Issue with the alert emails being sent by csf

Posted: 30 Oct 2020, 11:57
by Linuxlover
Hello,

I have a cPanel/WHM server with csf installed on it. I have csf configured to automatically report abusive IP addresses to the AbuseIPDB blacklist. It works fine; however, when I receive the email csf sends, the blocked IP address has the wrong country. For example, csf just sent me this:

194.87.138.228 (RU/Russia/-) is blocked for a portscan; however, in this case Russia should be Germany.

This could be a bug (it's not the first time I have noticed this), or csf is innocent and my configuration is wrong somewhere.

Re: Issue with the alert emails being sent by csf

Posted: 30 Oct 2020, 16:09
by ForumAdmin
Sounds like out of date country code data.
  • Which csf option are you using to send a report?
  • What is the full line in csf.deny and lfd.log for the block?
What are the following set to:
  • CC_LOOKUPS
  • CC_SRC
  • What are the dates on the files in /var/lib/csf/Geo/?

Re: Issue with the alert emails being sent by csf

Posted: 30 Oct 2020, 20:58
by Linuxlover
Hello,
  • PS_LIMIT
  • *Port Scan* detected from 194.87.138.228 (RU/Russia/-). 11 hits in the last 250 seconds. I use temp blocks.
  • CC_LOOKUPS = 1
  • CC_SRC = 1
  • The dates in /var/lib/csf/Geo are reasonably recent; the oldest is 18 October 2020.
Regarding CC_SRC, I did read your notice that MaxMind now requires an API key. I got one, and csf does retrieve that database:
Oct 30 10:58:16 lfd[23861]: CCL: Retrieving MaxMind Country database [http://download.maxmind.com/app/geoip_d ... xxxxxxxxxx]
I also have a geoipupdate cron job that runs every day.

Re: Issue with the alert emails being sent by csf

Posted: 03 Nov 2020, 11:42
by Linuxlover
The problem is still there. I forced a redownload of the MaxMind databases by deleting the corresponding files in /var/lib/csf/Geo, but it didn't help: it does download the databases but reports the wrong country sometimes, not always.

Re: Issue with the alert emails being sent by csf

Posted: 03 Nov 2020, 12:26
by ForumAdmin
I just checked the MaxMind database and it is a problem with their data:

This is their range match:
194.87.128.0/18,2017370,2017370,,0,0

This is their country match:
2017370,en,EU,Europe,RU,Russia,0

Which is why Country Code to IP address matching can be unreliable.

I'd suggest switching to:
CC_SRC = "2"

Then restart csf and then lfd and check the lfd.log for completion of the CCL files. They appear to report that IP correctly:

# csf -i 194.87.138.228
194.87.138.228 (DE/Germany/North Rhine-Westphalia/Düsseldorf/-/[AS24961 MYLOC-AS])

Re: Issue with the alert emails being sent by csf

Posted: 03 Nov 2020, 19:03
by Linuxlover
Hello,

OK, I'll change that csf setting, and in the meantime I'll go complain to MaxMind :-) Thank you.

Re: Issue with the alert emails being sent by csf

Posted: 09 Nov 2020, 12:35
by Linuxlover
Hello,

The problem is still there even after setting CC_SRC = "2". csf emails me that 194.26.25.126 is blocked and reports that IP as (US/United States/California/Los Angeles/-); however, that should be (RU/Russia/Moscow/-).

Re: Issue with the alert emails being sent by csf

Posted: 09 Nov 2020, 15:17
by ForumAdmin
That is again down to the source files. It is why there is a warning about relying on Country Codes in csf and the inherent inaccuracy of Geolocation by IP address. There is nothing at all that we can do to help with third party provided resources:

194.26.25.0,194.26.25.255,NA,US,California,"Los Angeles",34.0522,-118.244
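The two lookup formats compared in this thread, as an added Python example that is not csf's, MaxMind's or DB-IP's own code: the column layouts of the blocks/locations CSV pair (CC_SRC = "1") and the start/end range CSV (CC_SRC = "2") are assumed from the rows ForumAdmin quoted, and the sample rows are constructed from those quotes. It shows why a single coarse record decides the country for every host in its range, and reports the prefix length so a reviewer can judge how coarse the match was.

```python
import csv
import io
import ipaddress

# Constructed sample rows, copied from the ones quoted in the thread.
# Column layouts are assumptions based on those rows:
#   MaxMind-style (CC_SRC = "1"): blocks file "network,geoname_id,..." and
#   locations file "geoname_id,locale,continent_code,continent_name,
#   country_iso_code,country_name,..."
#   DB-IP-style (CC_SRC = "2"): "ip_start,ip_end,continent,country,region,city,lat,lon"
MAXMIND_BLOCKS = "194.87.128.0/18,2017370,2017370,,0,0\n"
MAXMIND_LOCATIONS = "2017370,en,EU,Europe,RU,Russia,0\n"
DBIP_RANGES = '194.26.25.0,194.26.25.255,NA,US,California,"Los Angeles",34.0522,-118.244\n'


def lookup_maxmind(ip, blocks_csv, locations_csv):
    """Longest-prefix match in the blocks file, then resolve geoname_id via the
    locations file. Returns (country_code, country_name, prefixlen) or None."""
    addr = ipaddress.ip_address(ip)
    locations = {r[0]: (r[4], r[5]) for r in csv.reader(io.StringIO(locations_csv)) if r}
    best = None  # (network, geoname_id) of the most specific covering block
    for row in csv.reader(io.StringIO(blocks_csv)):
        if not row:
            continue
        net = ipaddress.ip_network(row[0], strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row[1])
    if best is None or best[1] not in locations:
        return None
    code, name = locations[best[1]]
    return code, name, best[0].prefixlen


def lookup_dbip(ip, ranges_csv):
    """Linear range match in a start,end,... file. Returns (country_code, region) or None."""
    addr = ipaddress.ip_address(ip)
    for row in csv.reader(io.StringIO(ranges_csv)):
        if not row:
            continue
        if ipaddress.ip_address(row[0]) <= addr <= ipaddress.ip_address(row[1]):
            return row[3], row[4]
    return None


if __name__ == "__main__":
    # The /18 block covers 16384 addresses (194.87.128.0-194.87.191.255), so one
    # record labels every host in it; a short prefix is a hint the answer is coarse.
    print(lookup_maxmind("194.87.138.228", MAXMIND_BLOCKS, MAXMIND_LOCATIONS))
    print(lookup_dbip("194.26.25.126", DBIP_RANGES))
```

A practitioner wiring geolocation into alerting or blocking logic can use the returned prefix length as a confidence hint: the country is only as trustworthy as the provider's record for that range.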