CSF and Maxmind generate wrong CIDR lists

Ves
Junior Member
Posts: 5
Joined: 13 Apr 2012, 00:35


Post by Ves »

# csf --version
csf: v14.16 (cPanel)

Because of excessive attacks against the SMTP port, I was forced to activate SMTPAUTH_RESTRICT to filter sending countries.

However, it shows a wrong (and worrying) behavior by blocking legitimate users from authorized countries.

Steps:
/etc/csf/csf.conf

Code:

    SMTPAUTH_RESTRICT = "1"
    CC_ALLOW_SMTPAUTH = "DE,NL"

Exim needed mods; rebuilt Exim & restarted. All working.

Then the last day I found a complaint because the IP 37.24.194.82 (DE) doesn't have access to the SMTP port.

I have checked the file /etc/exim.smtpauth and it is populated with all the [DE] network prefixes, although no range belongs to that IP:

Code:

    # grepcidr 37.24.194.82 /etc/exim.smtpauth
    no result

Then I looked up the prefix the IP belongs to:

Code:

    #  whois -h whois.cymru.com " -v 37.24.194.82"
    AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
    3209    | 37.24.194.26     | 37.24.128.0/17      | DE | ripencc  | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE

and then confirmed whether the prefix is inside the generated DE country list:

Code:

    # grepcidr 37.24.128.0/17 /etc/exim.smtpauth
    no result

However, when I do a whois query to get all the network prefixes belonging to its ISP route, then yes, it shows the right prefix:
grep:

Code:

    # IP=37.24.194.82; whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net ${IP} | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n | grep '37.24.128.0/17'

The whole prefix list:

Code:

    # IP=37.24.194.82; whois -h whois.radb.net -i origin -T route $(whois -h whois.radb.net ${IP} | grep origin: | awk '{print $NF}' | head -1) | grep -w "route:" | awk '{print $NF}' | sort -n

CSF is not generating the right CIDR prefix list for the countries. I don't know how CSF generates these lists, although I suspect the cause is in the Maxmind databases.

According to Maxmind, that IP 37.24.194.82 belongs to the ASN AS6830:

Code:

    # geoiplookup 37.24.194.82
    GeoIP Country Edition: DE, Germany
    GeoIP City Edition, Rev 1: DE, 07, Nordrhein-Westfalen, Gladbeck, 45968, 51.556599, 7.002500, 0, 0
    GeoIP ASNum Edition: AS6830 Liberty Global Operations B.V.

However, according to a whois query, it belongs to the ASN AS3209:

Code:

    #  whois -h whois.cymru.com " -v 37.24.194.82"
    AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
    3209    | 37.24.194.26     | 37.24.128.0/17      | DE | ripencc  | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE

Interestingly, the Maxmind web site doesn't show the ASN in web queries (?):
https://www.maxmind.com/en/geoip2-preci ... .24.194.82

I have downloaded an updated GeoLite2-ASN.mmdb, and there is no difference. It shows a wrong ASN:

Code:

    # geoiplookup /usr/share/GeoIP/GeoLite2-ASN.mmdb 37.24.194.82
    GeoIP Country Edition: DE, Germany
    GeoIP City Edition, Rev 1: DE, 07, Nordrhein-Westfalen, Gladbeck, 45968, 51.556599, 7.002500, 0, 0
    GeoIP ASNum Edition: AS6830 Liberty Global Operations B.V.

I have checked whois.ripe.net, whois.radb.net and whois.cymru.com, and all of them show the right ASN AS3209.

Also, a direct query for the right prefix shows ASN AS3209:

Code:

    # whois -h whois.cymru.com " -v 37.24.128.0/17"
    AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
    3209    | 37.24.128.0      | 37.24.128.0/17      | DE | ripencc  | 2011-12-22 | VODANET International IP-Backbone of Vodafone, DE

With the geoiplookup utility and the Maxmind databases, queries for *one IP* will return the right country.
However, in the case of using the Maxmind ASN database to extract the CIDR prefixes for blocking purposes, it can cause serious security problems. Not only because of the false positives, which are absent from the allowed ASN or CIDR country lists, but also because of the huge network segments which remain invisible to the firewalls. Not only CSF, I imagine.

I wonder about attackers and spammers who could collate and extract all these invisible network segments from the Maxmind databases to bypass the ASNs and countries in the firewalls.
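The coverage check the post does by hand (grepcidr for one IP, then for the prefix whois reports) can be automated so a generated country list is audited before the mail server trusts it. The following is an added example, not part of the original post and not CSF's or Maxmind's code: it parses a one-prefix-per-line allowlist in the shape of /etc/exim.smtpauth, reports which parts of an expected BGP prefix the list fails to cover, and reports which sample IPs have no covering entry. The allowlist text and the sample IPs are constructed for the demo; the expected prefix 37.24.128.0/17 is the one the whois output above reports for 37.24.194.82.

```python
"""Audit a generated country CIDR allowlist against prefixes you expect in it.

Added example for this thread; not CSF's or Maxmind's code. The allowlist
below is constructed and deliberately covers only half of 37.24.128.0/17,
the prefix whois.cymru.com reports for 37.24.194.82 in the post.
"""
import ipaddress

# Constructed sample in the same one-prefix-per-line shape as csf's
# generated /etc/exim.smtpauth. Not a real file.
SAMPLE_ALLOWLIST = """\
# constructed sample, not a real /etc/exim.smtpauth
37.24.0.0/17
37.24.128.0/18
80.81.192.0/18
"""

# Prefixes we expect the list to contain, e.g. taken from a whois/BGP lookup.
EXPECTED_PREFIXES = ["37.24.128.0/17"]

# Constructed sample of complaining client IPs (37.24.194.82 is from the post).
SAMPLE_IPS = ["37.24.194.82", "80.81.200.5"]


def parse_cidr_list(text):
    """Parse one prefix (or bare address) per line; skip blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def covering_prefix(ip, nets):
    """Most specific allowlist entry containing ip, or None (what grepcidr answers)."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def missing_parts(prefix, nets):
    """Return the sub-ranges of prefix that no allowlist entry covers.

    Handles partial coverage: a /17 covered by two separate /18s is complete,
    a /17 covered by one /18 leaves the other /18 reported as missing.
    """
    prefix = ipaddress.ip_network(prefix, strict=False)
    remaining = [prefix]
    for net in nets:
        if net.version != prefix.version:
            continue  # v4/v6 never overlap; comparing them would raise
        next_remaining = []
        for r in remaining:
            if net.supernet_of(r):
                continue  # r is fully inside an allowed entry: drop it
            if r.supernet_of(net):
                # net sits strictly inside r: carve it out, keep the rest
                next_remaining.extend(r.address_exclude(net))
            else:
                next_remaining.append(r)  # no overlap at all
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def audit(allowlist_text, expected_prefixes, sample_ips):
    """Return (gaps per expected prefix, sample IPs with no covering entry)."""
    nets = parse_cidr_list(allowlist_text)
    gaps = {p: [str(m) for m in missing_parts(p, nets)] for p in expected_prefixes}
    uncovered = [ip for ip in sample_ips if covering_prefix(ip, nets) is None]
    return gaps, uncovered


if __name__ == "__main__":
    gaps, uncovered = audit(SAMPLE_ALLOWLIST, EXPECTED_PREFIXES, SAMPLE_IPS)
    for prefix, missing in gaps.items():
        status = "complete" if not missing else "MISSING " + ", ".join(missing)
        print(f"{prefix}: {status}")
    for ip in uncovered:
        print(f"{ip}: no covering entry (would be refused SMTP AUTH)")
```

In practice you would feed the real /etc/exim.smtpauth to `parse_cidr_list` and fill `EXPECTED_PREFIXES` from the route objects the radb query in the post returns; any non-empty "MISSING" output is a client population the country filter will reject even though whois places it in an allowed country.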