Why is lfd prematurely removing blocks?

Question

As you can see in the excerpted log file below (from /var/log/lfd.log), lfd is prematurely removing temporary blocks that it imposes on IPs:

Apr  7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php.  None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
[...]
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr  7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed

The first line shows that the IP will be blocked for 86400 seconds (one day). However, about 11 minutes later, lfd removes the temporary block. What's going on?

If it helps, the relevant portion of /etc/csf/regex.custom.pm is:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
    return ("Request of xmlrpc.php.  None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
}

score 0 · Accepted Answer · answered Apr 08 '16 at 20:47

I believe I've found the problem. My guess is that the IPs are being rotated out prematurely due to DENY_TEMP_IP_LIMIT. Once we have more than 100 IPs in our temporary ban list (which we definitely do), the oldest IPs will be rotated out in order to make room for new IPs.

Why is lfd prematurely removing blocks?

1 Answers1