Question : Cpanel LFD firewall (linux LAMP server)

LFD firewall still allowing IP addresses through that are blocked

I've noticed two separate instances recently.
1. I had manually added an IP address due to web form spam. Then we got several MORE from the same IP address that had been manually blocked. The web form uses the env var REMOTE_ADDR for capturing the IP address. I used
200.143.0.0/16
which format seems to have worked in the past.

2. Separately, blocked and then continued to get through: In looking over server logs, I see that the firewall detector did its job in blocking the example below, 81.208.30.34.
However, in the subsequent hours and days, there were hundreds MORE blocks issued (groups of five failures from a dictionary attack).
(See the WHM > Deny list entry below, followed by two random excerpts from the log emails I receive.) I thought once an IP was blocked, that was the end of it, that the firewall prevented it from even getting that far again to be blocked again.

QUESTIONS:
A. Are IP env vars spoofable? (and thus it's blocking the wrong address)

B. -- or -- the real question: how could subsequent accesses make it through (and in the latter case, be blocked again)?

C. An aside question. My "landlord" says that using the CIDR mask syntax for the block deny list takes up an inordinate amount of CPU time to spin through each of the 2**16 IP addresses. I thought that a simple boolean bitwise logic equation was used to literally mask the needed part of the IP addr and just do a simple = compare for that part.
What's your take on using CIDR masks in the deny list?

THANKS!

(logs/summary attached below)
LOG 

___________________________________
Deny list entry:
81.208.30.34 # lfd: 5 (pop3d) login failures from 81.208.30.34 (IT/Italy/81-208-30-34.ip.fastwebnet.it) in the last 300 secs - Fri May 14 11:51:09 2010

____________________________________
two examples of emailed logs (SUBSEQUENT to the block list entry)
(it appears to be a dictionary attack)


Time: Fri May 14 11:54:20 2010 -0400
IP: 81.208.30.34 (IT/Italy/81-208-30-34.ip.fastwebnet.it)
Failures: 5 (pop3d)
Interval: 300 seconds
Blocked: Yes

Log entries:

May 14 11:54:15 server2 pop3d: LOGIN FAILED, user=tony, ip=[::ffff:81.208.30.34]
May 14 11:54:17 server2 pop3d: LOGIN FAILED, user=cyrus, ip=[::ffff:81.208.30.34]
May 14 11:54:18 server2 pop3d: LOGIN FAILED, user=pgsql, ip=[::ffff:81.208.30.34]
May 14 11:54:20 server2 pop3d: LOGIN FAILED, user=info, ip=[::ffff:81.208.30.34]
May 14 11:54:20 server2 pop3d: LOGIN FAILED, user=named, ip=[::ffff:81.208.30.34]

Time: Fri May 14 12:09:28 2010 -0400
IP: 81.208.30.34 (IT/Italy/81-208-30-34.ip.fastwebnet.it)
Failures: 5 (pop3d)
Interval: 300 seconds
Blocked: Yes

Log entries:

May 14 12:09:01 server2 pop3d: LOGIN FAILED, user=radiomail, ip=[::ffff:81.208.30.34]
May 14 12:09:07 server2 pop3d: LOGIN FAILED, user=harrypotter, ip=[::ffff:81.208.30.34]
May 14 12:09:15 server2 pop3d: LOGIN FAILED, user=divine, ip=[::ffff:81.208.30.34]
May 14 12:09:21 server2 pop3d: LOGIN FAILED, user=popa3d, ip=[::ffff:81.208.30.34]
May 14 12:09:26 server2 pop3d: LOGIN FAILED, user=aptproxy, ip=[::ffff:81.208.30.34]

Answer : Cpanel LFD firewall (linux LAMP server)

A: IP env vars can be spoofed, but as it is a TCP connection it can only be a "blind spoof" (http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=6394&mode=thread&order=0&thold=0) which means the client must guess some things and also won't receive any feedback (load any contents of the page). Of course the client must also be on a network that allows spoofing IP addresses.

B: How did you block the IP address? The block can be time limited (and thus removed some time in the future), or can be done on higher levels of security (not on the firewall). Also you can have a limit to how many IPs are blocked (for example DENY_IP_LIMIT). When the limit is reached the oldest blocks are removed.

C: It depends on the block and the software making the block - it could put in a subrange or all individual addresses.
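As an added example (not part of the question or the answer above, and not LFD's own code), here is a small Python script that does two things this thread discusses. First, it matches an address against a CIDR deny entry the way the asker assumes in question C: one mask-and-compare per entry, never a walk over the 2**16 hosts of a /16. Second, it replays the "5 failures in 300 secs" rule over pop3d lines like those quoted in the question and flags any IP that keeps tripping the rule while already on the deny list, which is the symptom the asker reports and the situation the answer's point B is about (an entry that expired, was rotated out by a cap such as DENY_IP_LIMIT, or was never applied at the packet filter). The log lines and deny entries are constructed from the question's own excerpts plus one extra line inside the 200.143.0.0/16 range; all function names are my own.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the first five lines mirror the pop3d entries quoted
# in the question; the sixth is an added line inside the asker's 200.143.0.0/16 range.
SAMPLE_LOG = """\
May 14 11:54:15 server2 pop3d: LOGIN FAILED, user=tony, ip=[::ffff:81.208.30.34]
May 14 11:54:17 server2 pop3d: LOGIN FAILED, user=cyrus, ip=[::ffff:81.208.30.34]
May 14 11:54:18 server2 pop3d: LOGIN FAILED, user=pgsql, ip=[::ffff:81.208.30.34]
May 14 11:54:20 server2 pop3d: LOGIN FAILED, user=info, ip=[::ffff:81.208.30.34]
May 14 11:54:20 server2 pop3d: LOGIN FAILED, user=named, ip=[::ffff:81.208.30.34]
May 14 11:58:02 server2 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:200.143.7.9]
"""

# Constructed deny list in csf.deny style: one address or CIDR per line, '#' starts a comment.
SAMPLE_DENY = [
    "81.208.30.34 # lfd: 5 (pop3d) login failures from 81.208.30.34 in the last 300 secs",
    "200.143.0.0/16",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pop3d: LOGIN FAILED, "
    r"user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]$"
)


def normalise_ip(raw):
    """The log writes IPv4 clients in IPv4-mapped IPv6 form (::ffff:a.b.c.d);
    unwrap that so the address compares equal to a plain IPv4 deny entry."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_failures(text, year=2010):
    """Return [(datetime, ip, user)] for every LOGIN FAILED line in text.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, normalise_ip(m["ip"]), m["user"]))
    return events


def in_cidr_bitwise(ip_str, cidr):
    """The check the asker describes in question C, written out: AND both sides
    with the prefix mask and compare once. No loop over the 2**16 hosts of a /16."""
    net_str, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip_str)) & mask) == \
           (int(ipaddress.IPv4Address(net_str)) & mask)


def parse_deny_list(lines):
    """Parse deny-list lines into network objects; a bare address becomes a /32."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def trip_ips(events, window_secs=300, threshold=5):
    """IPs with at least `threshold` failures inside any `window_secs` span:
    the 'N failures in the last 300 secs' rule, as a sliding window per IP."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    tripped = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 >= threshold:
                tripped.add(str(ip))
                break
    return tripped


def audit(log_text, deny_lines):
    """Which IPs tripped the rule, and which of those were already on the deny
    list. An IP in 'already_denied' is still reaching the daemon, so its deny
    entry is not being enforced at the packet filter (expired, rotated out by a
    DENY_IP_LIMIT-style cap, or never applied) - the first thing to check."""
    nets = parse_deny_list(deny_lines)
    events = parse_failures(log_text)
    tripped = trip_ips(events)
    denied_now = {str(ip) for _, ip, _ in events if any(ip in n for n in nets)}
    return {"tripped": tripped, "already_denied": tripped & denied_now}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_DENY))
```

Run as-is it reports 81.208.30.34 under both keys: it trips the 5-in-300 rule and is already on the list, which is exactly the pattern in the asker's emailed logs. The `ip in net` test on `ipaddress` networks is the same single AND-and-compare that `in_cidr_bitwise` spells out, so a /16 entry costs no more to evaluate than a /32; what does grow with a large range is only the work of a tool that chooses to expand the range into individual packet-filter rules, which is the distinction the answer's point C makes.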