A nice feature would be a ban all ips that get blocked by csf

Post Reply
Rickhunter
Junior Member
Posts: 1
Joined: 11 Jul 2016, 14:36

A nice feature would be a ban all ips that get blocked by csf

Post by Rickhunter »

It would be a nice feature if csf had a button that when your being attacked that would automatically ban all ip's that are blocked by csf. This would help with with those who are trying to attack a server then when you feel the attack is over you click another button to stop the auto ban when blocked...It would save us system admins a lot of time!
taber13
Junior Member
Posts: 4
Joined: 09 May 2016, 17:17

Re: A nice feature would be a ban all ips that get blocked by csf

Post by taber13 »

Can't you accomplish this by using "Profiles". if your being attacked, load a Paranoid Profile... Banning All Blocked.... when over, Load Default Profile back...
frontstreet
Junior Member
Posts: 1
Joined: 25 Jul 2016, 02:19

Re: A nice feature would be a ban all ips that get blocked by csf

Post by frontstreet »

Another possibility would be to just custom script this capability.

As many hosting server clients we have use CSF as the leading choice of firewall
among many of their servers, we have written quite a few standalone monitoring scripts
available to our clients to download which often monitor for specific types of attacks
and then make direct calls to interface CSF which is easy to do at the command line.

If you have a script that needs to temporarily ban an IP address:

Code: Select all

csf -td <IP or CIDR> <length of ban>
Or, more what I was referring to that better matches your question specifically
regarding issuing permanent bans instead of temporary bans where you can
choose when those should be unbanned at once would be to go ahead and
do a permanent ban but then put in a unique comment or keyword that
can be easily filtered out of csf.deny such as the following:

Code: Select all

TO BAN:     csf -d "<IP OR CIDR>" "ECLIPSE ban - do not delete"

TO UNBAN:    sed -i "/ECLIPSE/d" -- /etc/csf/csf.deny
(and then possibly restart CSF (csf -r) to make sure changes to effective)
In the example above, what I did is set a keyword that won't normally be found
anywhere else among the csf.deny file (IE: "ECLIPSE") and then I simply used
the SED editor to delete all lines containing that same word from the CSF.DENY
configuration file and in one single swoop unbanned all the IPs that were
permanently banned until I decided to unban all of them grouped with the
same keyword at once.

A more elegant way to do this however is to put an INCLUDE line in the csf.deny file
which points to your own separate deny file and then you can simply empty
out your own deny file when you are certain the attack is over.

Both of these options are useful in situations which you spoke regarding where
you don't want to set an arbitrary temporary ban time and would much rather a
ban be kept permanent until such time as you manually decide otherwise and
want to remove all those part of the same attack manually yourself but at the
same time don't want to have to pick through all the bans to figure out which
ones are part of that particular attack and which ones are not which could
be a headache if you have a lot of other banned IPs in your configuration
mixed in that you don't want to also unban as well.

Writing scripts to monitor activity by watching web server log files,
running processes, or parsing netstat output which in turn can then directly
call CSF operations via the command line is very trivial and easy to do in
almost any scripting language from simple BASH shell scripting, Perl, Python,
and even PHP and one of the great strengths to CSF outside it's own built in
capabilities is it's command line interface because it is really easy to extend
the functionality of CSF firewall in this way.

Instead of using SED to remove the banned lines from the csf.deny file as used
in the example above or keeping those in a separate file, yet another way you
could later unban those IPs specifically without the need for a firewall restart
would be to grep the csf.deny file for the IPs you wish to unban and then just
issue the appropriate unban command for each of those and then you would
not need to additionally issue a restart of CSF as was the simple example.

THE FOLLOWING IS JUST CONCEPT EXAMPLE, NOT MEANT FOR PRODUCTION
AND IS ONLY AN ILLUSTRATIONS TO SHOW HOW VERY SIMPLE IT WOULD BE TO
DO SOMETHING LIKE UNBANNING A GROUP OF IPS FROM THE COMMAND LINE
WHICH HAVE BEEN FLAGGED WITH A UNIQUE KEYWORD WHEN BANNED:

Code: Select all

#!/bin/bash
IFS="$"

grep "ECLIPSE" -- /etc/csf/csf.deny | awk '{print $1}' | while read BANIP; do
    csf -dr "${BANIP}"     # Simple read through deny file and unban the marked IPs
done
Post Reply