Page 1 of 1

Restart after adding to external deny include file

Posted: 19 Apr 2022, 19:53
by FourMat
If I were to create an external include file for the csf.deny that listed the IP addresses, would I need to restart the csf service every time the external file was modified?

I would like to use a security detection script that monitors traffic on the website to write an IP to the external csf deny include file. I'd rather not get into execution permissions from a script if possible.

If csf does require a restart each time something is changed in the external include, are there suggestions for another way to pull off dynamically adding or removing IP's using a PHP script or other user account level script?

Re: Restart after adding to external deny include file

Posted: 19 Apr 2022, 23:07
by Sergio
If you add your own list to CSF, you can tell how often do you want CSF to look for that list.

- Enter into CSF.
- Enter into the option "LFD BLOCKLISTS" and read the first REM lines, that will tell you on how to do it.

Simple instructions:
- create and mantain your file.
- add the file, following the instructions in the BLOCKLISTS.
- save and restart CSF, that will the only time you will need to do it.

After you restart CSF from now on, CSF will check your black list and will add the IPs to the firewall.

Re: Restart after adding to external deny include file

Posted: 02 May 2022, 16:32
by FourMat
Thanks. My solution is to write IP's to the .htaccess file for immediate blockage, and also write them to our own blocklist, which gets reloaded every hour. After a couple of hours, I run a routine and remove them from the .htaccess block and keep them in the blocklist for a certain number of days.

Thanks for the suggestion.

Re: Restart after adding to external deny include file

Posted: 02 May 2022, 18:35
by Sergio
Instead of writing the IPs to .htaccess, Have you tried to use a custom regex rule at /usr/local/csf/bin/regex.custom.pm?

Try to do this,
create a rule at /usr/local/csf/bin/regex.custom.pm and left CSF to block the offenders for a period of time automatically, then let your shebang script to recollect the IPs and add them to your own blocklist.

Re: Restart after adding to external deny include file

Posted: 02 May 2022, 22:03
by FourMat
I had not previously known about that. So the CUSTOMx_LOG will be read just like any other log. Right now I'm writing all of the IP's I catch with my trap to a Blocklist.txt that will be sucked in through the LFD_BLOCKLISTS, and that seems to be working ok.

I'd rather not use .htaccess if I can help it, as it has a lot of potential problems with its usage.

So right now Blocklist.txt is just a list of IPs, one on each line. Every line in the file is an IP that needs to be blocked. If I set the CUSTOM1_LOG to point to this IP list, and create a regex that will match if it sees any IP address, then it will instantly be loaded into the system to block the IP for a set period of time, based on the settings in the return statement: eg:

CUSTOM1_LOG = /blah/blah/Blocklist.txt

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)) {
       return ("Failed Blocklist from",$1,"customblocklist","5","80,443","3600/temporary","0");
}
I'm not sure what the "trigger level for blocking" should be set to (5 in this example)

Does this look correct?

Re: Restart after adding to external deny include file

Posted: 02 May 2022, 23:42
by Sergio
Seems to me that we are talking about different things.

The regex rule that you have to write should be created from a LOG generated by the server, if you set the rule that you have in your post in production, as I can see, you will be blocking any IP on the server and that is NO good.

If you want, we can go one step at a time and I will help you to create the rule that you need, but to do that I need to see a LOG line where the IP can be gathered and what was the message that the LOG line has.