Hi
I am a huge fan of csf. To the point where my servers don't crash from the number of hack attempts/port scans. They must be sorely disappointed after 5 attempts and going no further. mwhahaha!
What would be good to have is a global list of "blocked" IP addresses, mainly to save me sifting through my inbox and deleting those e-mails that need deleting!
I guess the only problem with this would be, once a hacker has out-resourced one machine they move onto the next. And another problem would be the bandwidth to share this resource as well - perhaps cPanel wouldn't mind sharing a bit of theirs.
Anyway, would be good to hear what you think.
Thanks
Matt
Global IP Block list
I am guessing the same could be applied for the "allow" lists?
The reason being, we are constantly adding new servers. It would be nice to have a global allow list which we can manage from a central point (MySQL?) and each time CSF reloads, it reads the rules from a single place (along with any custom rules in the csf.allow/deny files)
When a new monitoring server or access point is added, it would make rolling out changes very easy
Let's make this happen
If a server is needed to make something like this happen, I work for a hosting company and we use your product pretty extensively. Would love to assist in getting a server up for something like this to be tested on.
Just an idea for this list.
BCC a central server that only pulls the headers off the mail, specifically the IP address and the hostname to prevent false positives from servers spamming an IP address. Once an IP hits a designated limit of hosts reporting it, it is added to a text file.
While Bogon, DShield, and Spamhaus are great lists, it would be even better to have a live list that was created from all the data that can be collected from all these servers running CSF.
Some other points:
Do not have any kind of de-listing service as this would probably be a nightmare to support. Just have the IPs drop off after a short period, say 48 hours.
Keep it basic on this machine, use a stripped-down install and only run what is needed. Probably lighttpd to serve up the text file. Also run everything in tmpfs or memcache if a database will be used, to avoid IO lag; it should be minimal storage anyway if you flush data regularly. Only pull the data you need off the email and /dev/null the rest, including reports that have already been put on the list.
This would work very well and will require minimal development time. I can see it now, as we have a relatively small IP range (one B block) and conventionally the whole datacenter emails me when one machine hits the whole range. These are obviously infected or rogue machines, as no one can rationalize hitting 10-plus servers trying to login as root.
I don't know Perl but can help in any other area, and I assume this is what you would want to use.
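The collector described in the post above, written out as an added example (not code from the forum, csf or lfd): it pulls only the reporting host and the offending IP out of BCC'd alert mails, counts distinct reporting hosts per IP so one chatty server cannot list an address on its own, drops reports older than 48 hours, and renders the resulting text file. The mail layout (reporting host taken from the From: domain, blocked IP named in the Subject:) and the sample mails are constructed for the example and are not lfd's real alert format.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

THRESHOLD = 2                  # distinct reporting hosts needed before an IP is listed
WINDOW = timedelta(hours=48)   # reports older than this simply drop off (no de-listing service)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_report(raw):
    """Return (offending_ip, reporting_host, report_time) from one alert mail, or None.

    Assumed layout for this example: the reporting host is the domain of the
    From: address and the Subject: names the blocked IP. Everything else in the
    mail is discarded, as the post suggests.
    """
    msg = message_from_string(raw)
    m = IPV4_RE.search(msg.get("Subject", ""))
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group(1)))  # rejects junk such as 999.1.1.1
    except ValueError:
        return None
    sender = msg.get("From", "")
    host = sender.rsplit("@", 1)[-1].strip("> ").lower() if "@" in sender else ""
    date = msg.get("Date")
    if not host or not date:
        return None
    when = parsedate_to_datetime(date)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return ip, host, when


def build_blocklist(raw_mails, now, threshold=THRESHOLD, window=WINDOW):
    """IPs reported by at least `threshold` distinct hosts within `window` of `now`."""
    reporters = {}
    for raw in raw_mails:
        parsed = parse_report(raw)
        if parsed is None:
            continue
        ip, host, when = parsed
        if now - when > window:
            continue  # stale report: the IP ages out on its own
        reporters.setdefault(ip, set()).add(host)
    return sorted(ip for ip, hosts in reporters.items() if len(hosts) >= threshold)


def render_blocklist(ips):
    """One IP per line, the form a web server can serve as a plain text file."""
    return "\n".join(ips) + ("\n" if ips else "")


def make_mail(reporting_host, blocked_ip, date):
    # Constructed alert mail in the assumed layout; body is irrelevant to the collector.
    return (f"From: lfd@{reporting_host}\nTo: reports@collector.example\n"
            f"Date: {date}\nSubject: lfd on {reporting_host}: blocked {blocked_ip}\n\n"
            "body omitted\n")


NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed sample: three hosts report 203.0.113.7 (listed); one host reports
# 198.51.100.9 twice (not listed); 192.0.2.5 has one fresh and one stale report
# (not listed); the last mail carries an invalid address and is discarded.
SAMPLE_MAILS = [
    make_mail("web1.example.net", "203.0.113.7", "Wed, 10 Jan 2024 11:00:00 +0000"),
    make_mail("web2.example.net", "203.0.113.7", "Wed, 10 Jan 2024 10:30:00 +0000"),
    make_mail("mail.example.org", "203.0.113.7", "Wed, 10 Jan 2024 09:45:00 +0000"),
    make_mail("web1.example.net", "198.51.100.9", "Wed, 10 Jan 2024 11:10:00 +0000"),
    make_mail("web1.example.net", "198.51.100.9", "Wed, 10 Jan 2024 11:20:00 +0000"),
    make_mail("web1.example.net", "192.0.2.5", "Wed, 10 Jan 2024 11:30:00 +0000"),
    make_mail("web2.example.net", "192.0.2.5", "Sun, 07 Jan 2024 12:00:00 +0000"),
    make_mail("web2.example.net", "999.1.1.1", "Wed, 10 Jan 2024 11:40:00 +0000"),
]

if __name__ == "__main__":
    print(render_blocklist(build_blocklist(SAMPLE_MAILS, NOW)), end="")
```

Counting distinct reporting hosts rather than raw mails is what gives the false-positive protection the post asks for, and a fixed window instead of a stored state means the collector needs nothing more than the last 48 hours of parsed reports in memory.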