
CSF & Country Code listing

Discussion in 'Server Configuration and Hosting' started by Tracy Perry, Jan 23, 2014.

  1. Tracy Perry

    Tracy Perry Well-Known Member

    Anybody using the country code in their CSF (yes, I'm playing with it now on my Debian install instead of Fail2ban)? Any problems with using stuff like CN and RU causing slowdowns or performance issues, or just use the standard monitoring and have specific ones detected and dropped? The only traffic I get from those two countries is strictly spam related or SSH hack attempts.
     
  2. yavuz

    yavuz Well-Known Member

    I use the CC_ALLOW_FILTER and added these countries rather than blocking one. This ensures (so I have read) that no connection to other ports will be made.

    TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB,AU,MX,AZ,BH,BA,BG,CY,EG,IR,IN,IQ,JO,RO,RS,TM,AE,VN,SA,LB,AL
     
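The two settings discussed in the posts above, as an added example that is not part of the thread and not ConfigServer's code: a small POSIX shell helper that writes CC_DENY (drop the listed countries) or CC_ALLOW_FILTER (admit only the listed countries) into a csf.conf-style file, and refuses a list containing anything that is not an ISO 3166-1 alpha-2 code, which is the form CSF's country lookups use. Run against the list in the post above it flags SP (Spain is ES). The file it edits is a constructed stand-in in a temp directory; CC_DENY, CC_ALLOW_FILTER, LF_IPSET and TCP_IN are real csf.conf keys.

```shell
#!/bin/sh
# Added example (not ConfigServer's code): edit the country-code keys of a
# csf.conf-style file and refuse lists with codes CSF cannot look up.
# The sample file written by demo() is constructed for this example.

# ISO 3166-1 alpha-2 codes, the form CSF's country lookups use.
ISO_CC="AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ \
CA CC CD CF CG CH CI CK CL CM CN CO CR CU CV CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR \
GA GB GD GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL IM IN IO IQ IR IS IT JE JM JO JP \
KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT \
MU MV MW MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW \
SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ \
UA UG UM US UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW"

# csf_get FILE KEY  -> print the value of a line of the form  KEY = "value"
csf_get() { sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"; }

# csf_set FILE KEY VALUE  -> rewrite that line in place
csf_set() {
    sed "s|^$2 = \".*\"|$2 = \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# cc_invalid LIST -> print the codes in the comma-separated LIST that are not ISO codes
cc_invalid() {
    bad=""
    for cc in $(printf '%s' "$1" | tr ',' ' '); do
        case " $ISO_CC " in
            *" $cc "*) ;;
            *) bad="$bad $cc" ;;
        esac
    done
    printf '%s\n' "${bad# }"
}

# cc_apply FILE MODE LIST
#   deny      -> CC_DENY: drop all traffic from the listed countries
#   allowonly -> CC_ALLOW_FILTER: only the listed countries may reach the open ports
# Leaves FILE untouched and returns 1 if LIST contains an unknown code.
cc_apply() {
    bad=$(cc_invalid "$3")
    if [ -n "$bad" ]; then
        printf 'not writing %s: unknown country code(s): %s\n' "$2" "$bad" >&2
        return 1
    fi
    case "$2" in
        deny)      csf_set "$1" CC_DENY "$3" ;;
        allowonly) csf_set "$1" CC_ALLOW_FILTER "$3" ;;
        *) printf 'mode must be deny or allowonly\n' >&2; return 2 ;;
    esac
}

demo() {
    tmp=$(mktemp)
    # constructed stand-in for /etc/csf/csf.conf
    cat > "$tmp" <<'EOF'
TESTING = "0"
TCP_IN = "22,80,443"
CC_DENY = ""
CC_ALLOW_FILTER = ""
LF_IPSET = "0"
EOF
    cc_apply "$tmp" deny "CN,RU"
    # Whole-country lists are thousands of networks; with ipset installed let
    # CSF load them into a kernel set instead of one iptables rule per network.
    command -v ipset >/dev/null 2>&1 && csf_set "$tmp" LF_IPSET 1
    printf 'CC_DENY=%s LF_IPSET=%s\n' "$(csf_get "$tmp" CC_DENY)" "$(csf_get "$tmp" LF_IPSET)"
    # the list from the post above: SP is not an ISO code, so this is refused
    cc_apply "$tmp" allowonly "TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB" || true
    rm -f "$tmp"
}
demo
```

After `csf -r` has loaded a country list, see what you created with `iptables -S | wc -l`, and list rules with `iptables -L -n`: without `-n`, iptables reverse-resolves every address in every rule, which is why a plain `iptables -L` over a country block looks as if it has hung. With ipset installed, LF_IPSET = "1" keeps the country networks in kernel sets instead of a linear chain of rules, which removes most of the per-packet cost behind the performance worry in this thread.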
  3. WSWD

    WSWD Well-Known Member

    Yes. That's a HUGE number of IP addresses when you start blocking entire countries, and your server has to process those rules for every single incoming request. Will you notice any slowdown? Just depends. When we start getting a large number of SSH attacks or forum spam or such, we start blocking entire countries until it subsides. It does seem like the server load goes up a bit, but I personally don't notice any slowdown. We're also using really powerful servers. Yours should be fine as well. If you start doing it on a VPS or such, I can see where it has the potential of really slowing things down.
     
  4. Tracy Perry

    Tracy Perry Well-Known Member

    Thanks for the response. That is one of the main reasons I was wanting to do it. I get on average now about 150 SSH attempts every couple of hours, mainly from China. A few from Russia show up now and then. I figured that by completely blocking a country, maybe after a week or two they would go elsewhere and pester somebody else for a while.

    Out of curiosity I ran iptables -L after engaging it... and after 5 minutes watching got tired and cancelled the process. :p
    Should have mentioned - this is running (currently) on a dual L5639 - I know not to try it on a VPS.
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Thanks. I had seen that but I'm not looking at a permanent solution - just something to use for a few weeks since I'm getting hit so heavy from China/Russia.
     
  6. WSWD

    WSWD Well-Known Member


    Yeah...I wouldn't be too worried about it with that server, especially if your site isn't pushing tons of traffic. The problem with doing it for a couple weeks (unfortunately) is that the SSH attacks don't normally attack your specific server. They will normally find an IP range of a host or datacenter, and just go right up the IP range. So blocking the countries temporarily might not have any effect at all. I've found that blocking countries temporarily for forum spam, however, does work really well.
     
  7. Moshe1010

    Moshe1010 Well-Known Member

    I've blocked China and haven't seen any decrease in performance with my VPS.
    About the SSH, I just chose a very uncommon port, so I get very few random requests to connect via SSH. It also bans them after x attempts (I think 3) for life.
     
  8. Tracy Perry

    Tracy Perry Well-Known Member

    I haven't noticed any impact yet. I left mine at 6 until I can play enough with my netbook/Surface Pro 2/iPad/iPhone access from remote sites. :p
    I do use Google Authenticator for logins in addition to keys.
     
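The two pieces of SSH hardening mentioned in the last few posts (a non-standard port, and LFD banning an address for good after a few failures) together with the check that belongs with them, as an added example that is neither the thread's nor ConfigServer's code: moving sshd to a new port is only safe if that port is already open in CSF's TCP_IN, otherwise the sshd restart is the lockout. The helper refuses in that case; otherwise it rewrites the Port line and sets LF_SSHD = "3" and LF_SSHD_PERM = "1" (both real csf.conf keys). The csf.conf and sshd_config it edits are constructed stand-ins in a temp directory; the keys-plus-Google-Authenticator login is PAM configuration and is not covered here.

```shell
#!/bin/sh
# Added example (not ConfigServer's code): move sshd to another port and have
# LFD block an address permanently after 3 failed logins, but refuse to touch
# sshd_config unless the new port is already open in CSF's TCP_IN.
# The files used by demo() are constructed stand-ins.

csf_get() { sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"; }
csf_set() { sed "s|^$2 = \".*\"|$2 = \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# port_allowed CSF_CONF PORT -> 0 if PORT is covered by TCP_IN (single ports or lo:hi ranges)
port_allowed() {
    for item in $(csf_get "$1" TCP_IN | tr ',' ' '); do
        case "$item" in
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$item" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# ssh_harden CSF_CONF SSHD_CONF PORT
ssh_harden() {
    if ! port_allowed "$1" "$3"; then
        printf 'port %s is not in TCP_IN: open it in csf.conf and run csf -r before moving sshd, or the restart locks you out\n' "$3" >&2
        return 1
    fi
    # replace an active or commented-out Port line; append one if there is none
    sed "s|^#*Port .*|Port $3|" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    grep -q "^Port $3\$" "$2" || printf 'Port %s\n' "$3" >> "$2"
    csf_set "$1" LF_SSHD 3        # failed logins before LFD blocks the address
    csf_set "$1" LF_SSHD_PERM 1   # 1 = permanent block; a number of seconds makes it temporary
}

demo() {
    d=$(mktemp -d)
    # constructed stand-ins for /etc/csf/csf.conf and /etc/ssh/sshd_config
    printf 'TCP_IN = "22,80,443,30000:35000"\nLF_SSHD = "5"\nLF_SSHD_PERM = "1"\n' > "$d/csf.conf"
    printf '#Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config"
    ssh_harden "$d/csf.conf" "$d/sshd_config" 2222 || echo "2222 refused: not in TCP_IN"
    ssh_harden "$d/csf.conf" "$d/sshd_config" 32022 && grep '^Port' "$d/sshd_config"
    rm -rf "$d"
}
demo
```

On a live host the order is: add the port to TCP_IN and `csf -r`, run the helper against the real files, restart sshd, and log in on the new port from a second terminal before you remove 22 from TCP_IN.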
  9. Tracy Perry

    Tracy Perry Well-Known Member

    On a related note, anybody got a clue on the UDP related stuff this is doing? UDP flood?

    Code:
    Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:00 centauri kernel: [139367.701298] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29261 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:05 centauri kernel: [139372.808408] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31493 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:05 centauri kernel: [139372.850547] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31499 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:05 centauri kernel: [139372.887013] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31527 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:05 centauri kernel: [139372.924937] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31551 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:07 centauri kernel: [139374.730133] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=32451 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:09 centauri kernel: [139376.749880] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=446 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:11 centauri kernel: [139378.738154] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1174 PROTO=UDP SPT=59153 DPT=48887 LEN=55
    Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
     
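To get a number out of lines like these before deciding what they are, here is an added example (not from the thread, not ConfigServer's code): a shell function that groups CSF's `UDP_IN Blocked` kernel log lines by source, destination and destination port and reports the count and the time span. The eleven lines from the post above are embedded as sample input. For this sample the result is one line: 11 packets in 13 seconds from one source to 255.255.255.255 on port 48887. A destination of 255.255.255.255 with a destination MAC of ff:ff:ff:ff:ff:ff is a limited broadcast, which is never routed and only reaches hosts on the same layer-2 segment, so these were sent on the server's own network segment; CSF dropping them is the right outcome, and the count and span are what to look at before calling a burst a flood.

```shell
#!/bin/sh
# Added example (not ConfigServer's code): summarise "UDP_IN Blocked" kernel
# log lines from CSF by source, destination and port, with count and time span.

# udp_blocked_summary < LOGFILE
# One line per SRC/DST/DPT:  SRC DST DPT COUNT FIRST LAST SPAN_SECONDS [broadcast]
# (span is computed from the HH:MM:SS timestamp, so bursts crossing midnight need care)
udp_blocked_summary() {
    awk '
    function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    /UDP_IN Blocked/ {
        src = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = src " " dst " " dpt
        n[key]++
        if (!(key in first)) first[key] = $3   # $3 is the syslog HH:MM:SS timestamp
        last[key] = $3
    }
    END {
        for (k in n) {
            tag = (k ~ / 255\.255\.255\.255 /) ? " broadcast" : ""
            print k, n[k], first[k], last[k], secs(last[k]) - secs(first[k]) tag
        }
    }' | sort
}

# The eleven lines from the post above, used here as sample input.
sample_log() {
cat <<'EOF'
Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:00 centauri kernel: [139367.701298] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29261 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.808408] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31493 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.850547] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31499 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.887013] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31527 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.924937] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31551 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:07 centauri kernel: [139374.730133] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=32451 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:09 centauri kernel: [139376.749880] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=446 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:11 centauri kernel: [139378.738154] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1174 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
EOF
}

sample_log | udp_blocked_summary
```

On a real host, feed it the kernel log (`udp_blocked_summary < /var/log/messages` or `/var/log/kern.log`, depending on the distribution); sources that show up with many packets per second to a unicast DST and a port you actually serve are the ones worth a temporary `csf -td`.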
  10. WSWD

    WSWD Well-Known Member


    That's exactly what it is. Pretty weak one at that...
     
  11. Tracy Perry

    Tracy Perry Well-Known Member

    Kinda figured... that was just one of the IPs that was sending it. All resolve back to gametalk.com.br.
     
  12. Tracy Perry

    Tracy Perry Well-Known Member

    Ooooh-boy.... be VERY careful if you install CSF on a ProxMox server and don't have IP KVM access. Just locked EVERYTHING out on it.
    Thankfully Daniel Stephens at ServerComplete is hooking up an IP KVM for me to get into it to issue an iptables-restore to my known working iptables list.
     
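A way to avoid exactly this lockout on a host you cannot reach over IP-KVM, as an added example that is not part of the thread and not ConfigServer's code: a dead-man switch that snapshots the live ruleset with iptables-save, starts a timer that restores it, and is disarmed only once a new SSH session succeeds after the change. CSF ships its own version of this: with TESTING = "1" in csf.conf (the default on a fresh install) a cron job flushes the firewall every TESTING_INTERVAL minutes, and lfd will not start until you set it back to "0", so leave it on until you have confirmed you can still get in. The functions below default to iptables-save and iptables-restore; demo() swaps in stand-in commands so it runs without root, and its file names are made up.

```shell
#!/bin/sh
# Added example (not ConfigServer's code): a dead-man switch for firewall
# changes on a host without out-of-band access. Snapshot the ruleset, start a
# timer that restores it, make the change, and disarm the timer only after a
# fresh login has succeeded. DM_SAVE/DM_RESTORE default to iptables-save and
# iptables-restore and can be pointed at other commands (demo() does that).

DM_SAVE=${DM_SAVE:-iptables-save}
DM_RESTORE=${DM_RESTORE:-iptables-restore}

# deadman_arm BACKUP SECONDS: save the live ruleset to BACKUP and schedule its
# restore in SECONDS. The timer ignores SIGHUP so it survives the SSH session dying.
deadman_arm() {
    $DM_SAVE > "$1" || return 1
    ( trap '' HUP; sleep "$2"; $DM_RESTORE < "$1"; rm -f "$1.pid" ) &
    printf '%s\n' "$!" > "$1.pid"
}

# deadman_disarm BACKUP: cancel the pending restore. Call this only from a
# NEW session opened after the change, never from the one you changed it in.
deadman_disarm() {
    kill "$(cat "$1.pid")" 2>/dev/null && rm -f "$1.pid"
}

# Typical use on the host (as root):
#   deadman_arm /root/iptables.good 300
#   csf -r                         # or any other ruleset change
#   ... open a new ssh session and confirm it works ...
#   deadman_disarm /root/iptables.good

# Demonstration with stand-in commands (no root needed): the first timer is
# disarmed in time, the second fires and "restores" the constructed snapshot.
demo() (
    d=$(mktemp -d)
    fake_save()    { echo "-A INPUT -p tcp --dport 22 -j ACCEPT"; }
    fake_restore() { cat > "$d/restored"; }
    DM_SAVE=fake_save; DM_RESTORE=fake_restore
    deadman_arm "$d/snap" 3 && deadman_disarm "$d/snap" && echo "disarmed in time, nothing restored"
    deadman_arm "$d/snap" 1; sleep 2
    [ -f "$d/restored" ] && echo "timer fired, ruleset restored to: $(cat "$d/restored")"
    rm -rf "$d"
)
demo
```

The order matters: arm first, then change the firewall, then test with a brand-new connection, and only then disarm. If the change has cut you off, the timer puts the saved ruleset back without any help from the datacenter.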
  13. WSWD

    WSWD Well-Known Member

    Oh no!! ha ha ha! That's not good at all.
     
