Would it be possible to add temporary denies / allows and removal of those to CLUSTER cli as well?
Or just let us specify TTL and comments like: csf -cd 157.55.39.107 300 'msn bot mischief'
CLUSTER cli -ctd -cta -ctrm
-
- Junior Member
- Posts: 6
- Joined: 31 Oct 2016, 22:30
Re: CLUSTER cli -ctd -cta -ctrm
I've added a patch to /usr/sbin/csf so that we can send in tempdeny to the cluster through CLI with a timeout value if provided.
Should be working as expected. Patched against CSF v9.27.
Would be great if you could add it to the next version!
edit: changed code to fit into the way csf -td works with arguments and added change to help file.
/usr/sbin/csf
--- /usr/sbin/csf.original 2016-11-07 23:10:04.788715998 +0100
+++ /usr/sbin/csf 2016-11-08 09:18:41.686159702 +0100
@@ -110,6 +110,7 @@
elsif (($input{command} eq "--tempf") or ($input{command} eq "-tf")) {&dotempf}
elsif (($input{command} eq "--mail") or ($input{command} eq "-m")) {&domail}
elsif (($input{command} eq "--cdeny") or ($input{command} eq "-cd")) {&doclusterdeny}
+elsif (($input{command} eq "--ctempdeny") or ($input{command} eq "-ctd")) {&doclustertempdeny}
elsif (($input{command} eq "--callow") or ($input{command} eq "-ca")) {&doclusterallow}
elsif (($input{command} eq "--crm") or ($input{command} eq "-cr")) {&doclusterrm}
elsif (($input{command} eq "--carm") or ($input{command} eq "-car")) {&doclusterarm}
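Review bot: Only `--ctempdeny` / `-ctd` is added to the dispatch chain here; there is no cluster counterpart for a temporary allow or for removing a temporary entry (the `-cta` and `-ctrm` asked for in the thread). Unless `-cr` is meant to lift temporary blocks too, a mistaken `-ctd` stays on every member until its ttl runs out. Suggest adding the two missing commands in the same change, or stating in the help text which existing command withdraws a cluster temp deny.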
@@ -470,6 +471,47 @@
}
# end doclusterdeny
###############################################################################
+# start doclustertempdeny
+sub doclustertempdeny {
+ my ($ip,$timeout,$portdir) = split(/\s/,$input{argument},3);
+ my $inout = "in";
+ my $port = "";
+ my $perm = 0;
+ if ($timeout =~ /^(\d*)(m|h|d)/i) {
+ my $secs = $1;
+ my $dur = $2;
+ if ($dur eq "m") {$timeout = $secs * 60}
+ elsif ($dur eq "h") {$timeout = $secs * 60 * 60}
+ elsif ($dur eq "d") {$timeout = $secs * 60 * 60 * 24}
+ else {$timeout = $secs}
+ }
+
+ if (!checkip(\$ip)) {
+ print "[$ip] is not a valid IP/CIDR\n";
+ return;
+ }
+
+ if ($timeout =~ /\D/) {
+ $portdir = join(" ",$timeout,$portdir);
+ $timeout = 0;
+ }
+
+ if ($portdir =~ /\-d\s*out/i) {$inout = "out"}
+ if ($portdir =~ /\-d\s*inout/i) {$inout = "inout"}
+ if ($portdir =~ /\-p\s*([\w\,\*\;]+)/) {$port = $1}
+ my $comment = $portdir;
+ $comment =~ s/\-d\s*out//ig;
+ $comment =~ s/\-d\s*inout//ig;
+ $comment =~ s/\-d\s*in//ig;
+ $comment =~ s/\-p\s*[\w\,\*\;]+//ig;
+ $comment =~ s/^\s*|\s*$//g;
+ if ($comment eq "") {$comment = "Manually added: ".iplookup($ip)}
+
+ &clustersend("D $ip $perm $port $inout $timeout");
+ return;
+}
+# end doclustertempdeny
+###############################################################################
# start doclusterrm
sub doclusterrm {
my ($ip,$comment) = split (/\s/,$input{argument},2);
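Review bot: In the unit handling at the top of `doclustertempdeny`, the match `/^(\d*)(m|h|d)/i` is case-insensitive but the `$dur eq "m"` / `"h"` / `"d"` comparisons are not, so `5H` falls through to the `else` branch and is sent as 5 seconds. Lowercase `$dur` with `lc` before comparing, and use `\d+` with a `$` anchor so that a bare `m` (currently 0) or `5minutes` (currently 300) is rejected. Two further points: when the second argument is not numeric the code sets `$timeout = 0` and still calls `clustersend`, so a missing ttl should print a usage error and return rather than push a block with a zero timeout to every member; and `$comment` is built, including an `iplookup($ip)` call, but never appears in the `clustersend("D $ip $perm $port $inout $timeout")` string, so either send it or drop that block.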
/usr/local/csf/lib/csf.help
--- /usr/local/csf/lib/csf.help.original 2016-02-06 13:24:19.000000000 +0100
+++ /usr/local/csf/lib/csf.help 2016-11-08 09:23:21.775822348 +0100
@@ -94,6 +94,12 @@
-cd, --cdeny ip
Deny an IP in a Cluster and add to each remote /etc/csf/csf.deny
+ -ctd, --ctempdeny ip ttl [-p port] [-d direction] [comment]
+ Add an IP to the cluster temp IP ban list. ttl is how long to
+ block for (default:seconds, can use one suffix of h/m/d).
+ Optional port. Optional direction of block can be one of:
+ in, out or inout. (default:in)
+
-ca, --callow ip
Allow an IP in a Cluster and add to each remote
/etc/csf/csf.allow
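Review bot: The synopsis line advertises `[comment]`, but the `clustersend` call in `doclustertempdeny` does not transmit the comment, so the help promises something the command does not do; drop `[comment]` here or send it. The text also shows `ttl` as a required argument without saying what happens when it is omitted, while the code falls back to a timeout of 0 in that case. State the behaviour, and say whether the `h/m/d` suffix is case-sensitive.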
-
- Junior Member
- Posts: 6
- Joined: 31 Oct 2016, 22:30
Re: CLUSTER cli -ctd -cta -ctrm
Any chance you guys work off a git repo that you can host on github or your own gitlab install so we could do pull requests?
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: CLUSTER cli -ctd -cta -ctrm
We do not use git and do not have a public repository as our script products are released under a commercial license.
Thank you for the suggestion and code, we will look into incorporating it in the future.
-
- Junior Member
- Posts: 6
- Joined: 31 Oct 2016, 22:30
Re: CLUSTER cli -ctd -cta -ctrm
Ok - thank you for the help and time spent on CSF/LFD
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: CLUSTER cli -ctd -cta -ctrm
A feature that addresses this has been added to csf v9.29 which we have just released:
http://blog.configserver.com/