CSF doesn't always call BLOCK_REPORT when IPs get blocked
Posted: 30 May 2020, 17:55
Good morning CSF Team!
We are currently evaluating if we can use CloudLinux's Imunify360 solution which has a CSF Integration mode.
In Imunify360, when it detects CSF blocked an IP, it will move that block from CSF to Imunify360, however it relies on the 'BLOCK_REPORT' function of CSF.
During our testing, we've noticed that sometimes CSF will block an IP but Imunify360 didn't see the block.
After going back and forth with CloudLinux, they stated: "CSF doesn't always call the BLOCK_REPORT script."
This is how they reproduced it:
---
1) set CT_LIMIT to 20, restarted CSF/LFD;
2) used ab to flood the server with http requests;
3) when the testing IP address was blocked, the Imunify360 captcha showed up;
4) after solving the captcha, Imunify360 adds the IP address to the whitelist;
5) if ab continues flooding, CSF tries to block the IP address again, however it gets immediately unblocked by Imunify360 (because it is in whitelist);
6) at some point CSF blocks the IP address, but does not call the BLOCK_REPORT script - as a result, the IP address is blocked in CSF and Imunify360 knows nothing about it.
---
From my last response from them, it didn't seem like they were going to contact you directly so I wanted to submit the bug to see if this is a known bug and if it can be fixed.
We are running CSF v14.02.
Thanks in advance.
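A way to detect the condition in step 6 from the CSF side, as an added example that is not part of the original post and is not CSF or Imunify360 code: log every BLOCK_REPORT invocation, then flag temporary blocks that have no matching call. Assumptions: the log path and its "epoch ip" format are hypothetical, the temp-ban file (normally `/var/lib/csf/csf.tempban`) holds `epoch|ip|port|direction|ttl|message` lines, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: not CSF or Imunify360 code. Paths and log format are assumptions.
REPORT_LOG="${REPORT_LOG:-/var/log/block_report_calls.log}"  # hypothetical path

# Call this from the script configured as BLOCK_REPORT, passing its first
# argument (the blocked IP), before handing off to the real hook.
record_call() {
    printf '%s %s\n' "$(date +%s)" "$1" >> "$REPORT_LOG"
}

# unreported_blocks TEMPBAN_FILE [REPORT_LOG]
# Prints each IP whose temp block has no logged BLOCK_REPORT call at or
# after the block time (SLACK seconds of tolerance). Assumes tempban lines
# are "epoch|ip|port|direction|ttl|message".
unreported_blocks() {
    log="${2:-$REPORT_LOG}"
    [ -r "$log" ] || log=/dev/null   # nothing logged yet: every block is unreported
    awk -v slack="${SLACK:-5}" '
        mode == "log" { if ($1 + 0 > last[$2] + 0) last[$2] = $1; next }
        mode == "ban" {
            if (split($0, f, "|") < 5) next      # skip malformed lines
            if (last[f[2]] + slack < f[1] + 0) print f[2]
        }
    ' mode=log "$log" mode=ban "$1" | sort -u
}

# Constructed sample data: one reported block, one re-block of a previously
# reported IP with no new call (the case in step 6), one never reported.
demo() {
    d="$(mktemp -d)"
    cat > "$d/calls.log" <<'EOF'
1590857700 198.51.100.9
1590857700 203.0.113.7
EOF
    cat > "$d/tempban" <<'EOF'
1590857702|198.51.100.9||in|3600|constructed: block reported 2s earlier
1590858000|203.0.113.7||in|3600|constructed: re-block with no new call
1590858100|192.0.2.44||in|3600|constructed: block never reported
EOF
    unreported_blocks "$d/tempban" "$d/calls.log"
    rm -rf "$d"
}

demo
```

Comparing timestamps rather than just IP sets matters here: the re-blocked address already appears in the call log from its first block, so a plain set difference would miss it.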