CSF Firewall-Module LFD: Unable to retrieve blocklist MAXMIND
Posted: October 30th, 2024, 4:59 am
Hello Everyone,
Recently my server got many errors within my ConfigServer Firewall module:
Code:
Oct 30 04:21:37 srv8 lfd[974616]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
Oct 30 04:26:37 srv8 lfd[975527]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
Oct 30 04:31:38 srv8 lfd[976765]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
Tried to dig deeper into the problem and found it...
Looks like maxmind.com and abuseipdb.com changed their network and are now using a Content Delivery Network from Cloudflare Inc., which are: 104.17.27.25 and 24.4.237.19
While JavaScript Object Notation (JSON - a standard text-based format for representing structured data based on JavaScript object syntax) is working fine, I have to change the Perl module with HTTP::Tiny and the Perl module LWP::UserAgent too in the /path/to/abuseipdb_report.pl script, which also needs the LWP::Protocol::https Perl module, for integrating AbuseIPDB with CSF - automatically report and block bad IPs that attempted intrusions on the server.
I've added the IPv4 addresses 104.17.27.25 and 24.4.237.19 to csf - Quick Allow actions, and the problem was solved:
Code:
Nov 10 04:19:34 srv8 lfd[1091202]: Retrieved and blocking blocklist MAXMIND IP address ranges
Nov 10 04:19:35 srv8 lfd[1091202]: IPSET: loading set new_MAXMIND with 334 entries
Nov 10 04:19:35 srv8 lfd[1091202]: IPSET: switching set new_MAXMIND to bl_MAXMIND
Nov 10 04:19:35 srv8 lfd[1091202]: IPSET: loading set new_6_MAXMIND with 2 entries
Nov 10 04:19:35 srv8 lfd[1091202]: IPSET: switching set new_6_MAXMIND to bl_6_MAXMIND
Nov 10 12:34:21 srv8 lfd[1268350]: CC: Processing MaxMind Country/ASN database
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [CN]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [HK]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [KR]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [TW]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [BR]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [AR]
Nov 10 12:34:26 srv8 lfd[1268350]: CC: Extracting zone from MaxMind Country/ASN database for [IN]
I've also added the Autonomous System Numbers (ASN) to the country code blocking within csf.conf, in CC_DENY and CC_DENY_PORTS, with the same country codes blocked.
As far as MaxMind GeoIP goes, its purpose is to block all anonymous proxies...
This will reduce the minFraud service (fraud detection) for a transactional risk analysis service.
CSF can use the options below. This option can be set to use:
1. Perl module HTTP::Tiny
2. Perl module LWP::UserAgent
3. CURL/WGET (set location at the bottom of csf.conf if installed)
HTTP::Tiny is much faster than LWP::UserAgent and is included in the csf distribution.
LWP::UserAgent may have to be installed manually, but it can better support https:// URLs, which also needs the LWP::Protocol::https Perl module.
CURL/WGET uses the system binaries if installed but does not always provide good feedback when it fails. The script will first look for CURL; if that does not exist at the configured location, it will then look for WGET.
Additionally, 1 or 2 are used and if the retrieval fails, then if either CURL or WGET are available, an additional attempt will be made using CURL/WGET. This is useful if the Perl distribution has outdated modules that do not support modern SSL/TLS implementations.
CSF recommends setting this set... to "2" or "3", as upgrades to csf will be performed over SSL, as well as other URLs used when retrieving external data.
To install the LWP Perl modules required:
On rpm based systems: (RedHat and CloudLinux)
Code:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
Looks like everything is working fine with my server so far...
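Added example (not part of the original post and not CSF code): while lfd keeps logging "Unable to retrieve blocklist", that list is not being refreshed, so a run of failures with no later success is worth alerting on. The sketch below scans lfd log lines in the format quoted above; the function names, the EXAMPLE_A list and the default threshold of 3 are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the post or from CSF: report lfd blocklists whose
# most recent retrieval attempts all failed (no success since the failures).

# Constructed sample: MAXMIND lines as quoted in the post, EXAMPLE_A invented.
sample_log() {
cat <<'EOF'
Oct 30 04:21:37 srv8 lfd[974616]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
Oct 30 04:22:01 srv8 lfd[974700]: Unable to retrieve blocklist EXAMPLE_A - Unable to download: constructed timeout
Oct 30 04:26:37 srv8 lfd[975527]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
Oct 30 04:27:01 srv8 lfd[975600]: Retrieved and blocking blocklist EXAMPLE_A IP address ranges
Oct 30 04:31:38 srv8 lfd[976765]: Unable to retrieve blocklist MAXMIND - Unable to download: Can't connect to www.maxmind.com:443 (Network is unreachable)
EOF
}

# Usage: stale_blocklists [MIN_FAILURES] < lfd.log
# Prints: NAME <tab> consecutive failures <tab> time of last failure <tab> reason
stale_blocklists() {
  awk -v min="${1:-3}" '
    /lfd\[[0-9]+\]: Unable to retrieve blocklist / {
      s = $0
      sub(/^.*Unable to retrieve blocklist /, "", s)
      name = s;   sub(/ - .*$/, "", name)        # text before " - "
      reason = s; sub(/^[^ ]+ - /, "", reason)   # text after  " - "
      fails[name]++
      last[name] = $1 " " $2 " " $3
      why[name] = reason
      next
    }
    /lfd\[[0-9]+\]: Retrieved and blocking blocklist / {
      s = $0
      sub(/^.*Retrieved and blocking blocklist /, "", s)
      sub(/ .*$/, "", s)                         # keep the list name only
      delete fails[s]                            # a success ends the streak
      next
    }
    END {
      for (n in fails)
        if (fails[n] >= min)
          printf "%s\t%d\t%s\t%s\n", n, fails[n], last[n], why[n]
    }
  ' | sort
}

sample_log | stale_blocklists 3
```

The reported reason field shows whether the failure is a network path problem, as in the post, or a TLS or module problem that a different URLGET setting would address.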