CSF - WHM Not Blocking IP's

Goodie

Hello,

I have been struggling to understand what's going on with my server.

I have been getting attacked by IPs coming from the Yahoo network in Washington State.

I have added the IPs to my CSF firewall but I still see them getting past.

I have tested my iptables and also done test blocks of my own IPs. If I block my IP or some of my other IPs for testing, they cannot connect.

But I have blocked this IP 216.115.101.179 at two levels, hardware node and VPS, and they still get through with 100s of connections.

I have tried range blocks as well as each IP, but the results are the same:

I run netstat and they are still there and growing.

Any ideas or help would be greatly welcome!
 

cPanelMichael

Administrator
Staff member
Hello :)

What logs or methods are you using to view the active connections to your server or services? Is it just netstat, or do you see the IP addresses in the access logs?

Thank you.
 

Goodie

Hello,

Thanks for getting back to me.

I have been running a few commands to see what is going on.

I run:
Code:
netstat -tn --inet 2> /dev/null| grep ":80" | awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ { print $5; }' | cut -d":" -f1 | sort | uniq -c | sort -n

My results:
I'm not listing what I would call normal IPs.


75 216.115.101.178
100 98.138.81.82
144 216.115.110.119
207 98.136.145.152

which are all from: r2.ycpi.vip.dcb.yahoo.net

I have also run:
netstat -n -A inet

example below

SENT
tcp 0 1290 72.55.183.224:80 216.197.229.166:3880 LAST


netstat -anp | grep :80 | grep ESTABLISHED | wc -l

I get 309, which is far less than netstat shows.

I do not find these IPs in our logs, however, which is really driving me crazy.

I have CSF installed in the VPS and it's simply not stopping them. If I stop Apache they all go away, which they should. Not sure if that tells you anything.

I have rebuilt Apache, I have reinstalled CSF, I have scanned the system with CXS and ClamAV. I just can't seem to stop this, and of course it's bringing down my Apache server with too many max connections.

However, my avg server load is only 1.4.

Any advice would be wonderful!
Thanks

- - - Updated - - -

Side note...

I also tried blocking them from the hardware node. I'm sure they are spoofing IP or something? I'm lost atm.

- - - Updated - - -

Oh, one more thing: if I raise my max connections, these IPs will take them all... :(
 

kernow

Check on ESTABLISHED connections instead of all connections, and display the number of connections for each IP:
Code:
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
And a question for you: are all the connections aimed at just one domain name? Is it your hosting domain or a client's domain?
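
An added example, not part of any post in this thread: it generalizes the ESTABLISHED-only count above into a per-IP breakdown by TCP state for one local port, so live connections can be told apart from sockets in other states. The function names `conn_states` and `sample_netstat` are hypothetical, and the sample lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: count connections per remote IP and TCP state for one local port.
# Input: `netstat -tn` style lines on stdin
#        (Proto Recv-Q Send-Q Local-Address Foreign-Address State).

conn_states() {  # usage: netstat -tn | conn_states 80
  awk -v port="${1:-80}" '
    $1 ~ /^tcp/ && NF >= 6 {
      # Keep only sockets whose local address ends in :port.
      n = split($4, l, ":")
      if (l[n] != port) next
      # Remote IP is everything before the last ":" (works for IPv6 too).
      m = split($5, r, ":")
      ip = r[1]
      for (i = 2; i < m; i++) ip = ip ":" r[i]
      # Fold IPv4-mapped IPv6 addresses onto the plain IPv4 form.
      sub(/^::ffff:/, "", ip)
      count[ip " " $6]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample input (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED
tcp        0   1290 192.0.2.10:80           203.0.113.9:3880        LAST_ACK
tcp        0      0 192.0.2.10:80           203.0.113.9:3881        LAST_ACK
tcp        0      0 192.0.2.10:80           203.0.113.9:3882        TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.7:51000      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:3883 ESTABLISHED
EOF
}

# Output columns: count, remote IP, state.
sample_netstat | conn_states 80
```

On a live server the same function reads from `netstat -tn` directly; an IP that appears only in closing states is holding no active Apache connection, while one with many ESTABLISHED rows is.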