
CSF doesn't always call BLOCK_REPORT when IPs get blocked

Posted: 30 May 2020, 17:55
by optize
Good morning CSF Team!

We are currently evaluating if we can use CloudLinux's Imunify360 solution which has a CSF Integration mode.

In Imunify360, when it detects CSF blocked an IP, it will move that block from CSF to Imunify360; however, it relies on the 'BLOCK_REPORT' function of CSF.

During our testing, we've noticed that sometimes CSF will block an IP but Imunify360 didn't see the block.

After going back and forth with CloudLinux, they stated: "CSF doesn't always call the BLOCK_REPORT script."

This is how they reproduced it:

---
1) set CT_LIMIT to 20, restarted CSF/LFD;
2) used ab to flood the server with HTTP requests;
3) when the testing IP address was blocked, the Imunify360 captcha showed up;
4) after solving the captcha, Imunify360 adds the IP address to the whitelist;
5) if ab continues flooding, CSF tries to block the IP address again, however it gets immediately unblocked by Imunify360 (because it is in the whitelist);
6) at some point CSF blocks the IP address, but does not call the BLOCK_REPORT script - as a result, the IP address is blocked in CSF and Imunify360 knows nothing about it.
---

From my last response from them, it didn't seem like they were going to contact you directly so I wanted to submit the bug to see if this is a known bug and if it can be fixed.

We are running CSF v14.02.

Thanks in advance.
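
One way to confirm the gap described in the reproduction steps above, as an added example that is not part of the original post and is not CSF or Imunify360 code: log every BLOCK_REPORT invocation and compare per-IP counts against block events in lfd.log. The function names are hypothetical, and the `*Blocked in csf*` marker, the lfd.log line layout and the IP being the script's first argument are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not CSF or Imunify360 code. The log formats are assumptions.

# Call from the script configured as BLOCK_REPORT to record each invocation.
# Assumption: csf passes the blocked IP as the first argument to that script.
record_block_report() {    # usage: record_block_report REPORT_LOG "$@"
    report_log=$1; shift
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$report_log"
}

# Print "IP blocks reports" for each IP that lfd blocked more often than
# BLOCK_REPORT was invoked. Counting, not set difference, matters here:
# in the reproduction the first block IS reported, a later one is not.
unreported_blocks() {      # usage: unreported_blocks LFD_LOG REPORT_LOG
    awk '
        src == "report" { reports[$2]++; next }
        /\*Blocked in csf\*/ &&
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            blocks[substr($0, RSTART, RLENGTH)]++
        }
        END {
            for (ip in blocks)
                if (blocks[ip] > reports[ip] + 0)
                    printf "%s %d %d\n", ip, blocks[ip], reports[ip]
        }
    ' src=report "$2" src=lfd "$1" | sort
}

# Constructed sample: 203.0.113.7 is blocked three times but reported twice.
demo() {
    dir=$(mktemp -d) || return 1
    for ip in 203.0.113.7 198.51.100.9 203.0.113.7; do
        record_block_report "$dir/report.log" "$ip" "*" 0 in 3600
    done
    cat > "$dir/lfd.log" <<'EOF'
May 30 17:41:02 host lfd[2101]: (CT) IP 203.0.113.7 found to have 31 connections - *Blocked in csf* [CT_LIMIT]
May 30 17:42:10 host lfd[2101]: (CT) IP 198.51.100.9 found to have 25 connections - *Blocked in csf* [CT_LIMIT]
May 30 17:44:37 host lfd[2101]: (CT) IP 203.0.113.7 found to have 40 connections - *Blocked in csf* [CT_LIMIT]
May 30 17:49:55 host lfd[2101]: (CT) IP 203.0.113.7 found to have 44 connections - *Blocked in csf* [CT_LIMIT]
EOF
    unreported_blocks "$dir/lfd.log" "$dir/report.log"
    rm -rf "$dir"
}
demo
```

Any line of output is an IP that lfd blocked without a matching hook call, which is the state in which an integration relying on BLOCK_REPORT has no record of the block.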

Re: CSF doesn't always call BLOCK_REPORT when IPs get blocked

Posted: 03 Dec 2020, 15:41
by optize
Just following up to see if there have been any updates to this?