execute usr/sbin/csf -d within a php script

Karel
Junior Member
Posts: 28
Joined: 11 Jul 2013, 20:22

execute usr/sbin/csf -d within a php script

Post by Karel »

I'm trying to figure out a way to add IP addresses to the csf.deny list by means of a PHP script.
My first approach was to directly write to csf.deny from my PHP script. But I figured that it was better to use /usr/sbin/csf -d x.x.x.x because the IP is then blocked directly.

Code:

<?php
// some code to retrieve an abusing IP address.
exec("/usr/sbin/csf -d x.x.x.x");
?>

But the above is not working.
I tried shell_exec() and some other commands too.

My PHP file has ownership root 4711.

Any suggestions?
Grindlay
Junior Member
Posts: 9
Joined: 23 Jun 2008, 19:22
Location: Edinburgh, UK

Re: execute usr/sbin/csf -d within a php script

Post by Grindlay »

I know this is a fairly old post but I've been looking for the answer to the same question.
The difficulty (I think) is that you need to be root to call the command-line CSF configuration utility e.g.

Code:

csf -d 11.22.33.44 Added because I don't like them
Most PHP scripts will run either as Apache, Nobody or the owner of the site.
If you use exec() or shell_exec() in your script, you just get a permission error.
An option is to put the script in a cron job and run it every 15 mins, but what if you are being attacked and want to block the offending IP(s) immediately?
Grindlay
Junior Member
Posts: 9
Joined: 23 Jun 2008, 19:22
Location: Edinburgh, UK

Re: execute usr/sbin/csf -d within a php script

Post by Grindlay »

Okay, here's my solution, hopefully someone can sanity-check it.
I should say my server uses suPHP so my sites run with permissions of their owners.
The best approach seems to be to allow your web user to sudo the command.
Step 1: I create a file /etc/sudoers.d/webuser with one line:

webuser ALL=NOPASSWD: /usr/sbin/csf

Please note (a) this requires /etc/sudoers to have the line :

#includedir /etc/sudoers.d

and (b) I recommend using visudo to make sure you don't break your sudoers file.

This allows my webuser to do stuff like

Code:

shell_exec("sudo /usr/sbin/csf -d");
Step 2: create a function to add an IP and comment:

Code:

function AddIPToCSF($ip, $comment) {
    // Refuse anything that is not a plain IP address: $ip and $comment end up on a shell command line.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return "<p>Invalid IP address</p>";
    }
    // Quote both arguments so a crafted comment cannot inject extra shell commands or csf options.
    $s = "sudo /usr/sbin/csf -d " . escapeshellarg($ip) . " " . escapeshellarg($comment);
    $output = shell_exec($s);
    // Escape csf's output before echoing it into the page.
    return "<p>" . htmlspecialchars((string) $output) . "</p>";
}
Step 3: call this function when needed, e.g.

Code:

<?php
  require_once("../path_to_function");
  $ip = "112.215.66.76";
  $comment = "Added, random hacker/injection attempt etc";
  $res = AddIPToCSF($ip, $comment);
  echo $res;
?>

The implication for security is that in theory, any malicious web script can use the CSF command line options which are very powerful and could disable CSF completely - am I right?
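An added example that is not from the thread or from ConfigServer: rather than granting the web user sudo over the whole of /usr/sbin/csf, which exposes every option including the ones that disable the firewall, give it sudo rights to one root-owned wrapper that validates its single argument and only ever runs csf -d. The wrapper path /usr/local/sbin/csf-deny, the CSF_BIN override and the fixed comment text are assumptions made for this example.

```shell
#!/bin/sh
# csf-deny: the only command the web user may run through sudo.
# Hypothetical wrapper written for this example; the path, the name and the
# CSF_BIN override are assumptions, not part of CSF or of the thread above.
#
# Install as root:  install -o root -g root -m 0755 csf-deny /usr/local/sbin/csf-deny
# (it must not be writable by the web user, or editing it is equivalent to root)
# Sudoers entry (edit with visudo -f /etc/sudoers.d/webuser):
#   webuser ALL=(root) NOPASSWD: /usr/local/sbin/csf-deny
# PHP side:  shell_exec("sudo /usr/local/sbin/csf-deny " . escapeshellarg($ip));
# csf's other options (-x, -f, -a, ...) are unreachable through this path.

CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"   # real binary by default; overridable for testing

# Accept only a plain dotted-quad IPv4 address (four octets, each 0..255).
# Hostnames, CIDR ranges, IPv6, option strings and shell metacharacters all fail.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # only digits and dots, no empty octet
        *.*.*.*.*) return 1 ;;                # more than three dots
        *.*.*.*) ;;                           # exactly three dots: check the octets
        *) return 1 ;;                        # fewer than three dots
    esac
    rest=$ip
    for i in 1 2 3 4; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate, then call csf with a fixed argument list: the caller controls only
# the IP, never the options or the comment.
deny_ip() {
    if [ $# -ne 1 ] || ! valid_ipv4 "$1"; then
        echo "csf-deny: refusing '$*': expected exactly one plain IPv4 address" >&2
        return 2
    fi
    "$CSF_BIN" -d "$1" "Blocked by web application"
}

# Run only when executed as the installed script, not when sourced.
case "$0" in
    */csf-deny|csf-deny) deny_ip "$@" ;;
esac
```

Because the sudoers entry names the wrapper rather than csf itself, the most an attacker who controls the web process can do through it is add deny entries; csf -x, -f and -a stay out of reach. If sudo called from PHP fails with a message about needing a tty, the distribution's sudoers sets Defaults requiretty, which has to be relaxed for that user (Defaults:webuser !requiretty) since the web server has no terminal.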
Karel
Junior Member
Posts: 28
Joined: 11 Jul 2013, 20:22

Re: execute usr/sbin/csf -d within a php script

Post by Karel »

Thanks for posting your solution. I certainly will try it out.
Grindlay wrote: The implication for security is that in theory, any malicious web script can use the CSF command line options which are very powerful and could disable CSF completely - am I right?

You're right about that. But you can minimize the risk if you're not using this on shared servers.
theozsnowman
Junior Member
Posts: 11
Joined: 28 Sep 2011, 14:49

Re: execute usr/sbin/csf -d within a php script

Post by theozsnowman »

I know this is a few years old, but will this still work with the current CSF setup etc.?

I need to send IPs to the firewall from a shopping cart when a Honeypot or Brute Force is triggered.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: execute usr/sbin/csf -d within a php script

Post by Sergio »

Hi.
The best way is to add your own rule to /usr/local/csf/bin/regex.custom.pm.
Per the CSF readme file:

You can also add your own login failure tracking using regular expression
matching. Please read /usr/local/csf/bin/regex.custom.pm for more information

If you know what the log output of the Honeypot or Brute Force is, then you can create your own rule using that info.