CSF - WHM Not Blocking IP's

[Goodie]

Hello,

I have been struggling to understand whats going on with my server.

I have been getting attacked by IP's coming from Yahoo network in Washington State.

I have added the IP's to my CSF firewall but I still see them getting past.

I have tested my iptables and also done test block my own IPs. If I block my IP or some of my other IPs for testing they can not connect.

But I have blocked this IP 216.115.101.179 at two levels, Hardware node and VPS and they still get thru with 100's of connections.

I have tried rang blocks as well as each IP but results the same:

I run netstat and they still there and growing.

Any ideas or help would be greatly welcome!

 

[cPanelMichael]

Hello

What logs or methods are you using to view the active connections to your server or services? Is it just netstat, or do you see the IP addresses in the access logs?

Thank you.

 

[Goodie]

Hello,

thanks for getting back to me..

I have been running a few commands to see what is going on.

I run netstat -tn --inet 2> /dev/null| grep ":80" | awk '/tcp[\ ]*[0-9]+[\ ]*[0-9]+[\ ]+[^\ ]+[\ ]*[^\ ]*/ { print $5; }' | cut -d":" -f1 | sort | uniq -c | sort -n

My results:
Im not listing what I would call normal IPs


75 216.115.101.178
100 98.138.81.82
144 216.115.110.119
207 98.136.145.152

which are all from: r2.ycpi.vip.dcb.yahoo.net

I have also ran:
netstat -n -A inet

example below

SENT
tcp 0 1290 72.55.183.224:80 216.197.229.166:3880 LAST


netstat -anp | grep :80 | grep ESTABLISHED | wc -l

I get 309 which is far less then netstat shows.

I do not find these IPs in our logs however which is really driving me crazy

I have CSF installed in VPS and its simple not stopping them.. If I stop Apache they all go away.. which they should.. Not sure if that tells you anything.

I have rebuilt Apache, I have reinstall CSF, I have scanned system with CXS and ClamAV, I just cant seem to stop this and of course its bring down my Apache server with too many max connections.

However my avg server load is only 1.4

Any advise would be wonderful!
thanks

- - - Updated - - -

Side note...

I also tried blocking them from the Hardware node.. Im sure they are spoofing IP or something? Im lost atm.

- - - Updated - - -

Oh one more thing.. I raise my max connections these ips will take them all...

 

[kernow]

Check on ESTABLISHED connections instead of all connections, and display the number of connections for each IP

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

And a question for you, are all the connections aimed at just one domain name? is it your hosting domain or a clients domain?