Blocking a range of IPs in CSF?

[247forever]

Hi

Seeking opinions on the advisability of blocking some countries by range on a webserver in the csf deny. The server itself is high-powered with lots of resources.

We are setting up a new server specifically for domestic sites. We have config server installed, and have some tight rules in cphulk as well.

But of course we can see that the logs are filling up with blocks from some of the usual suspects.

We use project honeypot and several of the lfd blocklists already, although the benefits are hard to quantify (one can only hope....).

We were thus thinking to just block some ranges in csf deny, and one question that immediately comes to mind is impact on serving sites, and server resources although as noted this server is well allocated in that respect. Obviously as looking to block foreign ranges such traffic is not an issue for the sites that will be placed on this server.

Just wanted to canvass for opinions and we thank in advance all who respond.

 

[Muhammed Fasal]

Hi,

If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format.

For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list.

If you are unsure how to convert a range of IP’s to CIDR, I find the following site helpful. You enter the starting IP, and ending IP, and it will create the CIDR entries for you.

IP to CIDR online converter

You will likely receive better support on the CSF application from their support forums found at:

ConfigServer Community Forum - Index page

 

[Tearabite]

We block thousands of individual IPs and ranges (CIDRs) and even several countries using CC_DENY which adds thousands of more ranges, with virtually 0 impact on resource usage.

 

[247forever]

We block thousands of individual IPs and ranges (CIDRs) and even several countries using CC_DENY which adds thousands of more ranges, with virtually 0 impact on resource usage.

This is one of the matters we were concerned about - resource usage. We thought there would be minimal impact but its great to get some third party thoughts and your input is appreciated. The other issue we potentially foresee is site loading time as the deny files are parsed but we will do some a/b testing and if we find anything notable we will advise.

You know, we forgot about CC_Deny option in the config serv setting as we have not had past occasion to use it or custom lists at the server level (LF_GLOBAL) as all our servers had a mixed bag of customers (so we did such blocks at the .htaccess level typically, or guided them to use the cpanel options for simple blocks). So this was a great reminder that the option(s) is there and we are feeling a little silly for not remembering it given how many thousands of times we have been through the configserv settings panel.....

Hi,

If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format.

For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list.

If you are unsure how to convert a range of IP’s to CIDR, I find the following site helpful. You enter the starting IP, and ending IP, and it will create the CIDR entries for you.

IP to CIDR online converter

You will likely receive better support on the CSF application from their support forums found at:

ConfigServer Community Forum - Index page

Thank you for your responses although this info we already knew - its simply that in the past we typically blocked at the website level via .htaccess files and wanted a better global solution. In respect of the ConfServ form we did think about posting at it but thought why not here first as these forums are very active.

In the spirit of contributing, for anyone reading some sites we find handy for determining range blocks and other useful info:

CIPB - Create Country ACL
IP Address Ranges by Country
https://dev.maxmind.com/geoip/geoip2/geolite2/

Sometimes they will produce different results for the same query, which one can compare.

 

[MickFlorence]

CSF should be efficient enough to filter the traffics by IP address range. You could give it a try.

If you need IP address list by country in multiple firewall formats, you can export it free from Block Visitors by Country | IP2Location

Good luck!

 

[kitmancraig]

I have the following in my CSF file:

114.119.0.0/16 #Manual Subnet Block CW 16/01/2020. Massive hots from China and Singapore. Look lit bad bots.

Yet I have seen visitors:

	Unknown	28/01/2020	114.119.157.106
	Unknown	28/01/2020	114.119.165.34
	Unknown	28/01/2020	114.119.137.41
	Unknown	28/01/2020	114.119.149.139
	Unknown	28/01/2020	114.119.164.121
	Unknown	28/01/2020	114.119.142.158
	Unknown	28/01/2020	114.119.165.171
	Unknown	28/01/2020	114.119.133.50

Any help or advice would be gratefully received.

 

[Ernesto Dionisio]

Is there a way a bulk IP POP3 or imap will IP's will be allowed? I tried IP like this (for example only)
123.45.0.0/24 # csf.allow

then I saw some IP IN csf.deny
123.45.111.222 # lfd: (pop3d) Failed POP3 login from 123.45.111.222

• can somebody explain to me why is this happening?
• how can I make this work?
• May I know if my bulk IP allow is correct declared?

 

[cPRex]

CSF does support CIDR notation, so I would expect that to work well. The csf.deny file could still be processing IPs that are brute forcing the server though, whch would be my guess as to what is happening here especially if you have cPHulk enabled.