How to block IP at the first attack detected in CXS?

Sergio
Junior Member
Posts: 1729
Joined: 12 Dec 2006, 14:56

How to block IP at the first attack detected in CXS?

Post by Sergio »

Hello Sarah,
Season's greetings.

Sarah, is there a way to block on CSF Firewall an IP that triggers an MD5SUM at the first attempt?

If not, how can I implement this?

Merry X'mas,
Sergio
Sarah
Moderator
Posts: 939
Joined: 09 Dec 2006, 22:49

Re: How to block IP at the first attack detected in CXS?

Post by Sarah »

It is only possible to block cxs modsecurity hits in csf because otherwise cxs does not have the IP address of the attacker. You can use LF_CXS to configure this.
Sergio
Junior Member
Posts: 1729
Joined: 12 Dec 2006, 14:56

Re: How to block IP at the first attack detected in CXS?

Post by Sergio »

Thank you, Sarah.

I was writing about MD5SUM generated by CXS.

ModSecurity rules, yes, I have those implemented on my servers and they are working very well.

But I thought there might be a way to block IPs that trigger MD5SUMs that are already defined in CXS.XTRA, so the next time the same file is uploaded and quarantined/deleted by CXS, the offending IP could be blocked as well.

Best regards,
Sergio
Sarah
Moderator
Posts: 939
Joined: 09 Dec 2006, 22:49

Re: How to block IP at the first attack detected in CXS?

Post by Sarah »

Unless the file is detected via cxs modsecurity scanning, cxs has no information about the IP address of the attacker. I'm not sure what type of scan you are referring to.
Sergio
Junior Member
Posts: 1729
Joined: 12 Dec 2006, 14:56

Re: How to block IP at the first attack detected in CXS?

Post by Sergio »

Got it.

I thought that when a file is blocked because it matches an MD5SUM code defined in CXS.XTRA, CXS could get the IP that tried to upload the malicious file.

I managed to get the IP that tried to upload a bad file using the user's cPanel logs, but it takes a long time to do it, and I thought that maybe CXS could have that info when an uploaded file matches a defined MD5SUM.
Sarah
Moderator
Posts: 939
Joined: 09 Dec 2006, 22:49

Re: How to block IP at the first attack detected in CXS?

Post by Sarah »

It makes no difference what type of match it is, MD5SUM or fingerprint or virus. Unless it was detected via cxs modsecurity scanning, cxs cannot get the IP address.
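An added example, not part of the thread and not cxs or csf code: one way to shorten the manual log lookup described above when a detection did not come through cxs modsecurity scanning. It assumes Apache combined-format access logs for the affected domain and a known detection time; the function names, sample log lines and timestamps are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_upload_candidates(log_lines, detected_at, window_seconds=120):
    """Return (ip, timestamp, path) for POST/PUT requests logged within
    window_seconds before the detection time (plus 5 s of skew after it)."""
    start = detected_at - timedelta(seconds=window_seconds)
    end = detected_at + timedelta(seconds=5)  # tolerate small clock/log skew
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue  # unparseable line or a request that cannot carry an upload
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue  # malformed timestamp: skip rather than guess
        if start <= ts <= end:
            hits.append((m["ip"], ts, m["path"]))
    return hits

def rank_ips(hits):
    """Count candidate requests per IP, most frequent first."""
    return Counter(ip for ip, _, _ in hits).most_common()

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Dec/2019:10:14:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [24/Dec/2019:10:15:02 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 312 "-" "curl/7.58.0"',
    '203.0.113.7 - - [24/Dec/2019:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'truncated or corrupt line',
]
# Constructed detection time; in practice, the time cxs reported the file.
DETECTED_AT = datetime(2019, 12, 24, 10, 15, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, ts, path in find_upload_candidates(SAMPLE_LOG, DETECTED_AT):
        print(ip, ts.isoformat(), path)
```

The result is a list of candidates, not proof of who uploaded the file: review the matching requests before adding any address to the csf deny list.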