
CSF - WHM Not Blocking IP's

Discussion in 'Security' started by Goodie, Dec 18, 2013.

  1. Goodie

    Goodie Registered

    Hello,

    I have been struggling to understand what's going on with my server.

    I have been getting attacked by IPs coming from the Yahoo network in Washington State.

    I have added the IPs to my CSF firewall but I still see them getting past.

    I have tested my iptables and also done test blocks of my own IPs. If I block my IP or some of my other IPs for testing, they cannot connect.

    But I have blocked this IP 216.115.101.179 at two levels, hardware node and VPS, and they still get through with 100s of connections.

    I have tried range blocks as well as each IP, but the results are the same:

    I run netstat and they are still there and growing.

    Any ideas or help would be greatly welcome!
    :confused:
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    What logs or methods are you using to view the active connections to your server or services? Is it just netstat, or do you see the IP addresses in the access logs?

    Thank you.
     
  3. Goodie

    Goodie Registered

    Hello,

    Thanks for getting back to me.

    I have been running a few commands to see what is going on.

    I run:
    netstat -tn --inet 2> /dev/null| grep ":80" | awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ { print $5; }' | cut -d":" -f1 | sort | uniq -c | sort -n

    My results:
    I'm not listing what I would call normal IPs.


    75 216.115.101.178
    100 98.138.81.82
    144 216.115.110.119
    207 98.136.145.152

    which are all from: r2.ycpi.vip.dcb.yahoo.net

    I have also run:
    netstat -n -A inet

    example below

    SENT
    tcp 0 1290 72.55.183.224:80 216.197.229.166:3880 LAST


    netstat -anp | grep :80 | grep ESTABLISHED | wc -l

    I get 309, which is far less than netstat shows.

    I do not find these IPs in our logs, however, which is really driving me crazy.

    I have CSF installed in the VPS and it's simply not stopping them. If I stop Apache they all go away, which they should. Not sure if that tells you anything.

    I have rebuilt Apache, I have reinstalled CSF, I have scanned the system with CXS and ClamAV. I just can't seem to stop this, and of course it's bringing down my Apache server with too many max connections.

    However, my avg server load is only 1.4.

    Any advice would be wonderful!
    Thanks

    - - - Updated - - -

    Side note...

    I also tried blocking them from the hardware node. I'm sure they are spoofing the IP or something? I'm lost atm.

    - - - Updated - - -

    Oh, one more thing: if I raise my max connections, these IPs will take them all... :(
     
  4. kernow

    kernow Well-Known Member

    Check ESTABLISHED connections instead of all connections, and display the number of connections for each IP:
    Code:
    netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
    And a question for you: are all the connections aimed at just one domain name? Is it your hosting domain or a client's domain?
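
An added example, not part of the original thread: the per-IP counts discussed above, split by TCP state, so the all-states total from the first pipeline can be compared with the ESTABLISHED-only count from the second. The sample netstat output, its addresses and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed `netstat -tn` sample (documentation addresses, not the thread's).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      TIME_WAIT
tcp        0   1290 192.0.2.10:80           198.51.100.7:40115      LAST_ACK
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:51002       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:8022        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.77:33000      SYN_RECV
EOF
}

# by_ip_state PORT: reads netstat -tn output on stdin and prints
# "count ip state" for sockets whose LOCAL port is exactly PORT.
# (A plain grep ":80" would also match local :8080 or a remote :8022.)
by_ip_state() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") {
      ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
      n[ip " " $6]++                     # key on remote IP + TCP state
    }
    END { for (k in n) print n[k], k }' | sort -k2,2 -k1,1nr
}

# total_by_ip PORT: sockets in every state per remote IP, busiest first.
total_by_ip() {
  by_ip_state "$1" |
    awk '{ t[$2] += $1 } END { for (ip in t) print t[ip], ip }' | sort -k1,1nr
}

# established_by_ip PORT: only ESTABLISHED sockets per remote IP.
established_by_ip() {
  by_ip_state "$1" | awk '$3 == "ESTABLISHED" { print $1, $2 }' | sort -k1,1nr
}

echo "== per IP and state, port 80 =="; sample_netstat | by_ip_state 80
echo "== all states ==";                sample_netstat | total_by_ip 80
echo "== ESTABLISHED only ==";          sample_netstat | established_by_ip 80
```

On a live server, pipe `netstat -tn` into the functions in place of `sample_netstat`.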
     