Linux
為什麼 lfd 過早地刪除塊?
正如您在下面摘錄的日誌文件(來自
/var/log/lfd.log
)中看到的那樣,lfd 過早地刪除了它對 IP 施加的臨時塊:Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER] [...] Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed
第一行顯示該 IP 將被封鎖 86400 秒(一天)。然而,大約 11 分鐘後,lfd 刪除了臨時塊。這是怎麼回事?
如果有幫助,相關部分
/etc/csf/regex.custom.pm
是:if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) { return ("Request of xmlrpc.php. None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400"); }
我相信我找到了問題所在。我的猜測是,由於
DENY_TEMP_IP_LIMIT
. 一旦我們的臨時禁止列表中有超過 100 個 IP(我們肯定會這樣做),最舊的 IP 將被輪換,以便為新 IP 騰出空間。