is it possible to slow down a country

keat63

• December 21, 2015 09:42

About 75% of the port scans, failed logins etc seem to eminate from CN. I don't want to totally block CN in the firewall as we do have some legitmate business out there, but is there some way of maybe slowing them down. Even something like a timed firewall block, so CN traffic can only hit the server at given times. The only traffic i need to see from CN is email, nothing more.

• 

  cPanelMichael

  • December 21, 2015 14:46

  Hello :) You may find this thread helpful: apache speed limit shaper is possible? Thank you.

  0
• 

  Infopro

  • December 21, 2015 14:48

  New About 75% of the port scans, failed logins etc seem to eminate from CN.

  
  CSF should already be helping you here with this. What you might consider is, cutting back on the alerts you get. Out of site out of mind.

  0
• 

  keat63

  • December 23, 2015 09:36

  You might be right. Things like port scan, i could do without seeing. This is set for 3 scans and your'e out. Only trouble is, i'm afraid to turn this of in CSF as it gives the impression that it's required to work.

  0
• 

  keat63

  • December 29, 2015 09:26

  Any ideas how i disable port scan detected messages. After 4 days away from work, i've got a huge list of emails to catch up on, mostly which are port scan detected. I don't want to disable port scan detection, just the message generation.

  0
• 

  Infopro

  • December 29, 2015 09:38

  Sure, Port Scan Tracking section: Set the following to "1" to enable Port Scan Tracking email alerts, set to "0" to disable them
  

  0
• 

  Archmactrix

  • December 29, 2015 09:42

  Edit: I was too late to answer

  0
• 

  keat63

  • December 29, 2015 09:49

  I assumed it was that one, however, Its already set to zero, and i'm still recieving about 30 emails per day.

  0
• 

  Infopro

  • December 29, 2015 09:59

  Are you sure its this specific email? You restarted the firewall of course, right?

  0
• 

  keat63

  • December 29, 2015 10:18

  The ones i want to get rid of are the ones in the hourly log scanner report.
  /var/log/lfd.log: Dec 29 10:04:04 lfd[10295]: *Port Scan* detected from 171.8.30.244 (CN/China/-). 3 hits in the last 55 seconds - *Blocked in csf* [PS_LIMIT] Dec 29 10:10:10 lfd[10967]: *Port Scan* detected from 125.111.144.7 (CN/China/-). 3 hits in the last 120 seconds - *Blocked in csf* [PS_LIMIT] Dec 29 10:10:28 lfd[11028]: *Port Scan* detected from 113.251.194.63 (CN/China/-). 3 hits in the last 141 seconds - *Blocked in csf* [PS_LIMIT] Dec 29 10:23:01 lfd[12553]: *Port Scan* detected from 187.247.170.39 (MX/Mexico/customer-GDL-170-39.megared.net.mx). 3 hits in the last 140 seconds - *Blocked in csf* [PS_LIMIT]
  a large number of these hourly reports contain only port scans. If i could get rid of these, i could save myself a lot of hassle.

  0
• 

  Infopro

  • December 29, 2015 10:28

  Yea, that's a different email. Log Scanner settings is what you're looking for. You can change that from hourly, to something else, there. I prefer Daily, myself.

  0
• 

  keat63

  • December 29, 2015 10:54

  Might give daily a try for now. Thanks

  0

Please sign in to leave a comment.