Search found 74 matches

by aww+
16 Sep 2017, 15:02
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

Re: watching an ip get through a CIDR block in CSF 10.25

Ah okay, I see the perm deny does already use IPSET, so any includes would go into that block and the IP limit can be raised very high. The temp ban still uses the conventional method and 1000 is the recommended max; I can live with that, works great. A truncation warning for too many in csf.deny +includes on st...
by aww+
16 Sep 2017, 14:51
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

Re: watching an ip get through a CIDR block in CSF 10.25

That usually happens if you are using a proxy service such as Cloudflare which will effectively remove the source IP from the OS. No reverse proxies in use, but I finally figured this out, I think. Still monitoring for results, but the logic seems right. I stupidly forgot that using "Include"...
by aww+
16 Sep 2017, 11:31
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

Re: watching an ip get through a CIDR block in CSF 10.25

Okay, I've eliminated nginx and php as any possible source of a spoofing problem.

Bad behavior is back with a new IP,

and the new IP is still punching right through the firewall rule block.

This makes zero sense to me, how this is happening and why I cannot see that IP in netstat.
by aww+
15 Sep 2017, 20:16
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

Re: watching an ip get through a CIDR block in CSF 10.25

Starting to wonder if this is a security bug/hole with an older nginx version that is allowing IPs to be spoofed, because I've been watching netstat and never saw the reported IP appear on the server.

Will monitor further and report if this is my fault (or not).
by aww+
15 Sep 2017, 19:37
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

Re: watching an ip get through a CIDR block in CSF 10.25

csf --grep x.x.x.x does show that the IP ends up with a permanent block from csf.deny, yet they are still on the server:

csf --grep 12.34.56.78
Chain    num  pkts  bytes  target      prot  opt  in   out  source       destination
DENYIN   2    0     0      DROP        all   --   !lo  *    12.34.56.78  0.0.0.0/0
DENYOUT  1    0     0      LOGDROPOUT  all   --   *    !lo  0.0....
by aww+
15 Sep 2017, 19:27
Forum: General Discussion (csf)
Topic: watching an ip get through a CIDR block in CSF 10.25
Replies: 7
Views: 5022

watching an ip get through a CIDR block in CSF 10.25

So I am currently watching an IP address in the middle of a csf.deny CIDR block access the webserver. Newest csf (10.24 upgraded to 10.25, no change), restarted csf, control panel reports everything is fine. How is this even possible, and where do I even begin to diagnose what has gone very wrong? The ma...
by aww+
17 Jun 2016, 19:00
Forum: Suggestions (csf)
Topic: feature idea: restrict port access by ASN not just CC
Replies: 4
Views: 5164

Re: feature idea: restrict port access by ASN not just CC

ForumAdmin wrote: This was implemented in csf v8.12 :)

"Additional Feature: Added support for listing ASNs in all Country Code (CC_*) options"
Actually, could you give an example of how this should be formatted?

Is it simply

CC_ALLOW = "AS1234"

???
by aww+
29 May 2016, 13:25
Forum: Suggestions (csf)
Topic: feature idea: restrict port access by ASN not just CC
Replies: 4
Views: 5164

Re: feature idea: restrict port access by ASN not just CC

Oh wow I completely missed that. Awesome, thanks.

The downside of simply copying a csf.conf from one install to another.
by aww+
28 May 2016, 09:50
Forum: Suggestions (csf)
Topic: feature idea: restrict port access by ASN not just CC
Replies: 4
Views: 5164

feature idea: restrict port access by ASN not just CC

I was thinking how the limit port access by CC was useful, but so large it might be more dangerous than it needs to be (on systems where port knocking just doesn't seem to work). But MaxMind also has an ASN database (GeoLite ASN) that is updated monthly, so it should be accurate enough. So could it be pos...
by aww+
28 Sep 2015, 19:59
Forum: General Discussion (csf)
Topic: ipset v6.19: Sets cannot be swapped: the second set does not exist
Replies: 2
Views: 3464

Re: ipset v6.19: Sets cannot be swapped: the second set does not exist

It would be nice if CSF didn't have to be restarted to load a new set.

Even with the fast restart feature, with very large sets it can take a while and leaves the server vulnerable (and causes a heavy load).

Maybe a future feature for LFD would be to create the set if it fails to swap?