IP Deny logging to a database or post block/post remove hooks
Would it be possible to do either of the following:
1. Log all csf/lfd blocks and removes to a database of some nature, to enable this to be queried for use elsewhere by non-privileged accounts
or 2. Add some form of hook script to be run after an IP is blocked or removed from the blocklist (much like cPanel's postupcp method)
My reason for asking is that I am trying to create some form of centralised database of blocks from my network so that I can send clients to a 'check if your IP is blocked' page.
Presently I am manually parsing the block file and running a script via cron to do this; it would be far more elegant if I could do this as and when the blocks happened.
TIA
Jonathan, it would also be great if those blocked IPs were stored at some centralized point where others could compare them with their own logs, and it would then be possible to analyze persistent attackers across our servers - something like dshield but closer to csf. What do both of you think?
Sounds like a good idea in principle. I'm assuming your idea is some form of RBL based on the blocks by csf?
The only downside to this would be the false positive rate, given that clients frequently forget passwords and end up getting themselves blocked for login failures. I guess some form of scoring method (e.g. this IP address is blocked in x amount of csf based servers) would have to be attached to this, otherwise the RBL would be blocking legitimate (but forgetful) users.
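The scoring idea from the last reply, sketched as an added example that is not part of the thread and not csf code: an address is published to the shared list only when enough distinct servers have blocked it, and a lookup answers the 'check if your IP is blocked' question. The `(server, address)` report format, the server names and the threshold of 3 are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (reporting server, blocked address as logged).
REPORTS = [
    ("web1", "203.0.113.7"),
    ("web2", "203.0.113.7"),
    ("web3", "203.0.113.7"),
    ("web1", "203.0.113.7"),            # repeat from the same server, counts once
    ("web2", "198.51.100.20"),          # one server only: likely a forgetful user
    ("web1", "2001:db8::1"),
    ("web3", "2001:0db8:0:0:0:0:0:1"),  # same IPv6 address, different spelling
    ("web2", "not-an-ip"),              # malformed entry, skipped
]


def score_blocks(reports):
    """Map each normalised address to the set of servers that block it."""
    servers_by_ip = defaultdict(set)
    for server, raw in reports:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # ignore entries that are not a single valid address
        servers_by_ip[str(ip)].add(server)
    return servers_by_ip


def shared_blocklist(reports, min_servers=3):
    """Addresses blocked on at least min_servers distinct servers."""
    scores = score_blocks(reports)
    return sorted(ip for ip, servers in scores.items()
                  if len(servers) >= min_servers)


def lookup(reports, raw_ip):
    """For a client query: which servers currently block this address."""
    ip = str(ipaddress.ip_address(raw_ip))
    return sorted(score_blocks(reports).get(ip, set()))


if __name__ == "__main__":
    print(shared_blocklist(REPORTS))
    print(lookup(REPORTS, "198.51.100.20"))
```

Counting distinct servers rather than raw block events keeps one server's repeated blocks of the same client from pushing that client onto the shared list.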