Currently, after XXX entries in the deny file, csf automatically starts removing the oldest entries. Is there a way to have a list of permanent deny entries that never get auto removed? Is this the global deny list, or would this be a new feature?
Rob
permanent deny list?
DENY_IP_LIMIT
Is that what you are looking for?

# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP's) which can cause problems on some systems
# where either the number of iptables entries has been limited (esp VPS's)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured. The value set here is the maximum number of IPs/CIDRs allowed.
# If the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
Not exactly. I understand that setting, and use it as well. But we have a list of permanent deny rules we need loaded and never deleted even when the limit is reached. I guess the global deny is the solution, but I'm just confirming that is true, that a global deny list will never be removed even if the deny_ip_limit is reached. Thanks.
Rob
robm wrote:
Not exactly. I understand that setting, and use it as well. But we have a list of permanent deny rules we need loaded and never deleted even when the limit is reached. I guess the global deny is the solution, but I'm just confirming that is true, that a global deny list will never be removed even if the deny_ip_limit is reached. Thanks.
Rob

Yes, use the GLOBAL DENY option and those IPs will not be delisted until you erase them from the file.