As you can see in the excerpted log file below (from /var/log/lfd.log), lfd is prematurely removing temporary blocks that it imposes on IPs:
Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
[...]
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed
The first line shows that the IP will be blocked for 86400 seconds (one day). However, about 11 minutes later, lfd removes the temporary block. What's going on?
If it helps, the relevant portion of /etc/csf/regex.custom.pm is:
# Match a successful (HTTP 200) POST to xmlrpc.php in CUSTOM1_LOG and
# return: message, offending IP ($1), trigger name, per-IP trigger count,
# ports to block, and the temporary block duration in seconds.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/xmlrpc\.php.*" 200/)) {
    return ("Request of xmlrpc.php. None of our users legitimately use this file.",$1,"wordpressxmlrpc","1","80,443","86400");
}
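One way to confirm how widespread the early removals are, as an added example that is not part of the original post or of csf/lfd itself: the script below pairs each "*Blocked in csf* for N secs" line in lfd.log with the later "temporary block removed" line for the same IP and reports every block lifted before its stated duration. The sample log is constructed from the three lines in the question plus an assumed sshd block/removal pair; the syslog timestamps carry no year, which does not matter for deltas within one log.

```python
import re
from datetime import datetime

# Constructed sample: the lines from the question plus one assumed sshd pair (198.51.100.7).
SAMPLE_LOG = """\
Apr 7 13:00:00 host lfd[101]: (sshd) Failed SSH login from 198.51.100.7 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* for 300 secs [LF_SSHD]
Apr 7 13:05:00 host lfd[101]: Incoming IP 198.51.100.7:22 temporary block removed
Apr 7 13:07:59 host lfd[32117]: (wordpressxmlrpc) Request of xmlrpc.php. None of our users legitimately use this file. 92.255.223.83 (RU/Russian Federation/92x255x223x83.dynamic.kirov.ertelecom.ru): 1 in the last 300 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:80 temporary block removed
Apr 7 13:19:35 host lfd[7062]: Incoming IP 92.255.223.83:443 temporary block removed
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ lfd\[\d+\]: "
BLOCK_RE = re.compile(TS + r".* (\d+(?:\.\d+){3}) \(.*\*Blocked in csf\* for (\d+) secs")
REMOVE_RE = re.compile(TS + r"Incoming IP (\d+(?:\.\d+){3}):\d+ temporary block removed")


def parse_ts(stamp):
    # syslog stamps have no year (strptime defaults to 1900); only deltas are used
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_premature_removals(log_text):
    """Return (ip, stated_secs, actual_secs) for every temporary block lifted early."""
    pending = {}   # ip -> (time blocked, stated duration in seconds)
    premature = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            pending[m.group(2)] = (parse_ts(m.group(1)), int(m.group(3)))
            continue
        m = REMOVE_RE.match(line)
        if m and m.group(2) in pending:
            ip = m.group(2)
            # one removal per block; the second per-port line for the same IP is ignored
            blocked_at, stated = pending.pop(ip)
            actual = int((parse_ts(m.group(1)) - blocked_at).total_seconds())
            if actual < stated:
                premature.append((ip, stated, actual))
    return premature


if __name__ == "__main__":
    for ip, stated, actual in find_premature_removals(SAMPLE_LOG):
        print(f"{ip}: blocked for {stated}s, lifted after {actual}s")
```

Run it against the real file with `find_premature_removals(open("/var/log/lfd.log").read())`; for the lines in the question it reports the 86400-second block lifted after 696 seconds, while the assumed sshd block that ran its full 300 seconds is not reported.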