IP listed in CSF blocklist, but isn't blocked at all.

BBM
I have a persistent hack server hammering the WordPress installs on my server.
The IP (93.174.93.61) is listed in CSF; I even marked it 'do not delete', but the IP is not blocked at all: for a day now I've noticed in BFM that this IP has made over 10k hack attempts.

In csf.deny:
Code:
93.174.93.61 # do not delete

In BFM (various entries):
Code:
A brute force attack has been detected in one of your service logs.

IP 93.174.93.61 has 1930 failed login attempts: wordpress2=1930

I also noticed BFM has tried to add the IP to CSF, but it was already there, and CSF doesn't seem to block it at all.

Code:
2015:01:18-03:54:07: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421549642&last_notify=1421549646&wordpress2=511'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-04:54:07: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421553241&last_notify=1421553246&wordpress2=691'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-05:54:07: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421556841&last_notify=1421556847&wordpress2=863'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-06:55:08: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421560501&last_notify=1421560507&wordpress2=1003'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-07:55:08: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421564101&last_notify=1421564108&wordpress2=1168'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-08:57:08: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421567821&last_notify=1421567827&wordpress2=1342'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-09:57:08: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421571421&last_notify=1421571427&wordpress2=1508'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-10:57:09: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421575021&last_notify=1421575028&wordpress2=1664'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-11:57:10: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421578621&last_notify=1421578629&wordpress2=1801'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
2015:01:18-12:57:22: Brute Force error (93.174.93.61, 'first_entry=1421538421&last_entry=1421582221&last_notify=1421582242&wordpress2=1930'): Script output: [WARNING] The IP 93.174.93.61 is already blocked:csf.deny: 93.174.93.61 # WP
Anyone have a clue why CSF doesn't block it? Is my CSF not working properly (maybe since I coupled BFM to CSF)?
Haven't checked much further yet whether other IPs are blocked or not, but I'm doubtful now.
 
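The log excerpt above carries a signal that is worth automating: every "already blocked" warning also reports the service counter (wordpress2=511, 691, 863, ...), and that counter keeps climbing between notifications, which cannot happen if the deny rule is actually dropping the packets. The following script is an added example, not part of this thread and not code from CSF or BFM. It parses lines in the format shown above and flags any IP that lfd reports as already blocked while its attempt counter still rises. The sample lines are constructed and use documentation IP addresses; the path of the log file holding your BFM error lines is an assumption you supply.

```shell
#!/bin/sh
# Added example, not from the forum thread. Detects "already blocked" IPs whose
# failed-login counter still rises between BFM notifications: a deny entry that
# exists in csf.deny but is not enforced by the loaded iptables rules.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed sample lines in the format the thread shows (documentation IPs).
# 198.51.100.7 keeps climbing (511 -> 863); 203.0.113.9 stays at 40.
cat > "$SAMPLE_LOG" <<'EOF'
2015:01:18-03:54:07: Brute Force error (198.51.100.7, 'first_entry=1421538421&last_entry=1421549642&last_notify=1421549646&wordpress2=511'): Script output: [WARNING] The IP 198.51.100.7 is already blocked:csf.deny: 198.51.100.7 # WP
2015:01:18-04:54:07: Brute Force error (198.51.100.7, 'first_entry=1421538421&last_entry=1421553241&last_notify=1421553246&wordpress2=691'): Script output: [WARNING] The IP 198.51.100.7 is already blocked:csf.deny: 198.51.100.7 # WP
2015:01:18-05:54:07: Brute Force error (198.51.100.7, 'first_entry=1421538421&last_entry=1421556841&last_notify=1421556847&wordpress2=863'): Script output: [WARNING] The IP 198.51.100.7 is already blocked:csf.deny: 198.51.100.7 # WP
2015:01:18-05:54:07: Brute Force error (203.0.113.9, 'first_entry=1421538421&last_entry=1421556841&last_notify=1421556847&ssh=40'): Script output: [WARNING] The IP 203.0.113.9 is already blocked:csf.deny: 203.0.113.9 # ssh
2015:01:18-06:55:08: Brute Force error (203.0.113.9, 'first_entry=1421538421&last_entry=1421556841&last_notify=1421560507&ssh=40'): Script output: [WARNING] The IP 203.0.113.9 is already blocked:csf.deny: 203.0.113.9 # ssh
EOF

# Print "ip last_notify total" for each "already blocked" line. The total sums
# every service counter that follows last_notify (wordpress2=511&ssh=3 would
# give 514), so it does not depend on which service was attacked.
already_blocked_counts() {
    grep 'is already blocked' "$1" \
      | sed -nE 's/^.*error \(([0-9.]+), .*last_notify=([0-9]+)&([[:alnum:]_=&]+).*$/\1 \2 \3/p' \
      | awk '{
            n = split($3, kv, "&"); total = 0
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); total += p[2] }
            print $1, $2, total
        }'
}

# One line per IP: "<ip> LEAKING <attempts added since the first 'already
# blocked' notice>" or "<ip> quiet" when the counter never moved.
detect_unenforced_blocks() {
    already_blocked_counts "$1" | sort -k1,1 -k2,2n | awk '
        {
            ip = $1; count = $3
            if (!(ip in first)) { first[ip] = count }
            last[ip] = count
        }
        END {
            for (ip in first) {
                delta = last[ip] - first[ip]
                if (delta > 0) { printf "%s LEAKING %d\n", ip, delta }
                else           { printf "%s quiet\n", ip }
            }
        }' | sort
}

# Only the leaking IPs, one per line; empty output means every block holds.
leaking_ips() {
    detect_unenforced_blocks "$1" | awk '$2 == "LEAKING" { print $1 }'
}

echo "Blocked IPs and whether their counters still rise (constructed sample):"
detect_unenforced_blocks "$SAMPLE_LOG"
```

Run it from cron against the real log and alert on non-empty output from `leaking_ips`; a leaking IP means the firewall, not BFM, is the component to inspect.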
Thanks for your quick reply, Zeiter.

Code:
# csf -g 93.174.93.61

Chain            num   pkts bytes target     prot opt in     out     source               destination         
DENYIN           284      8   480 DROP       all  --  !lo    *       93.174.93.61         0.0.0.0/0
DENYOUT          284      0     0 DROP       all  --  *      !lo     0.0.0.0/0            93.174.93.61

ip6tables:
Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 93.174.93.61 in ip6tables

csf.deny: 93.174.93.61 # do not delete


I *think* I have broken CSF when I 'coupled' BFM with CSF yesterday, as I'm now also seeing countries in the access logs that I had blocked long before, but I can't find any errors about this.
 
I see 8 incoming packets from 93.174.93.61 were blocked.
Is FAST RESTART enabled in CSF on your server?

I see one attempt is logged every hour, as if your rules are reset/reloaded every hour. Probably the attempts were made during a firewall restart. What do you have in cron? What are the BFM settings?
 
FASTSTART=1 in CSF, is that what you mean?

I have 2 cron jobs present under Admin: one runs once every day for hosting and the other runs every 2 days creating a VPS snapshot.
Root cron has 2 hourly jobs: 0anacron and mcelog.
I indeed didn't notice that this particular IP is noted every hour, but I just grepped the IP from the log. There are other IPs in between as well.

Added a screenshot of the BFM admin settings.
 

Attachment: bfm.png (screenshot of the BFM admin settings)
It seems like iptables has 'taken over' the firewall, or at least a part of it, although I'm still getting mail messages that CSF is blocking port scans and FTP attempts.

I noticed this post from Richard in another topic, which might be what happened in my case.
 
What do you see with

Code:
chkconfig iptables --list
ls -la /etc/init.d/ip*tables*
?

Try to disable it:

Code:
chkconfig iptables off
chkconfig ip6tables off

You could even run this to disable iptables init script:

Code:
mv /etc/init.d/iptables /etc/init.d/iptables~moved
echo -e '#!/bin/bash\nexit 0;' > /etc/init.d/iptables
chmod 755 /etc/init.d/iptables
 
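Before moving the init script aside, it helps to confirm both halves of the diagnosis: that the addresses in csf.deny are really present as DROP rules in CSF's DENYIN chain (the csf -g output earlier in the thread shows this for a single IP), and that a stock iptables init service is enabled at the multi-user runlevels, where it can replace CSF's rule set. The script below is an added example, not from the thread and not part of CSF or DirectAdmin. It runs both checks against saved command output, using constructed sample files, so it needs no root; the path /etc/csf/csf.deny and the commands `iptables -nL DENYIN` and `chkconfig --list iptables` are my assumptions about where to obtain live input.

```shell
#!/bin/sh
# Added example, not from the forum thread. Two checks to run before touching
# the init scripts: (1) every csf.deny entry has a DROP rule in the DENYIN
# chain, (2) no stock iptables init service is enabled to overwrite CSF's rules.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample csf.deny in csf's "address # comment" format.
cat > "$WORK/csf.deny" <<'EOF'
# constructed sample, not a real csf.deny
93.174.93.61 # do not delete
198.51.100.7 # WP
203.0.113.0/24 # scanner range
EOF

# Constructed sample of `iptables -nL DENYIN`; the second entry was never loaded.
cat > "$WORK/denyin.txt" <<'EOF'
Chain DENYIN (1 references)
target     prot opt source               destination
DROP       all  --  93.174.93.61         0.0.0.0/0
DROP       all  --  203.0.113.0/24       0.0.0.0/0
EOF

# Sample `chkconfig --list iptables` line in the format the thread shows.
CHKCONFIG_LINE='iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off'

# Addresses and CIDR ranges from a csf.deny file, comments and blanks removed.
csf_deny_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
      | grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'
}

# Source addresses that carry a DROP target in saved `iptables -nL DENYIN` output.
denyin_drop_sources() {
    awk '$1 == "DROP" { print $4 }' "$1"
}

# Print csf.deny entries with no DROP rule. Exit 0 if all enforced, 1 otherwise.
unenforced_denies() {
    missing=0
    for entry in $(csf_deny_entries "$1"); do
        if ! denyin_drop_sources "$2" | grep -qxF "$entry"; then
            echo "$entry"
            missing=1
        fi
    done
    return $missing
}

# Runlevels at which the service is "on", from one `chkconfig --list` line.
chkconfig_on_levels() {
    echo "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            split($i, p, ":")
            if (p[2] == "on") printf "%s%s", (out++ ? " " : ""), p[1]
        }
        print ""
    }'
}

# Exit 0 when the iptables init service is enabled at a multi-user runlevel
# (2-5), i.e. it will run at boot or on `service iptables restart` and replace
# the rules CSF loaded. Exit 1 when it is off everywhere that matters.
iptables_service_conflicts() {
    for lvl in $(chkconfig_on_levels "$1"); do
        case $lvl in 2|3|4|5) return 0 ;; esac
    done
    return 1
}

if unenforced_denies "$WORK/csf.deny" "$WORK/denyin.txt" > "$WORK/missing"; then
    echo "all csf.deny entries have a DROP rule"
else
    echo "csf.deny entries with no DROP rule (reload with csf -r, then re-check):"
    cat "$WORK/missing"
fi
if iptables_service_conflicts "$CHKCONFIG_LINE"; then
    echo "iptables init service is on at runlevels $(chkconfig_on_levels "$CHKCONFIG_LINE"): it can overwrite CSF's rules"
fi
```

The first check is what csf -g does for one address, applied to the whole deny list; the second turns the chkconfig output into a yes/no answer so the conflict is not missed when the list is long.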
Code:
# ls -la /etc/init.d/ip*tables*
-rwxr-xr-x 1 root root 10804 Oct 15 16:30 /etc/init.d/ip6tables
-rwxr-xr-x 1 root root  9898 Jan 17 23:49 /etc/init.d/iptables
-rwxr-xr-x 1 root root 10688 Oct 15 16:30 /etc/init.d/iptables.backup

I'm not quite sure yet, but I think the problem is already solved as I don't see the above IP anymore in BFM messages.

Earlier, the command
Code:
# iptables -L
gave a very short list of items. But now it shows all the rules that are also in CSF.
I followed Richard's tip in the other topic by restarting csf again with csf -r; this seemed to do the trick.
I also don't see any attempts from denied countries anymore.
 
You should probably still disable iptables. I'm just wondering how iptables was reset on your server.

What do you see with

Code:
grep iptables /usr/local/directadmin/scripts/custom/* -c
?
 
EDIT:
I noticed I forgot an earlier command you asked for:
Code:
chkconfig iptables --list
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off


--
Code:
# grep iptables /usr/local/directadmin/scripts/custom/* -c
/usr/local/directadmin/scripts/custom/block_ip.sh:0
/usr/local/directadmin/scripts/custom/brute_force_notice_ip.sh:0
/usr/local/directadmin/scripts/custom/README:0
/usr/local/directadmin/scripts/custom/show_blocked_ips.sh:0
/usr/local/directadmin/scripts/custom/unblock_ip.sh:0

(block_ip.sh is Version: 0.1.2)
 
I disabled iptables after my previous post, checked what happened, and all seemed fine, so I left it disabled.
BFM still blocks IPs in CSF, so all seems fine here too.
Thanks for the help!
 