为什么 lfd 会过早地移除块?

As you can see in the log excerpt below (from /var/log/lfd.log), lfd removed the temporary block it had placed on an IP far too early:

Apr  7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php.  None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
[...]
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed

The first line says the IP is to be blocked for 86400 seconds (one day). Yet about 11 minutes later lfd lifts the temporary block. What is going on here?

In case it helps, the relevant section of /etc/csf/regex.custom.pm is:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
    return ("Request of xmlrpc.php.  None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
}

Answer 1

I think I've found the problem. My guess is that DENY_TEMP_IP_LIMIT is causing the IP to be rotated out early. Once there are more than 100 IPs in our temporary block list (which there certainly will be), the oldest IPs get rotated out to make room for new ones.

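The following is an added example, not code from the question, the answer or the csf project. It does two things: it scans an lfd.log excerpt for temporary blocks that were removed before their requested duration elapsed (the symptom in the question), and it models a bounded temporary-deny list in which a new block evicts the oldest entry once the list is full, which is the DENY_TEMP_IP_LIMIT behaviour the answer describes. The sample log is constructed: it reuses the two events from the question and adds one block (203.0.113.7) that ran its full 3600 seconds so the checker has a negative case. The log lines carry no year, so an assumed year is supplied only to make timestamp arithmetic possible; the eviction model is a simplification of the answer's description, not csf's own code.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/lfd.log lines: the two events from the question
# plus one block that was kept for its full duration (negative case).
SAMPLE_LOG = """\
Apr  7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php.  None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Apr  7 13:08:10 host lfd[32117]: (sshd) Failed SSH login from 203.0.113.7 (XX/-/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed
Apr  7 14:08:10 host lfd[7062]: Incoming IP 203.0.113.7 temporary block removed
"""

TS = r'(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2})'
IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# "... <ip> ...: N in the last M secs - *Blocked in csf* for S secs [TRIGGER]"
BLOCK_RE = re.compile(TS + r' \S+ lfd\[\d+\]: .*?' + IP +
                      r'.*\*Blocked in csf\* for (?P<secs>\d+) secs')
# "Incoming IP <ip>[:port] temporary block removed"
REMOVE_RE = re.compile(TS + r' \S+ lfd\[\d+\]: Incoming IP ' + IP +
                       r'(?::\d+)? temporary block removed')


def parse_ts(ts, year):
    """syslog timestamps have no year; the caller supplies an assumed one."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def premature_removals(log_text, year=2023):
    """Return (ip, requested_secs, actual_secs) for every temporary block whose
    removal was logged before the requested duration had elapsed."""
    pending = {}   # ip -> (blocked_at, requested_secs)
    findings = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            pending[m['ip']] = (parse_ts(m['ts'], year), int(m['secs']))
            continue
        m = REMOVE_RE.match(line)
        # A block on several ports is logged as one removal per port; the first
        # removal settles the IP, the rest are ignored.
        if m and m['ip'] in pending:
            blocked_at, requested = pending.pop(m['ip'])
            actual = int((parse_ts(m['ts'], year) - blocked_at).total_seconds())
            if actual < requested:
                findings.append((m['ip'], requested, actual))
    return findings


def simulate_temp_deny(events, limit):
    """Model (assumption, following the answer) of a temp-deny list capped at
    `limit` entries: a new block added to a full list evicts the oldest entry
    regardless of how much of its duration is left.
    events: list of (time, ip, secs) in arrival order, times in seconds.
    Returns (ip, evicted_at, remaining_secs) for each early eviction."""
    active = []    # oldest first: (ip, expires_at)
    evicted = []
    for t, ip, secs in events:
        active = [(i, exp) for i, exp in active if exp > t]   # natural expiry
        if len(active) >= limit:
            old_ip, old_exp = active.pop(0)
            evicted.append((old_ip, t, old_exp - t))
        active.append((ip, t + secs))
    return evicted


if __name__ == "__main__":
    for ip, requested, actual in premature_removals(SAMPLE_LOG):
        print(f"{ip}: blocked for {requested}s but removed after {actual}s")
    # Four one-day blocks into a list capped at 3: the first is evicted by the fourth.
    burst = [(0, "a", 86400), (10, "b", 86400), (20, "c", 86400), (30, "d", 86400)]
    for ip, at, left in simulate_temp_deny(burst, limit=3):
        print(f"{ip}: evicted at t={at}s with {left}s still to run")
```

On the question's excerpt the checker reports 92.255.223.83 as removed after 696 seconds of a requested 86400, and the model shows how a cap of 3 (100 on a default csf install) turns a day-long block into a 30-second one under a burst of new blocks. To confirm the cap on a real host, look at the `DENY_TEMP_IP_LIMIT` line in /etc/csf/csf.conf.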
