work.
I was already afraid of that. So the scan continues but does not block, and that costs CPU.
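The check the post above does by eye, written out as an added example (not code from the thread, from DirectAdmin or from csf): it reads the "Brute Force ... was blocked with CSF" lines in the errortaskq.log format shown above, reports any IP that is blocked again within a window (a block that actually landed in the firewall cannot produce a second block line that soon), and then looks each such IP up in a csf.deny file, which is where the earlier reply says BFM's block script should be putting them. The sample log, the sample csf.deny and every IP and timestamp in it are constructed; the file paths are arguments so it can be pointed at the real /var/log/directadmin/errortaskq.log and /etc/csf/csf.deny.

```shell
#!/bin/sh
# Added example, not part of the thread, DirectAdmin or csf.
# Finds IPs that BFM reports as "blocked with CSF" more than once inside a time
# window and checks whether those IPs are present in csf.deny.

# Constructed sample log in errortaskq.log format (YYYY:MM:DD-HH:MM:SS stamps).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2022:12:19-11:35:13: Brute Force (203.0.113.5, 'exim2=663&first_entry=1671109086&last_entry=1671446051&last_notify=1671446112'): Script output: [OK] The IP 203.0.113.5 was blocked with CSF, BLOCK_PORTS= 25 465 587
2022:12:19-11:38:29: UnBlock IP '198.51.100.9': Script output: [OK] The IP 198.51.100.9 was unblocked Reason: when=1670582278 + (60 * unblock_brute_ip_time=14400) <= now=1671446309
2022:12:19-11:39:13: Brute Force (192.0.2.77, 'exim2=27827&first_entry=1671020704&last_entry=1671446351&last_notify=1671446352'): Script output: [OK] The IP 192.0.2.77 was blocked with CSF, BLOCK_PORTS= 25 465 587
2022:12:19-12:04:40: Brute Force (203.0.113.5, 'exim2=702&first_entry=1671109086&last_entry=1671447870&last_notify=1671447880'): Script output: [OK] The IP 203.0.113.5 was blocked with CSF, BLOCK_PORTS= 25 465 587
2022:12:20-11:40:01: Brute Force (192.0.2.77, 'exim2=28001&first_entry=1671020704&last_entry=1671532790&last_notify=1671532801'): Script output: [OK] The IP 192.0.2.77 was blocked with CSF, BLOCK_PORTS= 25 465 587
EOF

# Constructed sample csf.deny; csf writes "ip # comment" lines like this one.
SAMPLE_DENY=$(mktemp)
cat >"$SAMPLE_DENY" <<'EOF'
# csf.deny sample (constructed)
192.0.2.77 # BFM: exim2=27827 (IR/Iran/-) - Mon Dec 19 11:39:13 2022
EOF

# repeat_blocks LOG [WINDOW]: prints "IP seconds-since-previous-block" for every
# block of an IP that follows an earlier block of the same IP within WINDOW
# seconds (default 3600).
repeat_blocks() {
    awk -v win="${2:-3600}" '
    # Days since 1970-01-01 from a civil date, integer maths only, so it also
    # runs on mawk/busybox awk, which have no mktime().
    function days(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    match($0, /The IP [0-9.]+ was blocked/) {
        ip = substr($0, RSTART + 7, RLENGTH - 19)   # strip "The IP " / " was blocked"
        split($1, t, /[-:]/)                        # 2022:12:19-11:35:13:
        now = days(t[1], t[2], t[3]) * 86400 + t[4] * 3600 + t[5] * 60 + t[6]
        if ((ip in last) && now - last[ip] <= win) print ip, now - last[ip]
        last[ip] = now
    }' "$1"
}

# deny_has DENY IP: succeeds when IP is the first field of a csf.deny line.
deny_has() {
    awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1"
}

# deny_count DENY: number of real entries, comments and blank lines skipped.
# Compare this with the count the Brute Force Monitor shows.
deny_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# check_blocks LOG DENY: one line per repeat-blocked IP. "missing" means the BFM
# block script never got the IP into csf; "present" means csf has it but the
# rule is not taking effect (look at ipset/iptables next).
check_blocks() {
    repeat_blocks "$1" | while read -r ip secs; do
        if deny_has "$2" "$ip"; then
            echo "$ip re-blocked after ${secs}s, present in csf.deny"
        else
            echo "$ip re-blocked after ${secs}s, missing from csf.deny"
        fi
    done
}

check_blocks "$SAMPLE_LOG" "$SAMPLE_DENY"
echo "entries in csf.deny: $(deny_count "$SAMPLE_DENY")"
```

On the sample data only 203.0.113.5 is flagged (blocked again 1767 seconds after the first block, and absent from csf.deny); 192.0.2.77 is blocked twice as well, but a day apart, which is consistent with an unblock in between. Run it against the real log and csf.deny, and compare the entry count with what the Brute Force Monitor reports.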
 
was unblocked Reason: when=1670582278 + (60 * unblock_brute_ip_time=14400) <= now=1671446309
I'm using "don't unblock"; you can use any.
Also, sometimes I go to BFM, mark which IPs to ban and ban them manually, without waiting until it collects more attempts. Also change the SSH port to something other than 22, and configure it in CSF too. Also, you can set a harder limit on email attempts in csf, from 10 per hour to 5 per 8 hours, or whatever fits you better.
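The two csf.conf changes recommended in this thread (LF_IPSET to ON in the earlier reply, and a stricter SMTP AUTH failure limit here), as an added example that is not code from the thread or from csf. The key names LF_IPSET, LF_SMTPAUTH, LF_SMTPAUTH_PERM, LF_INTERVAL and DENY_IP_LIMIT are real csf.conf keys; the sample file, the audit thresholds and the new DENY_IP_LIMIT value are this example's own assumptions. Two caveats a practitioner wants here: LF_INTERVAL is the window for all of lfd's login-failure triggers, not just SMTP AUTH, so "5 per 8 hours" for mail also lengthens the window for SSH, FTP and the rest; and DENY_IP_LIMIT caps how many entries csf.deny keeps (oldest dropped past the cap), which is one reason a BFM block list of thousands will never match csf.deny one-for-one unless the cap is raised, something csf only makes cheap once LF_IPSET is on.

```shell
#!/bin/sh
# Added example, not part of the thread or of csf. Audits the csf.conf keys the
# thread discusses and writes the hardened values into a copy of the file.

# Constructed sample csf.conf with stock-style values.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# csf.conf sample (constructed)
LF_IPSET = "0"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "1"
LF_INTERVAL = "3600"
DENY_IP_LIMIT = "200"
EOF

# csf_get CONF KEY: print the quoted value of KEY (csf quotes every value).
csf_get() {
    awk -v key="$2" -F'"' '$1 ~ ("^" key "[[:space:]]*=[[:space:]]*$") { print $2; exit }' "$1"
}

# csf_set CONF KEY VALUE: replace KEY's line in place, keeping csf's quoting.
csf_set() {
    _tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        $0 ~ ("^" key "[[:space:]]*=") { print key " = \"" val "\""; next }
        { print }' "$1" >"$_tmp" && mv "$_tmp" "$1"
}

# csf_audit CONF: one "WARN ..." line per finding, nothing when all checks pass.
# The thresholds are this example's policy, not csf's.
csf_audit() {
    use_ipset=$(csf_get "$1" LF_IPSET)
    auth=$(csf_get "$1" LF_SMTPAUTH)
    interval=$(csf_get "$1" LF_INTERVAL)
    limit=$(csf_get "$1" DENY_IP_LIMIT)
    [ "${use_ipset:-0}" = "1" ] || \
        echo "WARN LF_IPSET=${use_ipset:-unset}: every blocked IP is a separate iptables rule; thousands of them get slow"
    [ "${limit:-0}" -ge 1000 ] || \
        echo "WARN DENY_IP_LIMIT=${limit:-unset}: csf.deny drops its oldest entry past this cap, so BFM's list and csf.deny diverge"
    [ "${auth:-0}" -le 5 ] || \
        echo "WARN LF_SMTPAUTH=${auth:-unset} per LF_INTERVAL=${interval:-unset}s: thread suggests 5 failures per 8 hours"
}

# harden CONF: apply the settings discussed in the thread. LF_INTERVAL is shared
# by all lfd login-failure triggers (SSHD, FTPD, ...), not only SMTP AUTH.
harden() {
    csf_set "$1" LF_IPSET 1          # needs the ipset package installed
    csf_set "$1" LF_SMTPAUTH 5
    csf_set "$1" LF_INTERVAL 28800   # 8 hours
    csf_set "$1" DENY_IP_LIMIT 5000  # assumption: affordable once blocks live in an ipset
}

HARDENED=$(mktemp)
cp "$SAMPLE_CONF" "$HARDENED"
harden "$HARDENED"
csf_audit "$SAMPLE_CONF"   # three WARN lines on the sample
csf_audit "$HARDENED"      # prints nothing
```

On a real server point csf_audit at /etc/csf/csf.conf, apply the changes to that file (or through the csf GUI), and restart csf and lfd with `csf -r` so the new values take effect.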
 
Okay, I hope someone can first help me fix the problem with the blocked IPs. I already wrote about this problem in September. :-)
I see there is:
ls -l /root/blocked_ips.txt
-rw-r--r-- 1 root root 150636 Dec 19 12:01 /root/blocked_ips.txt

So I hope we find out where to change a script or setting, and change from /root/blocked_ips.txt to
/etc/csf/csf.deny or /usr/local/src/csf/csf.deny.
 
Looks like it works:
ls -l csf.deny
-rw------- 1 root root 3157 Dec 19 12:51 csf.deny
I see some new items: xx.xx.xx.xx # BFM: exim2=52217 (IR/Iran/-) - Mon Dec 19 12:51:16 2022

I removed these items:
/usr/local/directadmin/scripts/custom/block_ip.sh
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh
/usr/local/directadmin/scripts/custom/show_blocked_ips.sh
/usr/local/directadmin/scripts/custom/unblock_ip.sh
/root/blocked_ips.txt
/root/exempt_ips.txt

But I do not understand; I removed these files before.
 
If you don't serve your product to China, I recommend blocking the country China (CN) with the csf firewall. This can reduce bots/spam. Most spam comes from China.

For mine, I blocked China and Iran, since I don't serve these countries, because most spammers come from these countries.
 