SOLVED CSF Chain CC_ALLOW (1 references)

Operating System & Version
CentOS 7, CSF latest version 14.09
cPanel & WHM Version
94.02

Spirogg

Well-Known Member
Feb 21, 2018
136
28
28
chicago
cPanel Access Level
Root Administrator
In CSF I see Chain CC_ALLOW (1 references)
with 20,000 plus lines of IPs and IP blocks?

I checked some of the IPs and they belong to a flooring website, another is att.com, another is noop.net.

Why so many IPs? Have I been hacked, or is this a CSF IP thing where they added all this in the chain CC_ALLOW?

I'm not too good at this, so I just want to make sure it's not bogus and someone added this to my server's CSF CC_ALLOW, or whether this is normal?

example : 45.0.0.0/15

belongs to:
NetRange: 45.0.0.0 - 45.1.255.255
CIDR: 45.0.0.0/15
NetName: SHOWNET
NetHandle: NET-45-0-0-0-1
Parent: NET45 (NET-45-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS290
Organization: Interop Show Network (ISN-4)
RegDate: 1991-09-09
Updated: 2011-10-02
Ref: https://rdap.arin.net/registry/ip/45.0.0.0

Why is that in allow?

Here is more:

Code:
800 0 0 ACCEPT all -- * * 40.120.0.0/14 0.0.0.0/0
801 0 0 ACCEPT all -- * * 40.124.0.0/16 0.0.0.0/0
802 0 0 ACCEPT all -- * * 40.125.0.0/17 0.0.0.0/0
803 0 0 ACCEPT all -- * * 40.126.0.0/18 0.0.0.0/0
804 0 0 ACCEPT all -- * * 40.126.128.0/17 0.0.0.0/0
805 0 0 ACCEPT all -- * * 40.127.0.0/16 0.0.0.0/0
806 0 0 ACCEPT all -- * * 40.128.0.0/9 0.0.0.0/0
807 0 0 ACCEPT all -- * * 43.226.24.0/22 0.0.0.0/0
808 0 0 ACCEPT all -- * * 43.231.12.0/22 0.0.0.0/0
809 0 0 ACCEPT all -- * * 43.245.48.0/22 0.0.0.0/0
810 0 0 ACCEPT all -- * * 43.251.180.0/22 0.0.0.0/0
811 0 0 ACCEPT all -- * * 44.0.0.0/8 0.0.0.0/0
812 0 0 ACCEPT all -- * * 45.0.0.0/15 0.0.0.0/0
813 0 0 ACCEPT all -- * * 45.3.32.0/19 0.0.0.0/0
814 0 0 ACCEPT all -- * * 45.3.64.0/18 0.0.0.0/0
815 0 0 ACCEPT all -- * * 45.3.128.0/17 0.0.0.0/0
816 0 0 ACCEPT all -- * * 45.11.0.0/22 0.0.0.0/0
817 0 0 ACCEPT all -- * * 45.16.0.0/12 0.0.0.0/0
818 0 0 ACCEPT all -- * * 45.32.0.0/16 0.0.0.0/0
819 0 0 ACCEPT all -- * * 45.33.0.0/17 0.0.0.0/0
820 0 0 ACCEPT all -- * * 45.33.128.0/18 0.0.0.0/0
821 0 0 ACCEPT all -- * * 45.33.194.0/23 0.0.0.0/0
Why are these in Chain CC_ALLOW?

Please, if someone can tell me: I have 20,000 plus IPs and IP ranges in CC_ALLOW.

thanks

Spiro

Spirogg

Code:
Chain CC_ALLOW (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       2.57.164.0/22        0.0.0.0/0           
2       53  3857 ACCEPT     all  --  *      *       3.0.0.0/8            0.0.0.0/0           
3        0     0 ACCEPT     all  --  *      *       4.0.0.0/8            0.0.0.0/0           
4        0     0 ACCEPT     all  --  *      *       5.35.192.0/21        0.0.0.0/0           
5        0     0 ACCEPT     all  --  *      *       5.150.156.0/22       0.0.0.0/0           
6        0     0 ACCEPT     all  --  *      *       5.152.184.0/21       0.0.0.0/0           
7        0     0 ACCEPT     all  --  *      *       5.188.0.0/21         0.0.0.0/0           
8        0     0 ACCEPT     all  --  *      *       5.188.120.0/21       0.0.0.0/0           
9        0     0 ACCEPT     all  --  *      *       5.252.164.0/22       0.0.0.0/0           
10       0     0 ACCEPT     all  --  *      *       6.0.0.0/7            0.0.0.0/0           
11       0     0 ACCEPT     all  --  *      *       8.0.0.0/9            0.0.0.0/0           
12       0     0 ACCEPT     all  --  *      *       8.192.0.0/12         0.0.0.0/0           
13       0     0 ACCEPT     all  --  *      *       8.224.0.0/11         0.0.0.0/0           
14       0     0 ACCEPT     all  --  *      *       9.0.0.0/8            0.0.0.0/0           
15       0     0 ACCEPT     all  --  *      *       11.0.0.0/8           0.0.0.0/0           
16      16  1867 ACCEPT     all  --  *      *       12.0.0.0/7           0.0.0.0/0           
17       0     0 ACCEPT     all  --  *      *       14.102.172.0/22      0.0.0.0/0           
18       0     0 ACCEPT     all  --  *      *       15.0.0.0/8           0.0.0.0/0           
19       7   570 ACCEPT     all  --  *      *       16.0.0.0/6           0.0.0.0/0           
20       0     0 ACCEPT     all  --  *      *       20.0.0.0/7           0.0.0.0/0           
21       0     0 ACCEPT     all  --  *      *       22.0.0.0/8           0.0.0.0/0
 

Spirogg

This is under View iptables Rules > Display the active iptables rules.

Do you have an idea if CSF adds these, or is there something fishy going on?

thanks

Spiro
 

Spirogg

OK, I think I got it figured out. My partner logged in earlier and added US,CA,UK to CC_ALLOW,
so I removed that from CC_ALLOW and added it to CC_ALLOW_FILTER instead, with US,CA,UK,GB.
Now it populated more IPs, so I guess that is what happened and I had a panic attack, arggggg.

- So now I understand what happened and where those IPs came from.

So a quick question is: what is the difference between

ALLOW all
when using CC_ALLOW with country codes
vs
RETURN all
when using CC_ALLOW_FILTER with country codes


Code:
Chain CC_ALLOWF (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      862  124K ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 RETURN     all  --  *      *       2.57.164.0/22        0.0.0.0/0          
3      106  7757 RETURN     all  --  *      *       3.0.0.0/8            0.0.0.0/0          
4        0     0 RETURN     all  --  *      *       4.0.0.0/8            0.0.0.0/0          
5        0     0 RETURN     all  --  *      *       5.35.192.0/21        0.0.0.0/0

PS: OK, it was that anything I added to CC_ALLOW or CC_ALLOW_FILTER would add those countries to the allow list, based on the database that downloads to your server. So after reading more I opted to sign up for MaxMind, which you need to sign up for and generate a key; you also need to accept the agreement. Sign up here: Sign up for GeoLite2. It's free, and then you generate a license key. Then you can enter the key in CSF > Firewall Configuration > Country Code Lists and Settings.
- In the first section on that page you will see MM_LICENSE_KEY = enter your license key here

- Then in the next section below that, set CC_SRC = 1

- Then save and restart CSF and LFD

and you should see the database has downloaded:
# cd /var/lib/csf/Geo
then type dir
and you will see the Geo database in this directory.

Code:
[[email protected] ~]# cd /var/lib/csf/Geo
[[email protected] Geo]# dir
COPYRIGHT.txt          GeoLite2-ASN-Blocks-IPv4.csv      GeoLite2-Country-Blocks-IPv6.csv   LICENSE.txt
countryInfo.txt        GeoLite2-ASN-Blocks-IPv6.csv      GeoLite2-Country-Locations-en.csv  README.txt
dbip-country-lite.csv  GeoLite2-Country-Blocks-IPv4.csv  ip2asn-combined.tsv

And any country code you add in CC_ALLOW_FILTER or CC_DENY will work and block or allow those countries.

Correct me if I'm wrong, but I did more homework and it seems this is a working option here.
I believe I got it correct now and know what all those IPs are now. Whew, I thought I got hacked earlier, but it's only CSF and country codes. :)
Thanks again
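One way to answer the original worry ("did someone add these, or are they all from the country codes?") is to audit the chain against the GeoLite2 CSVs that CSF downloads into /var/lib/csf/Geo. This is an added example, not code from the thread or from CSF: it parses rule lines in the iptables -nvL format shown above, maps each source CIDR to a country through the GeoLite2 country blocks and locations files, and flags any rule whose CIDR is not inside a block of a country you configured. The CSV rows and the country attributions below are constructed sample data, not real GeoLite2 records.

```python
import csv, io, ipaddress, re

# One rule line of `iptables -L CC_ALLOW -n -v --line-numbers`:
# num pkts bytes target prot opt in out source destination [extras]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+\S+\s+(ACCEPT|RETURN|DROP)(?:\s+\S+){4}\s+(\S+)\s+\S+")

def parse_chain(dump):
    """[(target, source_network)] for the per-country rules in a chain dump."""
    rules = []
    for m in filter(None, map(RULE_RE.match, dump.splitlines())):
        if m.group(2) != "0.0.0.0/0":  # skip the ctstate RELATED,ESTABLISHED rule
            rules.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return rules

def load_country_blocks(locations_csv, blocks_csv):
    """Map each GeoLite2 network to an ISO country code (registered country as fallback)."""
    iso = {r["geoname_id"]: r["country_iso_code"] for r in csv.DictReader(io.StringIO(locations_csv))}
    blocks = []
    for r in csv.DictReader(io.StringIO(blocks_csv)):
        gid = r["geoname_id"] or r["registered_country_geoname_id"]
        blocks.append((ipaddress.ip_network(r["network"]), iso.get(gid, "??")))
    return blocks

def unexplained(rules, blocks, allowed):
    """Rules whose source CIDR lies in no block of an allowed country. ACCEPT is terminal
    (packet admitted, no port checks); RETURN goes back to the calling chain, so CSF's
    normal port rules still apply to it."""
    flagged = []
    for target, net in rules:
        cc = next((c for bnet, c in blocks if net.subnet_of(bnet)), "??")
        if cc not in allowed:
            flagged.append((target, str(net), cc))
    return flagged
# Constructed sample input (not real GeoLite2 data): rules in the thread's format plus
# CSV rows in the GeoLite2-Country-Blocks-IPv4 / -Locations-en column layout.
CHAIN = """Chain CC_ALLOW (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       2.57.164.0/22        0.0.0.0/0
2       53  3857 ACCEPT     all  --  *      *       3.0.0.0/8            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       5.35.192.0/21        0.0.0.0/0
"""
LOCATIONS = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2017370,en,EU,Europe,RU,Russia,0
"""
BLOCKS = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
3.0.0.0/8,6252001,6252001,,0,0
5.35.192.0/21,2017370,2017370,,0,0
"""

if __name__ == "__main__":
    for target, net, cc in unexplained(parse_chain(CHAIN), load_country_blocks(LOCATIONS, BLOCKS), {"US", "CA", "GB"}):
        print(f"{target} {net} country={cc}  <- not from an allowed country")
```

On a real server, feed it the output of `iptables -L CC_ALLOW -n -v --line-numbers` (or CC_ALLOWF) and the real CSV files; an empty result means every entry is explained by your configured country codes.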

Spiro

Spirogg

Hey hey! If I'm reading this correctly, you found there were country code blocks, and those in turn blocked a large number of IPs on the system. Is that correct?

Hello. Well, sort of. I had thought I was hacked and someone added all these IP blocks to the allow list. Then, after a couple of hours of reading more, I found out these are added because we add country codes to those areas. Then it populates in the CC_ALLOW in CSF. So sorry for the long-winded posts. I got it figured out now :)