
Is there a way to automatically ban IP addresses?

Posted: 04 Jan 2018, 23:49
by linkup
I get inundated with hacker activity, mainly exploiting WordPress to install files which CSXS deletes or quarantines, but nothing stops the same hackers on the same IP addresses from attacking multiple WP installs.

I don't know of a way to deal with the issue other than to manually block all of the IP addresses. Maybe blocking the IP addresses does no good as it seems I am chasing my tail. No matter how many IP addresses I block, even whole ranges of addresses, the hacking is non-stop.

I would love to reach through the wire and cut off their gonads but that isn't going to happen.

There seems to be no successful WP security programs to stop the hacking so I would like to at least block them.

It seems hackers can't really be stopped, but I at least want to be an annoyance. I suspect it is all done with bots so it isn't as if there is someone sitting there who is going to have a "goshy darn" moment and will really care, but at least blocking them to the degree I can gives me the hint of a warm fuzzy.

Thanks...

Re: Is there a way to automatically ban IP addresses?

Posted: 05 Jan 2018, 11:28
by Sarah
If you have csf/lfd on the server you can use the csf option "LF_CXS". See more information in the cxs documentation (WHM > ConfigServer eXploit Scanner > Documentation button - search for "cxs and csf Integration").

Re: Is there a way to automatically ban IP addresses?

Posted: 05 Jan 2018, 17:59
by linkup
Thanks so much Sarah. After some digging I found the setting. Seems there are a pair of options.
LF_CXS was set to 0, which I assume is off, so I changed the value to "1".
After that is LF_CXS_PERM, which is set to 1.

Having changed LF_CXS to 1, should that do what I am trying to do? It will automatically issue a deny for that IP after the first infraction?

I think I saw something about being able to use a ban list that has been compiled somewhere. I am familiar with such lists for email addresses that are known to spam, and servers they are known to come from, but if I can eliminate a lot of known hacker IP addresses that might be a good first line of defense.

Thanks so much!

Re: Is there a way to automatically ban IP addresses?

Posted: 05 Jan 2018, 21:35
by Sarah
linkup wrote: 05 Jan 2018, 17:59 Having changed LF_CXS to 1, should that do what I am trying to do? It will automatically issue a deny for that IP after the first infraction?
Yes.
linkup wrote: 05 Jan 2018, 17:59 I think I saw something about being able to use a ban list that has been compiled somewhere. I am familiar with such lists for email addresses that are known to spam, and servers they are known to come from, but if I can eliminate a lot of known hacker IP addresses that might be a good first line of defense.
You could look at the IP reputation system in cxs/csf. Search the cxs documentation for "IP Reputation System".

Re: Is there a way to automatically ban IP addresses?

Posted: 08 Jan 2018, 19:52
by linkup
Thanks very much. You get a gold star :) I chose the option to enable all of the lists and will monitor the system to see if it can handle the load.