Why does CSF not block brute-force IP address connections?

patrickkasie (Verified User, joined Sep 21, 2021, 241 messages, location: Een echte Hollander)
Dear DirectAdmin forums,

I'm not entirely sure how CSF works. Is it supposed to still let incoming connections through and then block requests? I am not sure how to best ask my question, which is probably what I need help with the most. Anyway, I've written down an entire range of IP addresses to block access to our server, but it's still adding new IP addresses to the list within said range. Did I make a syntactically correct record or did I make a user error? Why are there still new records coming in and mails being sent to my inbox that these brute-force attacks are still happening?

The following records are in my /etc/csf/csf.deny file

# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
46.148.40.0/24 # do not delete
46.148.40.186 # BFM: exim2=123 (IR/Iran/-) - Wed Sep 27 22:08:56 2023
46.148.40.185 # BFM: exim2=123 (IR/Iran/-) - Wed Sep 27 22:10:56 2023
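As an added example (not code from the thread or from the CSF project): a small Python audit of a csf.deny excerpt that checks each entry's syntax, which the post above asks about, and flags single-address entries that a broader CIDR in the same file already covers (they add no coverage but still count towards CSF's DENY_IP_LIMIT). The sample file content is constructed from the lines shown above plus two extra entries, one of them deliberately malformed.

```python
import ipaddress

# Constructed csf.deny excerpt: the three lines from the post plus two added test lines.
SAMPLE_DENY = """\
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
46.148.40.0/24 # do not delete
46.148.40.186 # BFM: exim2=123 (IR/Iran/-) - Wed Sep 27 22:08:56 2023
46.148.40.185 # BFM: exim2=123 (IR/Iran/-) - Wed Sep 27 22:10:56 2023
203.0.113.7
46.148.40.999 # constructed malformed entry
"""

def parse_deny(text):
    """Return (entries, errors). Each entry is (network, comment, line_no).
    A line is 'address-or-CIDR [# comment]'; blank and comment-only lines are skipped."""
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        body = body.strip()
        if not body:
            continue  # blank line or a pure comment such as the file header
        try:
            # strict=False masks off host bits in a CIDR instead of rejecting the line
            net = ipaddress.ip_network(body, strict=False)
        except ValueError as exc:
            errors.append((line_no, body, str(exc)))
            continue
        entries.append((net, comment.strip(), line_no))
    return entries, errors

def redundant_entries(entries):
    """Entries already contained in a broader network elsewhere in the file."""
    out = []
    for net, _, line_no in entries:
        for other, _, _ in entries:
            if (other is not net and other.version == net.version
                    and other.prefixlen < net.prefixlen and net.subnet_of(other)):
                out.append((str(net), str(other), line_no))
                break
    return out

def is_denied(entries, ip):
    """True if the address falls inside any network listed in the file."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net, _, _ in entries)

if __name__ == "__main__":
    ents, errs = parse_deny(SAMPLE_DENY)
    print("bad lines:", errs)
    print("redundant:", redundant_entries(ents))
```

Run it against the real file with `parse_deny(open("/etc/csf/csf.deny").read())`; a long list of redundant /32 lines is a sign lfd keeps adding hosts from a range you have already denied as a block.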
 
In my case, when I add an IP (range) directly to the file and restart CSF, it shows that it has the IP in the blocklist and doesn't block it (because it's already in the list), but it doesn't block connections either.
So when I remove the IP (range) from the file and block it via the GUI or from the console, it works as it should.
So just remove it from the file and block it with:
csf -d 46.148.40.0/24
 
csf -d 46.148.40.0/24
deny failed: 46.148.40.0/24 is in already in the deny file /etc/csf/csf.deny 1 times
Block the ASN or country then (use IPSET).
iptables -L | grep "46.148.40"
DROP all -- 46.148.40.0/24 anywhere
DROP all -- 46.148.40.186 anywhere
DROP all -- 46.148.40.185 anywhere
DROP all -- 46.148.40.58 anywhere

It's already in those lists, most likely put there by CSF.
 
That's why I told you to remove the IP first. Also activate IPSET, because iptables will work slower and use more resources.
 
I've removed the IP address from CSF in the GUI in CustomBuild 2
csf -r
csf -d 46.148.40.0/24
Adding 46.148.40.0/24 to csf.deny and iptables DROP...
DROP all opt -- in !lo out * 46.148.40.0/24 -> 0.0.0.0/0
LOGDROPOUT all opt -- in * out !lo 0.0.0.0/0 -> 46.148.40.0/24
csf -r

I don't know anything about IPSET, so I've used the following configuration: https://wiki.archlinux.org/title/Ipset
ipset create myset hash:net
ipset add myset 46.148.40.0/24
iptables -I INPUT -m set --match-set myset src -j DROP
csf -r | grep 46.148.40
-no results-

There was no output or anything. Now we wait.
 
ipset add myset 46.148.40.0/24
You don't need to do that; csf will do that for you.
Just install ipset and activate it in the /etc/csf.conf file:
LF_IPSET = "1"

You can then also raise the number of blocked IPs:
DENY_IP_LIMIT = "10000"
for example.

Then what the others meant was:
csf -dr 46.148.40.0/24
csf -dr 46.148.40.186
csf -dr 46.148.40.185

and then:
csf -d 46.148.40.0/24 # do not delete

So remove your ipset stuff, your myset and clear your ipset.
Then make the changes to csf.conf as needed and then restart csf and lfd and ipset will work automatically.
 
I had already raised the DENY_IP_LIMIT to 600, up from 200, but by then, on that specific server where I tested this, this network stopped attacking that server and instead hopped to another server that's currently getting the same treatment.
I've set LF_IPSET = 1 now and saved the changes in the GUI.
csf -r
csf -dr 46.148.40.0/24
Removing rule...
csf: IPSET deleting [46.148.40.0/24] from set [chain_DENY]
csf -d 46.148.40.0/24
Adding 46.148.40.0/24 to csf.deny and iptables DROP...
csf: IPSET adding [46.148.40.0/24] to set [chain_DENY]
csf -r | grep 46.148.40
-no results-
 
What is the size of the server? Setting at 600 seems pretty low. With IPSET you should be able to go much higher without much lag.
 
What @BillyS says. I always started with 2000, even on 32 GB RAM servers. You can easily go to 10K there; it doesn't even use 1 MB.

And csf -r is the restart command. Try like this:
csf -g 46.148.40

There is also a command to check the ipset block list. ;)
 
To answer your question Billy, it's not a half-decent server, it's actually a pretty beefy one. But still. That's just a temporary solution to make sure that all IP addresses in the network will be logged; I just want the permanent solution by CSF to work, but it just refuses to put a wall between the network and our servers. Not because I want to limit the server in any way, shape or form, I just want the structural solution to do its work. Needing more than 200 just for one network to not get in seems like moving the problem to a later moment.

And csf -r is the restart command. Try like this:
Code:
csf -g 46.148.40.0/24

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 46.148.40.0/24 in iptables


IPSET: Set:chain_DENY Match:46.148.40.0/24 Setting: File:/etc/csf/csf.deny


ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 46.148.40.0/24 in ip6tables

csf.deny: 46.148.40.0/24 # Manually denied: 46.148.40.0/24 (IR/Iran/-) - Thu Sep 28 13:52:08 2023
My assumption was that it'd show the rules during the restart. I was wrong about that, thank you for correcting me.
 
Here is a similar situation (I think). CSF is a very well tested solution.

 
Thank you guys for the responses. However, after activating LF_IPSET, increasing the DENY_IP_LIMIT to 2000 and restarting all services, I performed the following command:
Code:
csf -dr 46.148.40.0/24 || echo "IP niet gevonden" ; csf -d 46.148.40.0/24 # do not delete || echo "IP niet toegevoegd" ; csf -g 46.148.40.0/24
(I'm a fan of inline commands so I don't have to tap the up key multiple times.)

This seems to have blocked all incoming connections from said IP range.

P.S. The # do not delete part in the command `csf -d 46.148.40.0/24 # do not delete`, even when used separately, does not get added at the end ;)
 
does not get added at the end ;)
Yes, because you are commenting out the comment with a # character, and csf will add that itself. The correct command is:
csf -d, --deny ip [comment]
as it says in the docs.

So try like this, remove first:
csf -dr 46.148.40.0/24
and then add again with the comment like this:
csf -d 46.148.40.0/24 do not delete

After that the "do not delete" part will be visible in the csf.deny file, I tested it for you to be sure.
 