IP Deny logging to a database or post block/post remove hooks

Posted: 09 Sep 2008, 16:20
by nickp666
Would it be possible to do either of the following:

1. Log all csf/lfd blocks and removes to a database of some nature, to enable this to be queried for use elsewhere by non-privileged accounts

or 2. Add some form of hook script to be run after an IP is blocked or removed from the blocklist (much like cPanel's postupcp method)

My reason for asking is I am trying to create some form of centralised database of blocks from my network so that I can send clients to a 'check if your IP is blocked' page.

Presently I am manually parsing the block file and running a script via cron to do this; it would be far more elegant if I could do this as and when the blocks happened.

TIA

Posted: 09 Sep 2008, 17:03
by chirpy
Nick, that's a good idea and I've put the idea on the development list.

Posted: 09 Sep 2008, 17:55
by nickp666
excellent, keep me posted and I will post my work up as open source

Posted: 10 Sep 2008, 06:21
by nabuhonodozor
Jonathan, it would also be great if those blocked IPs were stored in some centralised point where others could compare them with their own logs; it would then be possible to analyse persistent attackers across our servers, something like dshield but closer to csf. What do both of you think?

Posted: 10 Sep 2008, 13:14
by nickp666
Sounds like a good idea in principle; I'm assuming your idea is some form of RBL based on the blocks by csf?

The only downside to this would be the false positive rate: given that clients frequently forget passwords and end up getting themselves blocked for login failures, I guess some form of scoring method (e.g. this IP address is blocked on x csf-based servers) would have to be attached to this, otherwise the RBL would be blocking legitimate (but forgetful) users.
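
Added example, not code from this thread or from csf itself, covering both the "log blocks and removes to a database" request above and the per-IP scoring idea in this post. It assumes csf's block-report hook calls a script with positional arguments in the order ip, ports, permanent, inout, timeout, message, logs (check the BLOCK_REPORT entry in your own csf.conf before relying on that), and the database path, table layout, "server" label and the leading block/remove event word are this example's own conventions: a small wrapper per csf hook would prepend the event word before calling it.

```python
"""Record csf/lfd block and unblock events in SQLite, and answer the two
questions the thread asks: 'is my IP blocked right now?' (for a client-facing
page) and 'on how many servers has this IP been blocked?' (the scoring idea)."""
import sqlite3
import sys
import time

# Table layout is this example's own; csf has no such schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS blocks (
    id         INTEGER PRIMARY KEY,
    server     TEXT    NOT NULL,
    ip         TEXT    NOT NULL,
    permanent  INTEGER NOT NULL,
    message    TEXT,
    blocked_at INTEGER NOT NULL,
    removed_at INTEGER
);
CREATE INDEX IF NOT EXISTS blocks_ip ON blocks (ip);
"""


def open_db(path=":memory:"):
    """Open (or create) the block database; ':memory:' keeps it self-contained."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_block(conn, server, ip, permanent, message, now=None):
    """Insert a row for a new block on `server`; returns the new row id."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "INSERT INTO blocks (server, ip, permanent, message, blocked_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (server, ip, 1 if permanent else 0, message, now),
    )
    conn.commit()
    return cur.lastrowid


def record_remove(conn, server, ip, now=None):
    """Close every open block of `ip` on `server`; returns rows updated."""
    now = int(time.time()) if now is None else now
    cur = conn.execute(
        "UPDATE blocks SET removed_at = ? "
        "WHERE server = ? AND ip = ? AND removed_at IS NULL",
        (now, server, ip),
    )
    conn.commit()
    return cur.rowcount


def is_blocked(conn, ip):
    """For the 'check if your IP is blocked' page: open blocks as (server, message)."""
    return conn.execute(
        "SELECT server, message FROM blocks "
        "WHERE ip = ? AND removed_at IS NULL ORDER BY server",
        (ip,),
    ).fetchall()


def server_count(conn, ip, since=0):
    """Scoring: number of distinct servers that blocked `ip` at or after `since`.
    A forgetful client trips one server; a scanner trips many."""
    (n,) = conn.execute(
        "SELECT COUNT(DISTINCT server) FROM blocks WHERE ip = ? AND blocked_at >= ?",
        (ip, since),
    ).fetchone()
    return n


def main(argv):
    # Hypothetical call shape: <event> ip ports permanent inout timeout message logs
    # where <event> is 'block' or 'remove', prepended by a per-hook wrapper.
    event, ip = argv[1], argv[2]
    conn = open_db("/var/lib/csf-blocks/blocks.db")  # assumed path
    server = "this-server"  # assumed label; use the real hostname in practice
    if event == "block":
        permanent = argv[4] == "1" if len(argv) > 4 else False
        message = argv[7] if len(argv) > 7 else ""
        record_block(conn, server, ip, permanent, message)
    elif event == "remove":
        record_remove(conn, server, ip)


if __name__ == "__main__":
    main(sys.argv)
```

The client-facing page only needs read access to the database file, so the hook can write as root while the web account reads a copy or a read-only view; that keeps privileged csf state out of the unprivileged page.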

Posted: 10 Sep 2008, 16:53
by chirpy
I did look into a clustering option for csf servers, but it's fraught with security implications, so I abandoned it. You'll be able to build your own database and dependent applications or whatever you want to do with the block information data when it's passed out from csf.

Posted: 17 Sep 2008, 08:52
by guidob
Some sort of distributed blocking would be nice too. I get tons of mails from the same bots scanning all my servers now.

Posted: 16 Oct 2008, 12:56
by nickp666
Noticed the post-block hook added in today, thanks greatly, chirpy!

Posted: 17 Oct 2008, 09:28
by chirpy
I tested it with a rudimentary script, let me know if there are any problems with it.

Posted: 17 Oct 2008, 15:48
by nickp666
chirpy wrote: I tested it with a rudimentary script, let me know if there are any problems with it.

I tested it with PHP using Console_Getopt; seems to be working OK.