Why is lfd prematurely removing blocks?

As can be seen in the log extract below (from /var/log/lfd.log), lfd is prematurely removing the temporary blocks it imposes on IPs:

    Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
    [...]
    Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
    Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed

The first line shows that the IP will be blocked for 86400 seconds (one day). However, about 11 minutes later, lfd removes the temporary block. What is going on?

If it helps, the relevant part of /etc/csf/regex.custom.pm is:

    # Match a successful POST to xmlrpc.php in the custom log; $1 captures the client IP.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
        # Return fields: message, offending IP, identifier, trigger count, ports, block duration in seconds.
        return ("Request of xmlrpc.php. None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
    }

I think I have found the problem. My assumption is that the IPs are being rotated out prematurely because of DENY_TEMP_IP_LIMIT. Once we have more than 100 IPs in our temporary ban list (which we definitely do), the oldest IPs are rotated out to make room for new IPs.

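One way to check for this pattern across a whole lfd.log, as an added example and not code from csf or the poster: it pairs each announced temporary block with its removal line, flags those lifted early, and counts how many other temporary blocks were added in between (if that count reaches DENY_TEMP_IP_LIMIT, rotation of the oldest entry is the likely cause). The log excerpt is constructed with TEST-NET addresses.

```python
import re
from datetime import datetime

# Constructed lfd.log excerpt modelled on the lines in the question (TEST-NET addresses, not real data).
SAMPLE_LOG = """\
Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 192.0.2.10 (XX/Example/host-a.example.invalid): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Apr 7 13:10:00 host lfd[7062]: (sshd) Failed SSH login from 192.0.2.11 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* for 600 secs [LF_SSHD]
Apr 7 13:19:35 host lfd[7062]: Incoming IP 192.0.2.10:80 temporary block removed
Apr 7 13:19:35 host lfd[7062]: Incoming IP 192.0.2.10:443 temporary block removed
Apr 7 13:20:01 host lfd[7070]: Incoming IP 192.0.2.11 temporary block removed
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Temporary block announcement: "... <ip> (...): ... *Blocked in csf* for <secs> secs [...]".
# Permanent blocks carry no "for N secs" and are deliberately not matched.
BLOCK_RE = re.compile(SYSLOG_TS + r" \S+ lfd\[\d+\]: .*?" + IPV4 + r" \(.*\*Blocked in csf\* for (?P<secs>\d+) secs")
# Removal line, optionally port-qualified ("<ip>:80") when the block was per-port.
REMOVE_RE = re.compile(SYSLOG_TS + r" \S+ lfd\[\d+\]: Incoming IP " + IPV4 + r"(?::\d+)? temporary block removed")


def parse_ts(ts):
    # Syslog timestamps carry no year; deltas within one log are still correct.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def find_premature_removals(log_text, tolerance=60):
    """Return (ip, announced_secs, actual_secs, blocks_since) for every temporary
    block lifted more than `tolerance` seconds before its announced duration.
    `blocks_since` counts other temp blocks added meanwhile: if it reaches
    DENY_TEMP_IP_LIMIT, rotation of the oldest entry is the likely cause."""
    pending = {}          # ip -> (blocked_at, announced_secs, block_counter at that time)
    block_counter = 0
    findings = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            block_counter += 1
            pending[m["ip"]] = (parse_ts(m["ts"]), int(m["secs"]), block_counter)
            continue
        m = REMOVE_RE.match(line)
        if m and m["ip"] in pending:      # the second per-port line is ignored after pop
            blocked_at, announced, seen = pending.pop(m["ip"])
            actual = int((parse_ts(m["ts"]) - blocked_at).total_seconds())
            if actual + tolerance < announced:
                findings.append((m["ip"], announced, actual, block_counter - seen))
    return findings


if __name__ == "__main__":
    for ip, announced, actual, since in find_premature_removals(SAMPLE_LOG):
        print(f"{ip}: announced {announced}s, removed after {actual}s, {since} temp block(s) added meanwhile")
```

Run it against the real file with `find_premature_removals(open("/var/log/lfd.log").read())`; the sshd entry in the sample is lifted on time and is correctly not reported.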