Author Topic: CSF - IP tables rules  (Read 2531 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
CSF - IP tables rules
« on: April 11, 2021, 02:56:26 PM »
Situation - i have set custom rules for Wordpress XMLRPC attack - csf deny rule was triggered and IP come to 24 h ban in CSF deny list but ... acces log for domain show

119.29.93.25 - - [11/Apr/2021:15:47:51 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:52 +0200] "POST /xmlrpc.php HTTP/2.0" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:52 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:53 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:53 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:53 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:54 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:54 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:55 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:55 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:56 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:56 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:56 +0200] "POST /xmlrpc.php HTTP/2.0" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:57 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.93.25 - - [11/Apr/2021:15:47:57 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"

- yeah webserver return 403 but i want to execute blok rule before it even hit nginx proxy or apache

i did  itables -A INPUT -s 119.29.93.25 -j DROP which added IP to drop chain and stopped the flood ( got 3 MB / munute log size )  - is there a rule / way to make it auto seems that CSF drop rule make server to respond with 403 but traffic still hit it and make log spam

Offline
*
Re: CSF - IP tables rules
« Reply #1 on: April 12, 2021, 06:23:33 PM »
119.45.95.69 - - [12/Apr/2021:20:20:58 +0200] "POST /xmlrpc.php HTTP/2.0" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:20:59 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:00 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:04 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:05 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:06 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:06 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:08 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:16 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:23 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:24 +0200] "POST /xmlrpc.php HTTP/2.0" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:27 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:28 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:29 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:30 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:31 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:33 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:34 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:38 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.95.69 - - [12/Apr/2021:20:21:39 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"


aaaand another :)