Search found 14 matches
- 22 Oct 2015, 03:18
- Forum: General Discussion (csf)
- Topic: Exim Reject Mail - RBL Custom Regex
- Replies: 5
- Views: 6316
Re: Exim Reject Mail - RBL Custom Regex
Just an update: based on my findings, it's not clear if every rule requires a CUSTOM_LOG; in my testing for EXIM, it's possible to only use 1 of 9 custom log rules if they all scan the same file. Hence why the rules above all use CUSTOM1_LOG.
- 21 Oct 2015, 08:42
- Forum: General Discussion (csf)
- Topic: Exim Reject Mail - RBL Custom Regex
- Replies: 5
- Views: 6316
Re: Exim Reject Mail - RBL Custom Regex
Added a new block for spammers that don't wait for greetings or old MS clients (removed due to standards with SSLv3 and removal of IE8 support on most systems) ciphers won't let it connect anyways so who cares at this point. # Exim_Sync if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* SMTP p...
- 21 Oct 2015, 04:32
- Forum: General Discussion (csf)
- Topic: Exim Reject Mail - RBL Custom Regex
- Replies: 5
- Views: 6316
Re: Exim Reject Mail - RBL Custom Regex
I've decided to re-start this project and here are my updated rules. This rule is for Exim, Invalid HELO http://rubular.com/r/i6qKKbmqSY # Exim_RFC if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* rejected MAIL <.*>: Access denied - Invalid HELO name \(See RFC2821 .*\)$/))...
- 17 Oct 2015, 06:23
- Forum: General Discussion (csf)
- Topic: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
- Replies: 3
- Views: 4537
Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
Just to update this post; The only solution I came up with was every slave posts to master and master has a cron to copy the csf.deny every X minutes to /var/share/nginx/html/fw/csf.deny and have slaves update their GLOBAL_DENY rules and then have LFD fetch the files every 6 minutes. This seems to b...
- 12 Oct 2015, 23:33
- Forum: General Discussion (csf)
- Topic: CSF cluster
- Replies: 1
- Views: 2657
Re: CSF cluster
I've found that the most common issue is that LFD doesn't restart as expected.
You can do a /etc/init.d/lfd restart or csf -ra on newer versions.
- 12 Oct 2015, 23:30
- Forum: Suggestions (csf)
- Topic: Cluster read-only (w/o key) option
- Replies: 1
- Views: 3707
Re: Cluster read-only (w/o key) option
I've been working on something similar and my only solution so far was to have a master node, have everyone send their blocks to the master and then copy the blocks into a directory accessible from apache/nginx and serve them in the GLOBAL_DENY directive to the clients. This way when the master node...
- 12 Oct 2015, 23:22
- Forum: Suggestions (csf)
- Topic: Features CSF cluster allow/deny
- Replies: 1
- Views: 3937
Re: Features CSF cluster allow/deny
I see the benefit of clustering the temp allow / temp deny.
+1
- 12 Oct 2015, 23:19
- Forum: General Discussion (csf)
- Topic: temporary block
- Replies: 11
- Views: 24747
Re: temporary block
Updated post with the answer
-tr, --temprm ip
Remove an IP from the temporary IP ban or allow list
csf -tr ip
- 12 Oct 2015, 21:36
- Forum: General Discussion (csf)
- Topic: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
- Replies: 3
- Views: 4537
Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
Downfall of this config is temp ban is not being honoured. It forces it as a perm ban in this config.
-- update
it was a false positive, temp bans are not being set into csf.deny
- 12 Oct 2015, 16:02
- Forum: General Discussion (csf)
- Topic: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
- Replies: 3
- Views: 4537
Re: CSF Cluster - Master configuration sending blocks to all slaves and vice versa
My only solution so far was to use the GLOBAL_DENY option on the master node. Master node copies its /etc/csf/csf.deny every minute to a publicly accessible directory and running nginx on that folder. Then allowing all slaves to download the GLOBAL_D/A lists from there. Also ideally force the GeoLite ...