LOGDROPOUT Chain not Logging

lucidsw
Junior Member
Posts: 2
Joined: 24 Nov 2013, 05:18

Post by lucidsw »

Recently started using CSF/LFD on a new server (physical) and so far it has been a real gem. Using the latest version 6.37 in a WHM/cPanel environment. Got hit today by a number of sshd login attempts, nothing unusual, but when they eventually went away I noticed that one of the blocked IPs keeps hitting the DENYOUT chain. As per:

```
# csf --grep 190.91.71.77
Chain            num   pkts bytes target     prot opt in     out     source               destination
DENYIN           27       0     0 DROP       all  --  !lo    *       190.91.71.77         0.0.0.0/0
DENYOUT          27       5   620 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            190.91.71.77

ip6tables:
Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 190.91.71.77 in ip6tables
csf.deny: 190.91.71.77 # lfd: 190.91.71.77 (CL/Chile/client-190-91-71-77 . imovil . entelpcs . cl), 3 distributed sshd attacks on account [root] in the last 3600 secs - Sun Nov 24 14:46:22 2013
```

This has been steadily incrementing for over an hour, 1 packet every two minutes. I ran csf -w 190.91.71.77 after putting CSF into watch mode but no other chains reported any hits at all. The other thing is that even though DENYOUT is supposed to log, nothing is showing up in the log.

Anyone seen anything like this before? I'm probably just not understanding what is going on; a push in the right direction would be appreciated.

Re: LOGDROPOUT Chain not Logging

Post by lucidsw »

Found an established TCP connection to that host:

```
tcp        0     84 xxx.xxx.xxx.xxx:22           190.91.71.77:3559           ESTABLISHED
```

Killed the process and the problem has gone. Must have been trying to log in when the block was put in place. Would have timed out eventually. I'd still be interested to know why it wasn't logged though, if anyone has any insights.
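
The check described in the two posts above can be automated. This is an added example, not part of the original posts and not CSF's own code. It matches DENYIN/DENYOUT rules that have non-zero packet counters against established TCP sockets, using constructed sample input modelled on the quoted output; the local address `192.0.2.10` and the second peer are placeholders.

```python
# Constructed sample input modelled on the `csf --grep` and netstat output in the thread.
CSF_GREP = """\
Chain            num   pkts bytes target     prot opt in     out     source               destination
DENYIN           27       0     0 DROP       all  --  !lo    *       190.91.71.77         0.0.0.0/0
DENYOUT          27       5   620 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            190.91.71.77
"""
NETSTAT = """\
tcp        0     84 192.0.2.10:22           190.91.71.77:3559           ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:50122          ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*                   LISTEN
"""


def blocked_with_hits(csf_grep_text):
    """Return {ip: pkts} for DENYIN/DENYOUT rules whose packet counter is non-zero."""
    hits = {}
    for line in csf_grep_text.splitlines():
        f = line.split()
        # Columns: chain num pkts bytes target prot opt in out source destination
        if len(f) != 11 or f[0] not in ("DENYIN", "DENYOUT") or not f[2].isdigit():
            continue  # header, ip6tables text, csf.deny line, or abbreviated counter
        ip = f[9] if f[0] == "DENYIN" else f[10]  # blocked peer is source on IN, destination on OUT
        if int(f[2]) > 0:
            hits[ip] = hits.get(ip, 0) + int(f[2])
    return hits


def stale_sessions(csf_grep_text, netstat_text):
    """Return established TCP sockets whose peer is a blocked IP that is still hitting a rule."""
    hits = blocked_with_hits(csf_grep_text)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Columns: proto recv-q send-q local-address foreign-address state
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        peer_ip = f[4].rpartition(":")[0]
        if peer_ip in hits:
            # A non-zero Send-Q means data is queued that the peer has not acknowledged.
            found.append({"local": f[3], "peer": f[4],
                          "send_q": int(f[2]), "rule_pkts": hits[peer_ip]})
    return found


if __name__ == "__main__":
    for s in stale_sessions(CSF_GREP, NETSTAT):
        print("blocked peer %(peer)s still has a session on %(local)s "
              "(Send-Q %(send_q)d, %(rule_pkts)d packets matched)" % s)
```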