CSF & Country Code listing

TPerry

TPerry

Well-known member
Anybody using the country code in their CSF (yes, I'm playing with it now on my Debian install instead of Fail2ban)? Any problems with using stuff like CN and RU causing slowdowns or performance issues or just use the standard monitoring and have specific ones detected dropped. Only traffic I get from those to countries are strictly spam related or SSH hack attempts.
 
I use the CC_ALLOW_FILTER and added these countries rather than block one. This ensures (so I have read) no connection ot other ports will be done.

TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB,AU,MX,AZ,BH,BA,BG,CY,EG,IR,IN,IQ,JO,RO,RS,TM,AE,VN,SA,LB,AL
 
Tracy Perry said:
Anybody using the country code in their CSF (yes, I'm playing with it now on my Debian install instead of Fail2ban)? Any problems with using stuff like CN and RU causing slowdowns or performance issues...
Click to expand...

Yes. That's a HUGE number of IP addresses when you start blocking entire countries, and your server has to process those rules for every single incoming request. Will you notice any slowdown? Just depends. When we start getting a large number of SSH attacks or forum spam or such, we start blocking entire countries until it subsides. It does seem like the server load goes up a bit, but I personally don't notice any slowdown. We're also using really powerful servers. Yours should be fine as well. If you start doing it on a VPS or such, I can see where it has the potential of really slowing things down.
 
WSWD said:
Yes. That's a HUGE number of IP addresses when you start blocking entire countries, and your server has to process those rules for every single incoming request. Will you notice any slowdown? Just depends. When we start getting a large number of SSH attacks or forum spam or such, we start blocking entire countries until it subsides. It does seem like the server load goes up a bit, but I personally don't notice any slowdown. We're also using really powerful servers. Yours should be fine as well. If you start doing it on a VPS or such, I can see where it has the potential of really slowing things down.
Click to expand...
Thanks for the response. That is one of the main reasons I was wanting to do it. I get on average now about 150 SSH attempts every couple of hours from mainly China. A few from Russia show up here and now. I figured by complete blocking of a country maybe after a week or two they would go elsewhere and pester somebody for a while.

Out of curiosity I ran iptables -L after engaging it... and after 5 minutes watching got tired and cancelled the process. :p
Should have mentioned - this is running (currently) on a dual L5639 - I know not to try it on a VPS.
 
yavuz said:
I use the CC_ALLOW_FILTER and added these countries rather than block one. This ensures (so I have read) no connection ot other ports will be done.

TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB,AU,MX,AZ,BH,BA,BG,CY,EG,IR,IN,IQ,JO,RO,RS,TM,AE,VN,SA,LB,AL
Click to expand...
Thanks. I had seen that but I'm not looking at a permanent solution - just something to use for a few weeks since I'm getting hit so heavy from China/Russia.
 
Tracy Perry said:
Thanks for the response. That is one of the main reasons I was wanting to do it. I get on average now about 150 SSH attempts every couple of hours from mainly China. A few from Russia show up here and now. I figured by complete blocking of a country maybe after a week or two they would go elsewhere and pester somebody for a while.

Out of curiosity I ran iptables -L after engaging it... and after 5 minutes watching got tired and cancelled the process. :p
Should have mentioned - this is running (currently) on a dual L5639 - I know not to try it on a VPS.
Click to expand...


Yeah...I wouldn't be too worried about it with that server, especially if your site isn't pushing tons of traffic. The problem with doing it for a couple weeks (unfortunately) is that the SSH attacks don't normally attack your specific server. They will normally find an IP range of a host or datacenter, and just go right up the IP range. So blocking the countries temporarily might not have any effect at all. I've found that blocking countries temporarily for forum spam, however, does work really well.
 
I've blocked China and haven't seen any decrease in performance with my VPS.
About the SSH, I just choose a very non-common port, so I have very low random request to connect via SSH. It also bans them after x attempts (I think 3) for life.
 
Moshe1010 said:
I've blocked China and haven't seen any decrease in performance with my VPS.
About the SSH, I just choose a very non-common port, so I have very low random request to connect via SSH. It also bans them after x attempts (I think 3) for life.
Click to expand...
I haven't noticed any impact yet. I left mine at 6 until I can play enough with my netbook/Surface Pro 2/iPad/iPhone access from remote sites. :p
I do use Google Authenticator for logins in addition to keys.
 
On a related note, anybody got a clue on the UDP related stuff this is doing? UDP flood?

Code: 
Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:00 centauri kernel: [139367.701298] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29261 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.808408] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31493 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.850547] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31499 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.887013] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31527 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.924937] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31551 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:07 centauri kernel: [139374.730133] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=32451 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:09 centauri kernel: [139376.749880] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=446 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:11 centauri kernel: [139378.738154] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1174 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
 
Tracy Perry said:
On a related note, anybody got a clue on the UDP related stuff this is doing? UDP flood?

Code: 
Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:00 centauri kernel: [139367.701298] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29261 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.808408] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31493 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.850547] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31499 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.887013] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31527 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.924937] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31551 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:07 centauri kernel: [139374.730133] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=32451 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:09 centauri kernel: [139376.749880] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=446 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:11 centauri kernel: [139378.738154] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1174 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Click to expand...


That's exactly what it is. Pretty weak one at that...
 
Ooooh-boy.... be VERY careful if you install CSF on a ProxMox server and don't have IP KVM access. Just locked EVERYTHING out on it.
Thankfully Daniel Stephens at ServerComplete is hooking up an IP KVM for me to get into it to issue an iptables-restore to my known working iptables list.
 
Tracy Perry said:
Ooooh-boy.... be VERY careful if you install CSF on a ProxMox server and don't have IP KVM access. Just locked EVERYTHING out on it.
Thankfully Daniel Stephens at ServerComplete is hooking up an IP KVM for me to get into it to issue an iptables-restore to my known working iptables list.
Click to expand...

Oh no!! ha ha ha! That's not good at all.
 
You must log in or register to reply here.

Similar threads

VBX Co
Duplicate Emoji flags displaying when inserted in editor - but showing country code on post
Replies
2
Views
302
Old Nick
O
Jesepi
  • Suggestion Suggestion
Lack of interest Block user from registering based on country code
2
Replies
30
Views
5K
GOJA
GOJA
Back
Top Bottom