Is it possible to add a new feature to CSF so that, if an IP address is blocked due to exceeding the CT_LIMIT (Connection Tracking Limit), the email produced actually contains details of the connections in progress?
For example, instead of just:
From: root
To: root
Subject: lfd: 12.34.56.78 blocked with too many connections
Agreed, one of our customers keeps tripping the Connection Tracking limits and getting blocked... Spoke to him several times about it and he insists he's simply editing his site through the Administrator interface in the "Joomla" CMS system...
But the CSF alert says otherwise:
Subject [lfd] server5: 1.2.3.4 (*****com) blocked with too many connections
Time: Wed Feb 28 14:59:06 2007
IP: 1.2.3.4 (*******.com)
Connections: 402
Blocked: temporarily
I don't happen to be at the terminal when it happens, so I haven't been able to catch the "netstat -nap | grep 1.2.3.4" output in time to see what was going on...
Chirpy, if you think the log would be too big (though I don't see a problem with that... even if it was an MB or more) you could just save the log file in the /etc/csf/logs/lfd/ or some directory like that, with a filename to reflect the IP & date (2007-02-28 14:59:06 1.2.3.4.log).
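
An added example, not part of the thread and not CSF/lfd code: one way to capture what both posts ask for, a per-IP snapshot of `netstat -nap`-style output saved under a date-and-IP filename. The function names, the sample rows and the underscore-separated filename are assumptions; matching is on the exact foreign address, because a plain `grep 1.2.3.4` would also pick up 11.2.3.4 and 1.2.3.40.

```sh
#!/bin/sh
# Added example (not CSF/lfd code): snapshot one remote IP's connections
# from `netstat -nap`-style text read on stdin.

# Constructed sample rows; on a live host pipe in `netstat -nap` instead.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.0.0.5:80 1.2.3.4:51001 ESTABLISHED 2101/httpd
tcp 0 0 10.0.0.5:80 1.2.3.4:51002 ESTABLISHED 2102/httpd
tcp 0 0 10.0.0.5:80 1.2.3.4:51003 TIME_WAIT -
tcp 0 0 10.0.0.5:21 1.2.3.4:51004 ESTABLISHED 2200/pure-ftpd
tcp 0 0 10.0.0.5:80 11.2.3.4:40000 ESTABLISHED 2103/httpd
tcp 0 0 10.0.0.5:80 1.2.3.40:40001 ESTABLISHED 2104/httpd
tcp6 0 0 ::ffff:10.0.0.5:80 ::ffff:1.2.3.4:51005 ESTABLISHED 2105/httpd'

# Keep only TCP rows whose foreign address is exactly $1.
conns_for_ip() {
    awk -v ip="$1" '$1 ~ /^tcp/ {
        addr = $5
        sub(/:[0-9*]+$/, "", addr)   # strip the :port suffix
        sub(/^::ffff:/, "", addr)    # unwrap IPv4-mapped IPv6
        if (addr == ip) print
    }'
}

# Count rows per TCP state and local port, busiest first.
summarize() {
    awk 'NF { n = split($4, l, ":"); c[$6 " local_port=" l[n]]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Write the snapshot to DIR/<date>_<ip>.log and print the file's path.
snapshot_conns() {
    ip=$1; dir=${2:-.}
    out="$dir/$(date '+%Y-%m-%d_%H-%M-%S')_${ip}.log"
    rows=$(conns_for_ip "$ip")
    {
        echo "IP: $ip"
        echo "Connections: $(printf '%s\n' "$rows" | grep -c .)"
        echo "--- by state / local port ---"
        printf '%s\n' "$rows" | summarize
        echo "--- raw rows ---"
        printf '%s\n' "$rows"
    } > "$out"
    echo "$out"
}
```

On a live host the call would look like `netstat -nap | snapshot_conns 1.2.3.4 /some/log/dir`, with the directory of your choosing.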