<?xml version="1.0"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>Transition Technology: Ticket #544: CSF / LDF false positive blocks on Puffin</title>
    <link>http://localhost:8080/trac/ticket/544</link>
    <description>&lt;p&gt;
Ticket to keep track of CSF / LDF issues on Puffin, see &lt;a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer#CSFLDF"&gt;wiki:PuffinServer#CSFLDF&lt;/a&gt;
&lt;/p&gt;
</description>
    <language>en-us</language>
    <image>
      <title>Transition Technology</title>
      <url>/trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg</url>
      <link>http://localhost:8080/trac/ticket/544</link>
    </image>
    <generator>Trac 0.12.5</generator>
    <item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Sat, 04 May 2013 11:04:45 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/544#comment:1</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:1</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.25&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.25&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
Our server that monitors whether puffin is up or down was blocked:
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -g 81.95.52.66
Chain            num   pkts bytes target     prot opt in     out     source               destination
DENYIN           99     247 19164 DROP       all  --  !lo    *       81.95.52.66          0.0.0.0/0
DENYOUT          99       0     0 DROP       all  --  *      !lo     0.0.0.0/0            81.95.52.66
csf.deny: 81.95.52.66 # lfd: (sshd) Failed SSH login from 81.95.52.66 (GB/United Kingdom/nsa.rat.burntout.org): 5 in the last 300 secs - Fri May  3 21:30:38 2013
&lt;/pre&gt;&lt;p&gt;
I have unblocked it:
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -dr 81.95.52.66
Removing rule...
DROP  all opt -- in !lo out *  81.95.52.66  -&amp;gt; 0.0.0.0/0
DROP  all opt -- in * out !lo  0.0.0.0/0  -&amp;gt; 81.95.52.66
&lt;/pre&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>ed</dc:creator>

      <pubDate>Thu, 09 May 2013 09:41:01 GMT</pubDate>
      <title>milestone set</title>
      <link>http://localhost:8080/trac/ticket/544#comment:2</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:2</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;milestone&lt;/strong&gt;
                set to &lt;em&gt;Maintenance&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Fri, 24 May 2013 10:21:35 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/544#comment:3</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:3</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.15&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.25&lt;/em&gt; to &lt;em&gt;0.4&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
Our monitoring server was blocked again:
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -g 81.95.52.66
  Chain            num   pkts bytes target     prot opt in     out     source               destination
  DENYIN           95      50  3768 DROP       all  --  !lo    *       81.95.52.66          0.0.0.0/0
  DENYOUT          95       0     0 DROP       all  --  *      !lo     0.0.0.0/0            81.95.52.66
  csf.deny: 81.95.52.66 # lfd: (sshd) Failed SSH login from 81.95.52.66 (GB/United Kingdom/nsa.rat.burntout.org): 5 in the last 300 secs - Thu May 23 12:43:04 2013
&lt;/pre&gt;&lt;p&gt;
So I have unblocked it again:
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -dr 81.95.52.66
  Removing rule...
  DROP  all opt -- in !lo out *  81.95.52.66  -&amp;gt; 0.0.0.0/0
  DROP  all opt -- in * out !lo  0.0.0.0/0  -&amp;gt; 81.95.52.66
csf -g 81.95.52.66
  Chain            num   pkts bytes target     prot opt in     out     source               destination
  No matches found for 81.95.52.66 in iptables
&lt;/pre&gt;&lt;p&gt;
I need to work out how to permanently whitelist this server.
&lt;/p&gt;
&lt;p&gt;
I have added a link from &lt;a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer#CSFLDF"&gt;wiki:PuffinServer#CSFLDF&lt;/a&gt; to this ticket.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Wed, 07 Aug 2013 10:14:10 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/544#comment:4</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:4</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.25&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.4&lt;/em&gt; to &lt;em&gt;0.65&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
The firewall blocking the webarch monitoring server has been an ongoing issue resulting in lots of false positive emails; following the notes here: &lt;a class="ext-link" href="http://hostinghints.co.uk/2012/05/notes-on-csf-and-lfd-whitelisting-and-blacklisting/"&gt;http://hostinghints.co.uk/2012/05/notes-on-csf-and-lfd-whitelisting-and-blacklisting/&lt;/a&gt;
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -a 81.95.52.66
  Adding 81.95.52.66 to csf.allow and iptables ACCEPT...
  ACCEPT  all opt -- in !lo out *  81.95.52.66  -&amp;gt; 0.0.0.0/0
  ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -&amp;gt; 81.95.52.66
csf -g 81.95.52.66
  Chain            num   pkts bytes target     prot opt in     out     source           destination
  ALLOWIN          1        5   387 ACCEPT     all  --  !lo    *       81.95.52.66          0.0.0.0/0
  ALLOWOUT         1        4   908 ACCEPT     all  --  *      !lo     0.0.0.0/0            81.95.52.66
&lt;/pre&gt;&lt;p&gt;
&lt;tt&gt;/etc/csf/csf.conf&lt;/tt&gt; already had &lt;tt&gt;IGNORE_ALLOW = "0"&lt;/tt&gt;.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Fri, 15 Nov 2013 13:28:29 GMT</pubDate>
      <title>hours, status, totalhours changed; resolution set</title>
      <link>http://localhost:8080/trac/ticket/544#comment:5</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:5</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.1&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;status&lt;/strong&gt;
                changed from &lt;em&gt;new&lt;/em&gt; to &lt;em&gt;closed&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;resolution&lt;/strong&gt;
                set to &lt;em&gt;fixed&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.65&lt;/em&gt; to &lt;em&gt;0.75&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
We have this in &lt;tt&gt;/root/.barracuda.cnf&lt;/tt&gt; to ensure that the variables we change are not clobbered by BOA:
&lt;/p&gt;
&lt;pre class="wiki"&gt;_CUSTOM_CONFIG_CSF=YES
&lt;/pre&gt;&lt;p&gt;
This has been added to &lt;a class="wiki" href="http://localhost:8080/trac/wiki/PuffinServer#CSFLDF"&gt;wiki:PuffinServer#CSFLDF&lt;/a&gt; so now closing this ticket.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item><item>
      
        <dc:creator>chris</dc:creator>

      <pubDate>Thu, 16 Jan 2014 13:45:17 GMT</pubDate>
      <title>hours, totalhours changed</title>
      <link>http://localhost:8080/trac/ticket/544#comment:6</link>
      <guid isPermaLink="false">http://localhost:8080/trac/ticket/544#comment:6</guid>
      <description>
          &lt;ul&gt;
            &lt;li&gt;&lt;strong&gt;hours&lt;/strong&gt;
                changed from &lt;em&gt;0.0&lt;/em&gt; to &lt;em&gt;0.17&lt;/em&gt;
            &lt;/li&gt;
            &lt;li&gt;&lt;strong&gt;totalhours&lt;/strong&gt;
                changed from &lt;em&gt;0.75&lt;/em&gt; to &lt;em&gt;0.92&lt;/em&gt;
            &lt;/li&gt;
          &lt;/ul&gt;
        &lt;p&gt;
The CSF firewall tried to block the Webarchitects monitoring server again:
&lt;/p&gt;
&lt;pre class="wiki"&gt;From: root@puffin.webarch.net
Date: Thu, 16 Jan 2014 13:16:50 +0000 (GMT)
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: blocked 81.95.52.66 (GB/United Kingdom/nsa.rat.burntout.org)
Time:     Thu Jan 16 13:16:50 2014 +0000
IP:       81.95.52.66 (GB/United Kingdom/nsa.rat.burntout.org)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block (IP match in csf.allow, block may not work)
Log entries:
Jan 16 13:08:18 puffin sshd[19375]: Did not receive identification string from 81.95.52.66
Jan 16 13:09:33 puffin sshd[19440]: Did not receive identification string from 81.95.52.66
Jan 16 13:11:15 puffin sshd[19522]: Did not receive identification string from 81.95.52.66
Jan 16 13:12:32 puffin sshd[19580]: Did not receive identification string from 81.95.52.66
Jan 16 13:16:13 puffin sshd[20671]: Did not receive identification string from 81.95.52.66
&lt;/pre&gt;&lt;p&gt;
This happened at the same time as a load spike:
&lt;/p&gt;
&lt;pre class="wiki"&gt;From: root@puffin.webarch.net
Date: Thu, 16 Jan 2014 13:16:55 +0000 (GMT)
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: High 5 minute load average alert - 73.53
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.2K --]
Time:                    Thu Jan 16 13:16:55 2014 +0000
1 Min Load Avg:          59.08
5 Min Load Avg:          73.53
15 Min Load Avg:         41.10
Running/Total Processes: 5/430
&lt;/pre&gt;&lt;p&gt;
The block doesn't appear to have actually been added:
&lt;/p&gt;
&lt;pre class="wiki"&gt;csf -g 81.95.52.66
Chain            num   pkts bytes target     prot opt in     out     source               destination
ALLOWIN          1       48  3220 ACCEPT     all  --  !lo    *       81.95.52.66          0.0.0.0/0
ALLOWOUT         1       36  8708 ACCEPT     all  --  *      !lo     0.0.0.0/0            81.95.52.66
&lt;/pre&gt;&lt;p&gt;
So I don't think there is anything to do here apart from noting what happened.
&lt;/p&gt;
      </description>
      <category>Ticket</category>
    </item>
 </channel>
</rss>