正如你在下面摘录的日志文件中看到的那样(来自/var/log/lfd.log),lfd 过早地删除了它对 IP 施加的临时阻止:
Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
[...]
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed
第一行显示该 IP 将被封禁 86400 秒(一天)。但是,大约 11 分钟后,lfd 解除了临时封禁。这是怎么回事?
如果有帮助的话,相关部分/etc/csf/regex.custom.pm是:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
return ("Request of xmlrpc.php. None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
}
答案1
我认为我已经找到问题所在。我猜是因为 导致 IP 被过早轮换DENY_TEMP_IP_LIMIT。一旦我们的临时封禁列表中的 IP 超过 100 个(我们肯定会有),最老的 IP 将被轮换,以便为新 IP 腾出空间。
