Connection Tracking does not work!

AdminWonder
Junior Member
Posts: 19
Joined: 25 Feb 2014, 16:26

Post by AdminWonder »

Hello,

I have updated csf to 4.46.

I found that Connection Tracking does not work although those ips are noted in tempip file.

For a very strict connection tracking, I have the following:

CT_LIMIT = 2
CT_INTERVAL = 200
CT_PORTS = 25,137,445

On the above ports there is constant spamming. The third connection should be imposing a temporary block (perm=0). This occurs very rarely although there are several IPs that get registered by spamdyke and are searchable in maillog. They are connected multiple times and, thus, should be blocked by csf.

Other than this, most of the configuration is working fine.

I have port scan values, as well as all other values, set up higher. Hence CT_LIMIT must be activated and that connection must be blocked. Unfortunately, this does not work anymore after the update.

Any suggestions for further infos to be given by me?
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Connection Tracking does not work!

Post by ForumAdmin »

Typically, connection tracking will not work on SMTP attacks as they are usually sequential, not concurrent, which is what the feature is for. Nothing at all has changed in the connection tracking for a long time.
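
The sequential-versus-concurrent distinction in the reply above, as an added example that is not part of the thread and is not csf/lfd code: it models a scan every CT_INTERVAL seconds that counts the connections each IP has open at that instant, using the CT_* values from the first post. The scan model, the "count greater than CT_LIMIT" comparison, the function names and the connection data (documentation-range IPs) are all assumptions constructed for illustration.

```python
# Simplified model (assumption): every CT_INTERVAL seconds a scan counts the
# connections each remote IP has open at that instant on CT_PORTS and flags
# any IP whose count exceeds CT_LIMIT. Not csf/lfd code.
from collections import Counter

CT_LIMIT = 2
CT_INTERVAL = 200
CT_PORTS = {25, 137, 445}

def build_sample():
    """Constructed connections: (remote_ip, local_port, open_s, close_s)."""
    conns = []
    # Sequential sender: 40 SMTP connections, 8 s each, one every 30 s.
    for i in range(40):
        conns.append(("192.0.2.10", 25, i * 30, i * 30 + 8))
    # Concurrent sender: 5 SMTP connections held open together.
    for i in range(5):
        conns.append(("198.51.100.7", 25, 390 + i, 460))
    # Concurrent, but on a port outside CT_PORTS, so never counted.
    for i in range(5):
        conns.append(("203.0.113.5", 80, 390 + i, 460))
    return conns

def scan(conns, now):
    """Count connections open at time `now` per remote IP on CT_PORTS."""
    counts = Counter()
    for ip, port, start, end in conns:
        if port in CT_PORTS and start <= now < end:
            counts[ip] += 1
    return counts

def flagged_ips(conns, duration):
    """Scan every CT_INTERVAL seconds; return {ip: peak count} over the limit."""
    flagged = {}
    for now in range(0, duration + 1, CT_INTERVAL):
        for ip, n in scan(conns, now).items():
            if n > CT_LIMIT:
                flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged

def totals(conns):
    """Total connections per IP on CT_PORTS over the whole window."""
    return Counter(ip for ip, port, _, _ in conns if port in CT_PORTS)

if __name__ == "__main__":
    sample = build_sample()
    print("totals :", dict(totals(sample)))
    print("flagged:", flagged_ips(sample, 1200))
```

In this model the sender with 40 connections is never flagged because no scan sees more than one of them open, while the sender holding 5 open at once is flagged on the first scan that overlaps them.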
AdminWonder
Junior Member
Posts: 19
Joined: 25 Feb 2014, 16:26

Re: Connection Tracking does not work!

Post by AdminWonder »

Hi,

I totally disagree with you.

I need connection tracking for something like 10 CONCURRENT CONNECTIONS or more.

Anyway, it did start to work, as well as Port Scan.

The reason why it began to work is - most likely - the internal recognition and logging of csf.

If there was a hint, that csf will not start blocking for a certain time, then I would have not placed this message.

Further, there are heaps of issues that must be developed. But for that discussion this thread is off topic.

If connection tracking is related with Port Scan, then one knows the relationship between the two.

I have ten connections to intercept.

What is better then, Connection Tracking or Port Scan? Both must trigger, theoretically, and block.

However, I use Port Scan as Connection Tracking does not get triggered, although both have similar values.

Thus Connection Tracking does not work properly and not as good as Port scan. Try yourself.