Blocked IPs still turn up in access logs

JosKlever
Junior Member
Posts: 2
Joined: 12 Oct 2021, 13:55

Blocked IPs still turn up in access logs

Post by JosKlever »

I'm using a file with IP addresses and ranges as a permanent block list. When I search for an abusive IP address (5.188.62.76) in CSF I see that it's blocked by 5.188.62.0/24 resulting in the following output:

Code:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         

filter DENYIN           37291     0     0 DROP       all  --  !lo    *       5.188.62.0/24        0.0.0.0/0

filter DENYOUT          37291     0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            5.188.62.0/24


ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for 5.188.62.76 in ip6tables

Permanent Blocks (csf.deny): 5.188.62.0/24
However, this IP is still showing up in access logs attempting to do malicious things. This IP is just an example and it's happening with many more. And not just in the access logs, but also in Exim or other logs. Can someone explain this to me and help figure out how this can happen?

I'm using a dedicated server with AlmaLinux 8.4, DirectAdmin 1.62.9, OpenLiteSpeed 1.7.14, CSF 14.11.
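
The cross-check described in this post, as an added example that is not part of the original thread or of CSF itself: it lists which client IPs in an access log are covered by a plain IP or CIDR entry of a csf.deny-style list. The deny and log samples are constructed, the function names are hypothetical, and pipe-separated advanced rules are assumed out of scope and skipped.

```python
import ipaddress
from collections import Counter

# Constructed csf.deny-style sample: one IP or CIDR per line, "#" comments.
DENY_SAMPLE = """\
# permanent blocks
5.188.62.0/24 # range from the thread
203.0.113.7
tcp|in|d=25|s=198.51.100.0/24
"""

# Constructed access-log lines; the client IP is assumed to be the first field.
LOG_SAMPLE = """\
5.188.62.76 - - [12/Oct/2021:13:40:01 +0200] "POST /login HTTP/1.1" 403 199
192.0.2.10 - - [12/Oct/2021:13:40:02 +0200] "GET / HTTP/1.1" 200 5120
5.188.62.76 - - [12/Oct/2021:13:40:05 +0200] "POST /login HTTP/1.1" 403 199
203.0.113.7 - - [12/Oct/2021:13:41:00 +0200] "GET /admin HTTP/1.1" 404 150
"""

def parse_deny(text):
    """Return networks for the plain IP/CIDR entries of a deny list."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry or "|" in entry:  # blank, comment, or advanced rule
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # anything else that is not an address
    return nets

def blocked_ips_in_log(log_text, nets):
    """Map each logged client IP covered by a deny entry to (entry, hits)."""
    hits = Counter(ln.split()[0] for ln in log_text.splitlines() if ln.strip())
    found = {}
    for ip_text, count in hits.items():
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # first field is not an IP (malformed line)
        for net in nets:
            if ip in net:
                found[ip_text] = (str(net), count)
                break
    return found

if __name__ == "__main__":
    result = blocked_ips_in_log(LOG_SAMPLE, parse_deny(DENY_SAMPLE))
    for ip, (entry, n) in result.items():
        print(f"{ip} logged {n}x although covered by {entry}")
```

A non-empty result means the logged client address itself is covered by the list, which is worth comparing with the pkts counter of the matching DENYIN rule (0 in the output quoted above).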
Sergio
Junior Member
Posts: 1486
Joined: 12 Dec 2006, 14:56

Re: Blocked IPs still turn up in access logs

Post by Sergio »

Remember that CSF is a software firewall, so any IP, blocked or not, will connect to the server, and depending on whether it is blacklisted it will be denied any access, but the log will save that connection.

With a hardware firewall it is a different thing: blocked IPs will never get to your server, as the IP will be blocked before it enters your server.
JosKlever
Junior Member
Posts: 2
Joined: 12 Oct 2021, 13:55

Re: Blocked IPs still turn up in access logs

Post by JosKlever »

What route does a request take? Is OLS accepting the request, then calling CSF to check it and block the request if applicable? Or does CSF check the request first before it reaches OLS? Same for other services, of course...
Sergio
Junior Member
Posts: 1486
Joined: 12 Dec 2006, 14:56

Re: Blocked IPs still turn up in access logs

Post by Sergio »

On the different OSes that CSF works on, the OP receives the IP connection and logs it, then the IP is passed to CSF, and CSF checks whether it is blocked or not.

If the IP is granted to continue, then the other suites of CSF software will be checking what the IP does and trigger any option that CSF is configured to block.