Nightly ip ban

Discussion in 'Linux VPS/Dedicated - cPanel' started by gameutopia, Jul 24, 2007.

  1. gameutopia

    gameutopia New Member

    Ok I have whm/cpanel, I have apf, ddos deflate, and I believe brute force installed.

    Every night at the exact same time for the last 3 nights I get an automated email from the ddos deflate script that this same ip was banned. Which is odd same ip same time.

    I did add it to apf deny host rules with this command:
    /usr/local/sbin/apf -d "multiple repeat connections"

    I also added it to iptables with the following command:
    iptables -A INPUT -s ip ip.address -j REJECT

    But every night it comes back for like I said the last 3 nights, and happens at 12:18 pm pacific time so I have to wait and see for tonight.

    Anyway since I added it to the deny host rules and iptables it shouldn't have even been allowed to access anything right? or am I missing something?

    Do I have to restart apf after adding a deny rule? or does it take effect right away?

    Any thoughts or suggestions?
  2. Dan

    Dan Moderator

    Howdy Gameutopia,

    No you do not have to restart apf after adding a rule. Only thing I can think of is that you may still have devel_mode set to a 1. If that is the case then all rules would be cleared out every 5 minutes. Check your config file and if it is then set it to a 0. You can also check to make sure that the IP is actually being added by looking at the file /etc/apf/deny_hosts.rules.
  3. gameutopia

    gameutopia New Member

    Thanks Dan,

    I did have the devel_mode set right. After checking the deny_hosts for some reason the banned ip wasn't on the list. Either I didn't enter the right command to ban the ip or something. I was pretty sure I did, but that's what I get for not checking. I'll see what happens tonight now.

    I just thought that it was totally weird to have the same ip making the same amount of conects every night, at the exact same time. Any idea what that would indicate? Some kind of script? Because I find it hard to believe that this person would wait until exactally 12:18 pm every night, no earlier no later.

    Anyway Thanks again
  4. ppc

    ppc Moderator

    If I would to bet you are correct that their is some script on some server executing a brute force at the same time. Probably like a cron which triggers this script on some rogue server to run through a list every night of IP addresses to try to hack into.

    Let us know if adding the "banned ip" worked. If it does, it could simply mean their might be a mistake in the BFD config file.

  5. gameutopia

    gameutopia New Member

    Well it happened again tonight, same ip, same time, same amount of connections and ddos deflate blocked it. I can't figure out why apf isn't preventing it from access to begin with. I added it to apf deny hosts rules. Double checked apf configs. I just don't get it.

    One odd thing was when I look at /etc/apf/deny_hosts.rules later it's like the ip isn't there anymore, and I have to re-add it again. I certainly didn't remove it. My other ones I have added are there yet, and this one was I know for certain this time, but when I checked it again it's gone and I have to re-add it.

    I'm just a little stumped and confused. I'm somewhat of a newbie, but I haven't touched squat other than adding a couple of ips to the deny list.
  6. Dan

    Dan Moderator

    I'm not understanding why APF would remove it from the block list to begin with. Can you post here for us the report that DDoS Deflate sends you?

    More info, APF does an automatic daily restart and flush. But it should not remove IPs from the deny file so far as I know. In /var/log will be your APF log file which is apf_log. Take a look in there and search for that particular IP to see if it shows up and what it says.
  7. gameutopia

    gameutopia New Member

    Every night dos deflate bans this ip and sends me this exact same email, I know it's not a lot of connections but I have dos deflate set pretty low for now.

    Banned the following ip addresses on Thu Jul 26 00:18:38 PDT 2007 with 105 connections

    Banned the following ip addresses on Wed Jul 25 00:18:38 PDT 2007 with 105 connections

    Banned the following ip addresses on Tue Jul 24 00:18:39 PDT 2007 with 105 connections

    Banned the following ip addresses on Mon Jul 23 00:18:38 PDT 2007 with 105 connections

    Banned the following ip addresses on Sun Jul 22 00:18:38 PDT 2007 with 105 connections

    Notice same time, same ip, same number of connections. That is the actual ip by the way.

    Part of apf log:
    Jul 23 00:18:39 host apf(3608): (trust) added deny all to/from
    Jul 23 00:28:40 host apf(16205): {trust} removed deny all to/from
    Jul 23 17:53:18 host apf(10009): (trust) added deny all to/from
    Jul 24 00:28:40 host apf(32429): {trust} removed deny all to/from
    Jul 25 00:18:39 host apf(32196): (trust) added deny all to/from
    Jul 25 00:28:40 host apf(13338): {trust} removed deny all to/from
    Jul 25 15:39:28 host apf(18118): (trust) added deny all to/from
    Jul 26 00:28:42 host apf(17638): {trust} removed deny all to/from
    Jul 26 00:38:28 host apf(18218): (trust) added deny all to/from
    Jul 26 01:34:51 host apf(13594): {trust} deny all to/from

    There is some flushing, zeroing, restarting and other stuff some of which is probably older data. I haven't touched anything but added the ip with the following command:
    /usr/local/sbin/apf -d "nightly connections"

    Also apf is set to:

    So I'm not sure what is up with this. I see the different numbers apf(16205), apf(10009) guessing those are ports?
    Any additional input, suggestions, or help would be great.

  8. Dan

    Dan Moderator

    Hiya Gameutopia,

    With lines like "Jul 23 00:28:40 host apf(16205): {trust} removed deny all to/from" in there it looks to me like the IP in question has been added to a trust file. There are two to take a look at and they are /etc/apf/allow_hosts.rules and /etc/apf/glob_allow.rules.

    Hope that helps!
  9. gameutopia

    gameutopia New Member

    I don't have a clue how this ip got on there, but I found it on

    Which as far as I know of is a list of ips to allow for ddos deflate. However that being the case, dos deflate shouldn't have blocked it to begin with which it did. I did remove it from this list.

    Not sure how it got there to begin with unless I typed the wrong command somehow, and just wasn't paying attention or something.

    The other files and locations you mentioned seemed all ok. I guess I'll have to wait until 12:18 tonight and see what happens.

    I'm going to do a little more checking to see if I can find it anywhere else it shouldn't be.

    Thanks for all the help and suggestions. This one has just bugging the heck out of me.
  10. gameutopia

    gameutopia New Member

    Hate to reply to myself, but as soon as dos deflate bans this ip it gets added to my /usr/local/ddos/ignore.ip.list file. I don't put it there so I guess ddos deflate does or something. Now how do I prevent this or do away with this? Any ideas this is really annoying.

    On a side note, just out of curiousity...I have a cron to update fantastico almost the same time like 1 minute before this. Does anyone happen to know if this ip is associated with fantastico updates? Either way ddos deflate or apf is messed up for me, I'm just curious and wondering if I shouldn't worry about that ip so much, but still want to get to the bottom of the ip ban thing.

  11. Dan

    Dan Moderator

    Sorry Gameutopia, I have no more ideas.

    I ran a tracert on the IP you gave and it resolves to a NOC in Florida. I wouldn't think it had anything to do with Fantastico as if it did it would have resolved to one of their IPs.

    Maybe you can take a look around DOS Deflate's forum to see if there are others there having the same problem.
  12. gameutopia

    gameutopia New Member

    I feel like such an airhead. Simple test, change fantasticos update cron time, and bam...banned ip within 1 minute after the cron runs.

    To make this story short...this ip has to be associated with fantastico. Just didn't think there would be so many connections involved.

    Still it's odd that apf didn't block it to begin with.

    Thanks for all the input and suggestions!!

Share This Page