07-25-2015, 04:21 PM   #1
beroop

CSF blocks Apple Mac users


Hi,

I use CSF/LFD on a CentOS 6.6 server and have constant problems with legitimate Apple Mac users being blocked for port scanning when trying to access their email accounts.

A sample log entry looks like this (IPs redacted for privacy):

lfd on xxx.xxx.xxx: xxx.xxx.xxx.xxx (.....) blocked for port scanning

Time: Sat Jul 25 15:19:02 2015 +0200
IP: xxx.xxx.xxx.xxx (.....)
Hits: 11
Blocked: Temporary Block

Sample of block hits:
Jul 25 15:17:58 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=33465 DF PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=4940 DF PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:10 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=58047 DF PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:26 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=5325 DF PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:53 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=5091 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=49629 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:55 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=62389 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:56 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=58086 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:57 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=42130 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:18:58 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=3335 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 15:19:00 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=10:bf:48:4f:8d:ee:78:fe:3d:43:4f:a2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=40859 DF PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 RES=0x00 SYN URGP=0

After 5 temporary blocks, they are permanently blocked and I get an angry phone call!

This only occurs with Mac users, but is a constant irritant for them. Is the cause likely to be misconfiguration on my part, malware on their computers, or some other phenomenon?

If anyone has come across the same problem, or has any ideas what might be causing it, I (and they!) would be very grateful.

Thanks a lot.
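
Added example (not part of the original post, and not CSF/LFD code): a small triage script for "TCP_IN Blocked" lines like those quoted above. It groups hits by source and lists the distinct destination ports, which separates one client retrying a single closed port (every quoted hit is to DPT=585, from source ports 62183 and 62188) from a sweep across many ports. The addresses, the extra log lines and the `sweep_ports` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in the format quoted in the post; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
Jul 25 15:17:58 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=64 TTL=48 PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 SYN URGP=0
Jul 25 15:18:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TTL=48 PROTO=TCP SPT=62183 DPT=585 WINDOW=65535 SYN URGP=0
Jul 25 15:18:53 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=64 TTL=48 PROTO=TCP SPT=62188 DPT=585 WINDOW=65535 SYN URGP=0
Jul 25 15:20:01 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=44 TTL=52 PROTO=TCP SPT=40112 DPT=21 WINDOW=1024 SYN URGP=0
Jul 25 15:20:01 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=44 TTL=52 PROTO=TCP SPT=40112 DPT=23 WINDOW=1024 SYN URGP=0
Jul 25 15:20:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=44 TTL=52 PROTO=TCP SPT=40112 DPT=3306 WINDOW=1024 SYN URGP=0
Jul 25 15:20:03 server sshd[811]: unrelated line that must be skipped
"""

# KEY=value pairs as written by the kernel log target (value may be empty, e.g. "OUT=").
KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_block(line):
    """Return (src, dpt) for a TCP_IN block line, or None for anything else."""
    if "*TCP_IN Blocked*" not in line:
        return None
    fields = dict(KV.findall(line))
    if not fields.get("SRC") or not fields.get("DPT", "").isdigit():
        return None
    return fields["SRC"], int(fields["DPT"])

def summarize(lines):
    """Map each source to its hit count and the set of destination ports it hit."""
    stats = defaultdict(lambda: {"hits": 0, "dports": set()})
    for line in lines:
        parsed = parse_block(line)
        if parsed:
            src, dpt = parsed
            stats[src]["hits"] += 1
            stats[src]["dports"].add(dpt)
    return dict(stats)

def classify(entry, sweep_ports=3):
    """sweep_ports is an assumed triage threshold, not a CSF setting."""
    if len(entry["dports"]) >= sweep_ports:
        return "multi-port sweep"
    return "repeated attempts on few ports"

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, entry["hits"], sorted(entry["dports"]), classify(entry))
```

On the real server the same functions can be fed the kernel log file that the lfd alert excerpts its "block hits" from.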
 
07-27-2015, 02:57 AM   #2
273

Since you've not had a reply yet I decided to google it and it seems that "Notes" might be the culprit:
https://discussions.apple.com/thread/4366664?tstart=0
Sorry I can't be of more help though.
 
  

