Help needed, Directadmin, CSF not blocking

hmniels

Hello Forum,

I'm at my wit's end here and could really use some help—or at least a nudge in the right direction.

I'm running DirectAdmin on AlmaLinux 8.10 (DirectAdmin version 1.677, CSF v14.24, using the nginx_apache setup). It's a fairly standard DirectAdmin installation with minimal customizations.

The issue:
When CSF blocks an IP, it doesn't always seem to actually enforce the block. In some cases, I get a notification that an IP has been blocked, but the IP is still able to access the server as if nothing happened.

Here's the strange part:
If I trigger a block on my own IP (e.g., through failed login attempts), I get blocked immediately and completely—no access at all. So CSF is working, but seemingly not in all cases.

I'm honestly a bit confused, frustrated, and running out of ideas. Any insights or suggestions would be greatly appreciated.


Thanks,
 
but the IP is still able to access the server as if nothing happened.
In which way do you check this? Because this happens to me also, but only when I'm checking the Apache server-status. But in that case they can't access anymore; they are still connected and stay that way (even with IP block) in the status, until the timeout of their connection.

I don't use Nginx, so I'm curious as to in which way you check that they can still access as they like.
Couldn't it be similar to what I experience in the server-status?
 
Hello,

When CSF blocks an IP, it doesn't always seem to actually enforce the block. In some cases, I get a notification that an IP has been blocked, but the IP is still able to access the server as if nothing happened.

Possible reasons:

1. Spoofed IP
2. CloudFlare, other proxy is used to serve traffic to the site
3. CSF misconfiguration (for example in relation to country allow/block lists)
 
I really appreciate you thinking along with me — thanks for that.

1) So, long story short: I’ve written a bot-scanning script that’s supposed to block malicious bots. But I’m running into a few issues:

2) When I block a bot, it doesn’t stop. Not immediately, not after a few seconds — it just continues its entire run as if nothing happened.
A few hours later, the same bot often comes back, targeting another site on the server and doing the same thing all over again.
This is a fresh CSF install. I even reinstalled it recently to rule out any config issues.

3) Cloudflare? Good point — yes, I’m using Cloudflare. But the IPs I’m seeing aren’t Cloudflare’s.

For example:
52.169.238.212 - - [05/Jun/2025:17:21:14 +0200] "GET /file5.php HTTP/2.0" 301 0 "-" "-"
52.169.238.212 - - [05/Jun/2025:17:21:16 +0200] "GET /file5.php HTTP/2.0" 404 18643 "-" "-"
52.169.238.212 - - [05/Jun/2025:17:21:17 +0200] "GET /adminfuns.php HTTP/2.0" 301 0 "-" "-"
52.169.238.212 - - [05/Jun/2025:17:21:19 +0200] "GET /adminfuns.php HTTP/2.0" 404 18643 "-" "-"
52.169.238.212 - - [05/Jun/2025:17:21:20 +0200] "GET /sitemaps.php HTTP/2.0" 301 0 "-" "-"

That IP is definitely in my csf.deny list, yet it still gets through.

Could it be the nginx_apache config, could it be Cloudflare, any other hints or clues?
And despite all the things that I have mentioned above, when I trigger the script - and get blocked - I simply get blocked.

Thanks
 
Whenever you use CloudFlare, all connections arrive from CloudFlare's IPs, though you see other IPs in the logs (that's nginx's realip_module "magic"). It means you cannot deny the bots' IPs in the server's firewall. You will need to block the IP either in NGINX or on CloudFlare's side.
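The following is an added example, not part of the reply above and not code from CSF or DirectAdmin. It shows which layer can actually enforce a block for each denied address. It assumes the nginx access log has been extended with ` peer=$realip_remote_addr` (the TCP peer address before realip rewrites the client address). The log lines and deny entries are constructed, and the Cloudflare range list is a subset.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]
# Assumed log_format: combined, plus ' peer=$realip_remote_addr' at the end.
LINE = re.compile(r'^(?P<client>\S+) .* peer=(?P<peer>\S+)$')
# Constructed sample data: one IP from the thread, the rest documentation ranges.
SAMPLE_DENY = "52.169.238.212 # bot scan\n198.51.100.23 # failed logins\n"
SAMPLE_LOG = [
    '52.169.238.212 - - [05/Jun/2025:17:21:14 +0200] "GET /file5.php HTTP/2.0" 301 0 "-" "-" peer=172.70.80.15',
    '198.51.100.23 - - [05/Jun/2025:17:22:01 +0200] "POST /login HTTP/1.1" 200 512 "-" "-" peer=198.51.100.23',
    '203.0.113.9 - - [05/Jun/2025:17:23:40 +0200] "GET / HTTP/2.0" 200 4096 "-" "-" peer=172.70.80.15',
]

def parse_deny(text):
    """Return plain IP/CIDR entries of a csf.deny-style file as networks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and "|" not in entry:      # skip advanced port/protocol rules
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def where_to_block(log_lines, deny_nets):
    """Map each denied client in the log to the layer that can enforce a block."""
    result = {}
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        client = ipaddress.ip_address(m["client"])
        peer = ipaddress.ip_address(m["peer"])
        if not any(client in net for net in deny_nets):
            continue
        if peer == client:
            layer = "firewall"        # direct TCP connection: csf.deny can match
        elif any(peer in net for net in CLOUDFLARE_V4):
            layer = "cloudflare-or-webserver"  # firewall only sees Cloudflare
        else:
            layer = "other-proxy"
        result.setdefault(str(client), set()).add(layer)
    return result

if __name__ == "__main__":
    print(where_to_block(SAMPLE_LOG, parse_deny(SAMPLE_DENY)))
```

A denied address reported as `cloudflare-or-webserver` never appears as a packet source on the server, so a firewall rule for it cannot match; only a layer that evaluates the rewritten client address can refuse it.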
 
So I do understand the whole Cloudflare concept, proxy addresses, and so on.
What I simply don’t get is this: if I block the IP manually via .htaccess, it actually works.
(deny from 52.169.238.212)
And the requests all get 403.
 