Linux

Why does lfd remove blocks prematurely?

  • April 8, 2016

As you can see in the excerpt from the log file below (from /var/log/lfd.log), lfd removed the temporary block it had placed on an IP prematurely:

Apr  7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php.  None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
[...]
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed

The first line shows that the IP was to be blocked for 86400 seconds (one day). However, about 11 minutes later, lfd removed the temporary block. What is going on?

If it helps, the relevant section of /etc/csf/regex.custom.pm is:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
   return ("Request of xmlrpc.php.  None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
}

I believe I found the problem. My guess is that it is due to DENY_TEMP_IP_LIMIT. Once there are more than 100 IPs in our temporary ban list (which we certainly will have), the oldest IPs are rotated out to make room for new ones.

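The following is an added illustration, not part of the original post and not csf's own code. It models the two pieces involved: the asker's custom trigger regex, ported from Perl to Python and run over constructed access-log lines, and a capped temporary ban list that drops its oldest entry when full, which is how DENY_TEMP_IP_LIMIT is documented to behave. The victim IP is the one from the log above; the other offender addresses, the rate of one new offender every 7 seconds and their 3600-second ban length are assumptions chosen to reproduce an eviction roughly 11 minutes after the block, with most of its 86400 seconds still unused.

```python
import re
from collections import OrderedDict

# Python port of the asker's Perl pattern from /etc/csf/regex.custom.pm.
# Perl's unescaped `]` and `\/` are a literal `]` and `/` here as well.
XMLRPC_RE = re.compile(r'(\S+).*\] "POST /xmlrpc\.php.*" 200')

# Constructed Apache-style access log lines (not taken from the original post).
SAMPLE_LINES = [
    '92.255.223.83 - - [07/Apr/2016:13:07:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Apr/2016:13:08:01 +0000] "GET /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.47"',
    '198.51.100.9 - - [07/Apr/2016:13:08:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests"',
]


def match_xmlrpc(line):
    """Return the offending IP (the Perl $1) if the line trips the trigger, else None."""
    m = XMLRPC_RE.search(line)
    return m.group(1) if m else None


class TempBanList:
    """Capped temporary ban list: when a new entry pushes it past `limit`,
    the oldest entry is dropped no matter how much of its ban time is left.
    This models the documented DENY_TEMP_IP_LIMIT behaviour; it is not csf code."""

    def __init__(self, limit):
        self.limit = limit
        self.entries = OrderedDict()  # ip -> (blocked_at, expires_at); insertion order = age
        self.evicted = []             # (ip, evicted_at, seconds_of_ban_lost)

    def block(self, ip, now, ttl):
        if ip in self.entries:
            self.entries.move_to_end(ip)  # a re-triggered IP becomes the newest entry
        self.entries[ip] = (now, now + ttl)
        while len(self.entries) > self.limit:
            old_ip, (_, expires_at) = self.entries.popitem(last=False)
            self.evicted.append((old_ip, now, expires_at - now))

    def expire(self, now):
        """Normal expiry: drop entries whose ban time has actually elapsed."""
        for ip, (_, expires_at) in list(self.entries.items()):
            if expires_at <= now:
                del self.entries[ip]


def seconds_until_rotated(limit, victim="92.255.223.83", victim_ttl=86400,
                          newcomers=100, interval=7, newcomer_ttl=3600):
    """Block `victim` at t=0, then add one new offender every `interval` seconds.
    Returns the time at which the victim's block was rotated out, or None if it survived."""
    bans = TempBanList(limit)
    bans.block(victim, 0, victim_ttl)
    for i in range(newcomers):
        now = (i + 1) * interval
        bans.expire(now)
        # Hypothetical other offenders, one per interval.
        bans.block(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", now, newcomer_ttl)
        if victim not in bans.entries:
            return now
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("%-16s <- %s" % (match_xmlrpc(line), line[:60]))
    for limit in (100, 1000):
        t = seconds_until_rotated(limit)
        when = "%d s" % t if t is not None else "never"
        print("DENY_TEMP_IP_LIMIT=%d: victim rotated out after %s" % (limit, when))
```

With the default-sized list of 100 the victim is evicted after limit × interval = 700 seconds, close to the 11 minutes in the log, while a list of 1000 keeps it for the full day. The value in force can be checked with `grep -E '^DENY(_TEMP)?_IP_LIMIT' /etc/csf/csf.conf`; raising it also raises the number of firewall rules lfd maintains, so a trigger that fires on every xmlrpc.php POST may still need a higher limit or a shorter ban to avoid churning entries.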

Source: https://serverfault.com/questions/768881