I have the following question on how the IP Reputation files all.txt, etc. get populated.
If an IP address triggers a BLOCK on one of my servers, does this automatically get reported to CXS? The reason I am asking: if a user enters their password wrong and gets blocked on our server, does CSF report that to the IP Reputation repository?
If it does report it, then if I unblock the IP address from CSF, must I also run the command line --Rremove to remove that IP from the list, or does CSF report it as unblocked to CXS lists?
I think I had a user where this happened and I had to also disable CXS IP Reputation because they were still being blocked.
I hope I explained this well enough. Thank you for any responses.
IP Reputation Population
Re: IP Reputation Population
I've had a similar problem. I've a user who persistently gets her IMAP login wrong. She has a phone with the wrong password. When she arrives at work, they get a temp ban.
The temp ban then gets sent to ConfigServer's IP reputation server and they end up on the CXS_ALL list.
In the meantime the temp ban has lapsed. If they log in to my support (WHMCS with a plugin that lets them unblock), it tells them there is no ban as that only looks at the csf deny & temp deny lists, not directly at iptables.
To fix it, I have to manually cxs --Rremove the IP and wait 10 minutes. Or remove it from iptables directly.
I repeat this every few months as the user is incapable of changing the IMAP password on their iPhone and the router holds on to a dynamic IP for that long. I add their IP to the ignore list.
It would be great if a) removing a ban on csf also removed it from cxs and b) cxs was cluster aware as you can only remove an address from the server that reported it.
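The gap described in the post above (a lapsed csf temp ban while the reputation list still blocks the address) can be checked for in a support tool. This is an added example, not part of the original posts and not ConfigServer's code: the function names are hypothetical, the list formats (one IP or CIDR per line with `#` comments, and a pipe-delimited temp ban line) are assumptions, and all sample data is constructed.

```python
import ipaddress

def _entries(text):
    """Yield networks from a list with one IP/CIDR per line and '#' comments (assumed format)."""
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            yield ipaddress.ip_network(token.split()[0], strict=False)
        except ValueError:
            continue  # skip lines that do not start with an address

def _temp_entries(text, now):
    """Yield networks from temp bans that have not lapsed yet.
    Assumed line format: start_epoch|ip|port|direction|ttl_seconds|reason"""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 5:
            continue
        try:
            start, ttl = int(fields[0]), int(fields[4])
            net = ipaddress.ip_network(fields[1], strict=False)
        except ValueError:
            continue
        if start + ttl > now:
            yield net

def blocking_sources(ip, deny_text, temp_text, reputation_text, now):
    """Return the names of every list that still matches `ip` at time `now`."""
    addr = ipaddress.ip_address(ip)
    sources = {
        "csf deny": _entries(deny_text),
        "csf temp deny": _temp_entries(temp_text, now),
        "cxs reputation": _entries(reputation_text),
    }
    return [name for name, nets in sources.items()
            if any(addr.version == n.version and addr in n for n in nets)]

# Constructed sample data (documentation address ranges, not real indicators).
DENY = "198.51.100.7 # constructed permanent deny entry\n"
TEMP = "1700000000|203.0.113.45|143|in|3600|constructed: failed IMAP logins\n"
REPUTATION = "# constructed reputation list\n203.0.113.45\n192.0.2.0/24\n"

if __name__ == "__main__":
    # Two hours after the ban started: the temp ban has lapsed, the reputation entry has not.
    print(blocking_sources("203.0.113.45", DENY, TEMP, REPUTATION, 1700000000 + 7200))
```

A result containing only "cxs reputation" is the case where an unblock tool that reads just the csf deny and temp deny lists reports no ban.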
Re: IP Reputation Population
I've had the same issue, but we notice that enabling the individual lists like LF_SMTP seems to block very nicely.
So we enabled the following:
CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS
Works quite well for us at least, and load has gone down A LOT.
Re: IP Reputation Population
> It would be great if a) removing a ban on csf also removed it from cxs
I've submitted a feature request for this here:
viewtopic.php?f=27&t=12156
Please add your support.