IP address in csf.blocklist and csf.allow

Spork Schivago
Junior Member
Posts: 18
Joined: 24 Jan 2016, 20:22

Post by Spork Schivago »

Hello,

I use scanmyserver.com to do an audit of my server. I was looking through the ModSec logs and saw an IP address that was there more than five times, performing a scan. I was curious as to why csf hadn't blocked them. So I went into the GUI and searched for the IP and then realized the IP belonged to scanmyserver. However, the IP address is also listed in the GreenSnow blocklist.

How does CSF / LFD normally handle something like this, where I list an IP address in the csf.ignore and csf.allow configuration files, but a blocklist also has the IP address listed? Will it sometimes block the connection, or will it always let it through, or is it undefined behaviour?

Thank you.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: IP address in csf.blocklist and csf.allow

Post by ForumAdmin »

iptables rules are processed sequentially with csf configuring the allows before the denies in most cases.
Spork Schivago
Junior Member
Posts: 18
Joined: 24 Jan 2016, 20:22

Re: IP address in csf.blocklist and csf.allow

Post by Spork Schivago »

So in this case, the addresses will be allowed through? I could use iptables -L, in the future, to check, couldn't I? Maybe something like:

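# -n prints numeric addresses (no reverse DNS), so grep can match the IP itself
iptables -nL --line-numbers | grep -F "<ip address I'm looking for>"

And if the IP address in the ALLOW section is first, then we should be good.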

Thanks!
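
Added example (not part of the thread and not csf's own code): a grep only shows that an address appears somewhere in the ruleset, while the verdict depends on which matching rule is reached first. This sketch walks constructed `iptables -S` output from INPUT and returns the first terminal verdict for an address; the chain names, addresses and function names are assumptions, and only `-s` and `-j` are evaluated (ports, interfaces, states and ipset matches are ignored).

```python
import ipaddress

# Constructed sample in `iptables -S` format. Chain names and addresses are
# illustrative assumptions, not output captured from a real csf host.
SAMPLE_RULES = """\
-P INPUT DROP
-N ALLOWIN
-N BLOCKLIST
-A INPUT -j ALLOWIN
-A INPUT -j BLOCKLIST
-A ALLOWIN -s 203.0.113.10/32 -j ACCEPT
-A BLOCKLIST -s 203.0.113.0/24 -j DROP
-A BLOCKLIST -s 198.51.100.7/32 -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Return ({chain: [(source_net_or_None, target)]}, {chain: policy})."""
    chains, policies = {}, {}
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif len(tok) >= 2 and tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            src = None
            if "-s" in tok:
                src = ipaddress.ip_network(tok[tok.index("-s") + 1], strict=False)
            chains.setdefault(tok[1], []).append((src, tok[tok.index("-j") + 1]))
    return chains, policies

def first_match(ip, chains, policies, chain="INPUT", path=()):
    """Return (verdict, chain_path) for the first rule that decides `ip`."""
    addr, path = ipaddress.ip_address(ip), path + (chain,)
    for src, target in chains.get(chain, []):
        if src is not None and addr not in src:
            continue                      # rule does not match this source
        if target in TERMINAL:
            return target, path           # first match wins, traversal stops
        if target == "RETURN":
            break                         # leave this chain early
        if target in chains:              # jump into a user-defined chain
            verdict = first_match(ip, chains, policies, target, path)
            if verdict:
                return verdict
    # Built-in chains fall back to their policy; user chains return to caller.
    return (policies[chain], path) if chain in policies else None

if __name__ == "__main__":
    chains, policies = parse_rules(SAMPLE_RULES)
    for ip in ("203.0.113.10", "203.0.113.99", "192.0.2.1"):
        print(ip, first_match(ip, chains, policies))
```

On a live host the input would be the output of `iptables -S` saved to a file and passed to `parse_rules`.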