The Community Forums


Blocked 2 x /16 subnets, new spam users keep registering

Discussion in 'Security' started by Bashed, Jul 28, 2015.

  1. Bashed, Well-Known Member (cPanel Access Level: Root Administrator)
    I blocked 2 large /16 subnets via CSF from Pakistan for dozens of new spam users coming to my Xenforo forum. Even after 10 minutes, new ones kept registering from the same ranges I already blocked prior. How is this even possible?

    I had at least 5 new spam users that just registered over 10 minutes after I blocked these below.

    182.186.0.0/16 # Manually denied: 182.186.0.0/16 (-/-/-) - Tue Jul 28 08:19:52 2015
    39.36.0.0/16 # Manually denied: 39.36.0.0/16 (-/-/-) - Tue Jul 28 08:22:14 2015

    Is my setup wrong?
     
    vdraq likes this.
  2. Infopro, cPanel Sr. Product Evangelist, Staff Member (Pennsylvania; cPanel Access Level: Root Administrator)
    You can watch the LFD log live from CSF. Have you checked that for clues?
     
  3. quizknows, Well-Known Member (cPanel Access Level: DataCenter Provider)
    Forum spam signups are always tough to secure. You need to add additional security like captchas and security questions to your registration form, and make sure that your software is current in case a hack exists to bypass those securities.

    Blocking IPs from signing up is a never-ending battle that you will never win... I learned that the hard way myself. You have to secure the form itself against the bots, otherwise they will just keep coming at you from new IP addresses and countries.
     
  4. Infopro, cPanel Sr. Product Evangelist, Staff Member
    Lots of spam suggestions on xenforo forums, here's a fine idea, suggested to me by @eva2000 :)
    xenforo.com/community/resources/tpu-detect-and-block-spam-registrations.2973/
     
    eva2000 likes this.
  5. Bashed, Well-Known Member
    Thanks. I got more registrations today, this morning from IPs that came from Pakistan, specifically from the 2 x /16 subnets I already blocked yesterday in CSF. How is that even possible? Apparently CSF isn't doing its job.
     
  6. Infopro, cPanel Sr. Product Evangelist, Staff Member
    Then something might be incorrectly configured somewhere. CSF does its job quite well in my experience.
    You might consider creating a proper CIDR list of your own to add to CSF (or .htaccess to use for the xenforo account itself);
    https://www.countryipblocks.net/country_selection.php
     
  7. quizknows, Well-Known Member
    A couple of things...

    First, CSF has a setting in the conf that limits the number of deny entries. It will rotate out the old blocks as new IPs or ranges are blocked. Check your csf.deny and see if 182.186.0.0/16 is actually still in there. If a few hundred new IPs were blocked it could have rotated out.

    If you need to make sure the block never rotates out you must add "do not delete" to the comment in csf.deny, such as:
    Code:
    182.186.0.0/16 # Manually denied do not delete
    39.36.0.0/16 # Manually denied do not delete
    
    Second, do a good hard restart of csf/lfd:

    Code:
    csf -x ; csf -e
    
    This fully disables and immediately re-enables csf and lfd, ensuring your configs and settings are actually active. Then check iptables for the rules using csf's grep flag:
    Code:
    [root@new ~]# csf -g 182.186.0
    Chain    num  pkts bytes target  prot opt in   out  source          destination
    DENYIN   499  0    0     DROP    all  --  !lo  *    182.186.0.0/16  0.0.0.0/0
    DENYOUT  499  0    0     DROP    all  --  *    !lo  0.0.0.0/0       182.186.0.0/16
    
     
    Bashed likes this.
  8. keat63, Well-Known Member (cPanel Access Level: Root Administrator)
    Is CSF taken out of test mode ?
     
  9. Bashed, Well-Known Member
    Thanks.

    Code:
    root@server [~]# csf -g 182.186.0
    Chain    num  pkts bytes target      prot opt in   out  source          destination
    DENYIN   139  0    0     DROP        all  --  !lo  *    182.186.0.0/16  0.0.0.0/0
    DENYOUT  139  0    0     LOGDROPOUT  all  --  *    !lo  0.0.0.0/0       182.186.0.0/16

    ip6tables:
    Chain    num  pkts bytes target      prot opt in   out  source          destination
    No matches found for 182.186.0 in ip6tables

    CSF is not in "test" mode either.

    Also updated csf.deny to

    Code:
    182.186.0.0/16 # Manually denied do not delete: 182.186.0.0/16 (-/-/-) - Tue Jul 28 08:19:52 2015
    39.36.0.0/16 # Manually denied do not delete: 39.36.0.0/16 (-/-/-) - Tue Jul 28 08:22:14 2015
     
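The checks quizknows and keat63 describe in posts 7 to 9 (is the range still in csf.deny after DENY_IP_LIMIT rotation, does its comment carry the "do not delete" marker, is TESTING still on) can be scripted so the answer does not depend on eyeballing the file. The script below is an added example, not code from the thread or from the csf project. It works on constructed sample copies of csf.deny and csf.conf written to temp files; on a live server you would point it at /etc/csf/csf.deny and /etc/csf/csf.conf. The CIDR matching and the config parsing are written in plain POSIX sh so it runs without csf installed; the "do not delete" semantics are as stated in post 7.

```shell
#!/bin/sh
# Added example (not from the thread or from csf): audit whether an IP that
# keeps getting through is actually covered by a csf.deny entry, whether that
# entry can be rotated out by DENY_IP_LIMIT, and whether csf is in TESTING mode.
# The csf.deny / csf.conf contents below are constructed samples for the demo;
# the live files are /etc/csf/csf.deny and /etc/csf/csf.conf.

DENY_FILE=$(mktemp)
CONF_FILE=$(mktemp)
trap 'rm -f "$DENY_FILE" "$CONF_FILE"' EXIT

cat >"$DENY_FILE" <<'EOF'
# csf.deny (constructed sample)
182.186.0.0/16 # Manually denied do not delete: 182.186.0.0/16 (-/-/-) - Tue Jul 28 08:19:52 2015
39.36.0.0/16 # Manually denied: 39.36.0.0/16 (-/-/-) - Tue Jul 28 08:22:14 2015
203.0.113.7 # lfd: (sshd) Failed SSH login from 203.0.113.7 (constructed)
EOF

cat >"$CONF_FILE" <<'EOF'
# csf.conf (constructed sample; only the two settings this script reads)
TESTING = "0"
DENY_IP_LIMIT = "200"
EOF

# ip2int A.B.C.D -> unsigned 32-bit integer, pure shell
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (a bare IP counts as /32)
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# deny_entry_for IP FILE -> prints the first csf.deny line whose address or
# CIDR covers IP; exit 1 if none. Blank and comment-only lines are skipped.
deny_entry_for() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        target=${line%%[ #]*}            # token before the first space or '#'
        if in_cidr "$1" "$target"; then
            printf '%s\n' "$line"
            return 0
        fi
    done <"$2"
    return 1
}

# rotation_protected LINE -> exit 0 if the comment carries the "do not delete"
# marker that exempts an entry when DENY_IP_LIMIT rotates old entries out.
rotation_protected() {
    case $1 in *"do not delete"*) return 0 ;; *) return 1 ;; esac
}

# conf_value NAME FILE -> the value of a  NAME = "value"  line in csf.conf
conf_value() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# audit_ip IP DENYFILE CONFFILE -> one-word verdict:
#   TESTING     csf.conf has TESTING="1": no deny rule is enforced at all
#   NOT_DENIED  no csf.deny entry covers IP (rotated out, or never added)
#   ROTATABLE   entry exists but lacks "do not delete": DENY_IP_LIMIT can drop it
#   DENIED      entry exists, protected from rotation, csf enforcing
audit_ip() {
    if [ "$(conf_value TESTING "$3")" = "1" ]; then echo TESTING; return 0; fi
    entry=$(deny_entry_for "$1" "$2") || { echo NOT_DENIED; return 0; }
    if rotation_protected "$entry"; then echo DENIED; else echo ROTATABLE; fi
}

# Demo run over the constructed sample (constructed test addresses)
for ip in 182.186.45.12 39.36.200.1 203.0.113.7 182.187.0.1; do
    printf '%-15s %s\n' "$ip" "$(audit_ip "$ip" "$DENY_FILE" "$CONF_FILE")"
done
```

A ROTATABLE verdict on a range you blocked by hand is the situation post 7 describes: the entry is live today but will silently disappear once DENY_IP_LIMIT new entries have been added. The script only reads the files; confirming that iptables actually carries the rule is still `csf -g <address>` as shown above.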