
CSF & Country Code listing

Tracy Perry

Well-known member
#1
Anybody using the country code in their CSF (yes, I'm playing with it now on my Debian install instead of Fail2ban)? Any problems with using stuff like CN and RU causing slowdowns or performance issues, or should I just use the standard monitoring and have the specific ones it detects dropped? The only traffic I get from those two countries is strictly spam related or SSH hack attempts.
 

yavuz

Well-known member
#2
I use the CC_ALLOW_FILTER and added these countries rather than block one. This ensures (so I have read) no connection to other ports will be done.

TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB,AU,MX,AZ,BH,BA,BG,CY,EG,IR,IN,IQ,JO,RO,RS,TM,AE,VN,SA,LB,AL
 

WSWD

Well-known member
#3
Anybody using the country code in their CSF (yes, I'm playing with it now on my Debian install instead of Fail2ban)? Any problems with using stuff like CN and RU causing slowdowns or performance issues...
Yes. That's a HUGE number of IP addresses when you start blocking entire countries, and your server has to process those rules for every single incoming request. Will you notice any slowdown? Just depends. When we start getting a large number of SSH attacks or forum spam or such, we start blocking entire countries until it subsides. It does seem like the server load goes up a bit, but I personally don't notice any slowdown. We're also using really powerful servers. Yours should be fine as well. If you start doing it on a VPS or such, I can see where it has the potential of really slowing things down.
 

Tracy Perry

Well-known member
#4
Yes. That's a HUGE number of IP addresses when you start blocking entire countries, and your server has to process those rules for every single incoming request. Will you notice any slowdown? Just depends. When we start getting a large number of SSH attacks or forum spam or such, we start blocking entire countries until it subsides. It does seem like the server load goes up a bit, but I personally don't notice any slowdown. We're also using really powerful servers. Yours should be fine as well. If you start doing it on a VPS or such, I can see where it has the potential of really slowing things down.
Thanks for the response. That is one of the main reasons I was wanting to do it. I get on average now about 150 SSH attempts every couple of hours, mainly from China. A few from Russia show up here and there. I figured that by completely blocking a country, maybe after a week or two they would go elsewhere and pester somebody else for a while.

Out of curiosity I ran iptables -L after engaging it... and after 5 minutes of watching got tired and cancelled the process. :p
Should have mentioned - this is running (currently) on a dual L5639 - I know not to try it on a VPS.
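For reference, these are the csf.conf settings behind the two approaches in the thread (a deny list as in post #1, an allow filter as in post #2). This excerpt is added here as an example and is not taken from either post; the country codes come from the thread, while the port-limited variant and the ipset setting are the editor's suggestions for what a reader facing the same performance question would want.

```ini
# /etc/csf/csf.conf (excerpt) -- added example, not from the thread.
# Country codes are ISO 3166-1 alpha-2. csf downloads the CIDR lists
# itself and refreshes them every CC_INTERVAL days.

# Drop all incoming traffic from these countries, on every port.
CC_DENY = "CN,RU"

# Narrower alternative: drop these countries only on the listed ports,
# here just SSH, so web traffic from them is unaffected.
CC_DENY_PORTS = "CN,RU"
CC_DENY_PORTS_TCP = "22"
CC_DENY_PORTS_UDP = ""

# The inverse approach from post #2: only listed countries may connect,
# every other country is dropped on every incoming port. Addresses in
# csf.allow still get through. Leave empty to disable.
CC_ALLOW_FILTER = ""

# One iptables rule per CIDR block is what makes country rules expensive
# on every packet. With ipset each country becomes a single rule that
# matches against a hash set (needs the ipset package and kernel support).
LF_IPSET = "1"
```

Apply with `csf -r`. To count what was loaded, use `iptables -S | wc -l` or `iptables -nL`: plain `iptables -L` does a reverse DNS lookup for every address it prints, which is why listing a country block of tens of thousands of CIDRs appears to hang, as in post #4. With `LF_IPSET` on, `ipset list -n` shows the country sets and the iptables chains stay short.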
 

Tracy Perry

Well-known member
#5
I use the CC_ALLOW_FILTER and added these countries rather than block one. This ensures (so I have read) no connection to other ports will be done.

TR,DE,FR,BE,NL,GR,SP,PR,IT,US,CA,GB,AU,MX,AZ,BH,BA,BG,CY,EG,IR,IN,IQ,JO,RO,RS,TM,AE,VN,SA,LB,AL
Thanks. I had seen that but I'm not looking at a permanent solution - just something to use for a few weeks since I'm getting hit so heavy from China/Russia.
 

WSWD

Well-known member
#6
Thanks for the response. That is one of the main reasons I was wanting to do it. I get on average now about 150 SSH attempts every couple of hours, mainly from China. A few from Russia show up here and there. I figured that by completely blocking a country, maybe after a week or two they would go elsewhere and pester somebody else for a while.

Out of curiosity I ran iptables -L after engaging it... and after 5 minutes of watching got tired and cancelled the process. :p
Should have mentioned - this is running (currently) on a dual L5639 - I know not to try it on a VPS.

Yeah...I wouldn't be too worried about it with that server, especially if your site isn't pushing tons of traffic. The problem with doing it for a couple weeks (unfortunately) is that the SSH attacks don't normally attack your specific server. They will normally find an IP range of a host or datacenter, and just go right up the IP range. So blocking the countries temporarily might not have any effect at all. I've found that blocking countries temporarily for forum spam, however, does work really well.
 

Moshe1010

Well-known member
#7
I've blocked China and haven't seen any decrease in performance with my VPS.
About SSH, I just chose a very uncommon port, so I get very few random requests to connect via SSH. It also bans them after x attempts (I think 3) for life.
 

Tracy Perry

Well-known member
#8
I've blocked China and haven't seen any decrease in performance with my VPS.
About SSH, I just chose a very uncommon port, so I get very few random requests to connect via SSH. It also bans them after x attempts (I think 3) for life.
I haven't noticed any impact yet. I left mine at 6 until I can play enough with my netbook/Surface Pro 2/iPad/iPhone access from remote sites. :p
I do use Google Authenticator for logins in addition to keys.
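Posts #7 and #8 describe moving sshd off port 22 and banning an address after a few failed logins. The csf.conf side of that, added here as an example and not taken from either post, with 2222 as an assumed port number:

```ini
# /etc/csf/csf.conf (excerpt) -- added example, not from the thread.

# Open the new sshd port in csf BEFORE restarting sshd on it. The default
# TCP_IN only lists 22, so a port change without this line locks you out
# the moment csf restarts.
TCP_IN = "20,21,2222,25,53,80,110,143,443,465,587,993,995"

# Failed sshd logins from one IP before lfd blocks it
LF_SSHD = "3"
# 1 = block permanently; a value greater than 1 = block for that many seconds
LF_SSHD_PERM = "1"
```

Order of operations: set `Port 2222` in `/etc/ssh/sshd_config`, run `csf -r` so the port is open, then restart sshd while keeping the existing session open and confirming a second connection on the new port works before logging out. Removing 22 from `TCP_IN` afterwards is what actually stops the scanners; an unusual port only reduces the noise.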
 

Tracy Perry

Well-known member
#9
On a related note, anybody got a clue on the UDP related stuff this is doing? UDP flood?

Code:
Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:00 centauri kernel: [139367.701298] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29261 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.808408] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31493 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.850547] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31499 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.887013] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31527 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.924937] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31551 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:07 centauri kernel: [139374.730133] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=32451 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:09 centauri kernel: [139376.749880] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=446 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:11 centauri kernel: [139378.738154] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1174 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
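The lines above are csf's iptables LOG output (the `Firewall: *UDP_IN Blocked*` prefix is what csf puts on packets dropped by its UDP_IN chain). Before calling a burst a flood it is worth reading the fields: `DST=255.255.255.255` with a destination MAC of `ff:ff:ff:ff:ff:ff` is a limited-broadcast datagram that every host on the segment receives, the source MAC's `00:50:56` prefix is a VMware OUI, `TTL=128` is the initial TTL Windows hosts use, and the timestamps give well under one packet per second. The following Python, added here as an example and not code from the post or from csf, parses such lines and summarises them per source. It is fed three of the lines above plus one constructed `TCP_IN` line using documentation-range addresses so that the grouping is visible.

```python
"""Summarise csf/iptables "Firewall: *..._IN Blocked*" kernel log lines per source."""
import re

# Three lines from the post above plus one constructed TCP_IN line (the
# 198.51.100.7 / 203.0.113.10 addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jan 23 19:13:00 centauri kernel: [139367.661252] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=29207 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:05 centauri kernel: [139372.727148] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=31461 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:13 centauri kernel: [139380.720187] Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:87:34:25:08:00 SRC=23.92.83.157 DST=255.255.255.255 LEN=75 TOS=0x00 PREC=0x00 TTL=128 ID=1907 PROTO=UDP SPT=59153 DPT=48887 LEN=55
Jan 23 19:13:14 centauri kernel: [139381.100000] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:50:56:87:aa:bb:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40212 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# kernel uptime in brackets, csf's log prefix, then the netfilter key=value fields
HEADER_RE = re.compile(
    r"\[(?P<uptime>\d+\.\d+)\] Firewall: \*(?P<chain>[A-Z0-9_]+) Blocked\* (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN have no '=' and are skipped
LIMITED_BROADCAST = "255.255.255.255"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_line(line):
    """Return the fields of one csf block line as a dict, or None for any other line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {"uptime": float(m.group("uptime")), "chain": m.group("chain")}
    for key, value in KV_RE.findall(m.group("rest")):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP total length
    # MAC= is dst(6 bytes) : src(6 bytes) : ethertype(2 bytes), all colon separated
    parts = fields.get("MAC", "").split(":")
    if len(parts) == 14:
        fields["dst_mac"] = ":".join(parts[:6])
        fields["src_mac"] = ":".join(parts[6:12])
        fields["ethertype"] = ":".join(parts[12:])
    return fields


def summarize(log_text):
    """Group block lines by SRC and compute count, time span, rate and targets."""
    per_src = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "SRC" not in f:
            continue
        s = per_src.setdefault(f["SRC"], {
            "packets": 0, "first": f["uptime"], "last": f["uptime"],
            "chains": set(), "dports": set(), "dsts": set(), "ttls": set(),
            "src_macs": set(), "broadcast": False,
        })
        s["packets"] += 1
        s["first"] = min(s["first"], f["uptime"])
        s["last"] = max(s["last"], f["uptime"])
        s["chains"].add(f["chain"])
        s["dsts"].add(f.get("DST"))
        if "DPT" in f:
            s["dports"].add(int(f["DPT"]))
        if "TTL" in f:
            s["ttls"].add(int(f["TTL"]))
        if "src_mac" in f:
            s["src_macs"].add(f["src_mac"])
        # a limited-broadcast datagram reaches every host on the segment,
        # so it says nothing about this server being singled out
        if f.get("DST") == LIMITED_BROADCAST or f.get("dst_mac") == BROADCAST_MAC:
            s["broadcast"] = True
    for s in per_src.values():
        span = s["last"] - s["first"]
        s["span_s"] = round(span, 3)
        # a single packet has no span; report it as its own count rather than dividing by zero
        s["pps"] = round(s["packets"] / span, 3) if span > 0 else float(s["packets"])
    return per_src


def describe(per_src):
    """One human-readable line per source, busiest first."""
    out = []
    for src, s in sorted(per_src.items(), key=lambda kv: -kv[1]["packets"]):
        kind = "broadcast (DST 255.255.255.255 / MAC ff:..:ff)" if s["broadcast"] else "unicast to this host"
        out.append(
            f"{src}: {s['packets']} pkt in {s['span_s']}s ({s['pps']} pps), "
            f"chains {sorted(s['chains'])}, dports {sorted(s['dports'])}, "
            f"TTL {sorted(s['ttls'])}, src MAC {sorted(s['src_macs'])}, {kind}"
        )
    return out


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against `/var/log/messages` (or wherever csf's kernel messages land on the box) by passing the file contents to `summarize`; a real flood shows up as hundreds of packets per second to a unicast address, whereas a handful of broadcasts per minute from a neighbour on the same segment is ordinary background traffic on a shared VLAN.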
 

WSWD

Well-known member
#10
On a related note, anybody got a clue on the UDP related stuff this is doing? UDP flood?

That's exactly what it is. Pretty weak one at that...
 

Tracy Perry

Well-known member
#12
Ooooh-boy.... be VERY careful if you install CSF on a ProxMox server and don't have IP KVM access. Just locked EVERYTHING out on it.
Thankfully Daniel Stephens at ServerComplete is hooking up an IP KVM for me to get into it to issue an iptables-restore to my known working iptables list.
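The lockout in post #12 is exactly what csf's TESTING mode exists for. The relevant csf.conf settings, added here as an example and not taken from the post:

```ini
# /etc/csf/csf.conf (excerpt) -- added example, not from the thread.
# While TESTING is on, starting csf installs a cron job that flushes the
# iptables rules every TESTING_INTERVAL minutes, so a rule set that cuts
# off your own SSH session undoes itself. lfd refuses to start while this
# is enabled; set it to "0" and restart csf only once you have confirmed
# you can still get in.
TESTING = "1"
TESTING_INTERVAL = "5"
```

The same safety net without csf: save a known-good rule set with `iptables-save > /root/good.rules`, schedule `iptables-restore < /root/good.rules` a few minutes out (with `at`, or a backgrounded `sleep 300 &&`) before touching the firewall, and cancel the job once a fresh connection succeeds. That is the step that would have avoided waiting on the IP KVM.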
 

WSWD

Well-known member
#13
Ooooh-boy.... be VERY careful if you install CSF on a ProxMox server and don't have IP KVM access. Just locked EVERYTHING out on it.
Thankfully Daniel Stephens at ServerComplete is hooking up an IP KVM for me to get into it to issue an iptables-restore to my known working iptables list.
Oh no!! ha ha ha! That's not good at all.