Including a text file in CSF
I posted this on the CSF forum a few days ago, but there hasn't been a reply. This is a pretty important security issue for me, though, so I'm hoping extra eyes here might have some input.
I'm trying to use the command:
Include /home/example/blacklist.txt
in the csf.deny file. I understand that this lets me have a remote text file with blocked IPs that I can update via PHP.
The questions I have, though, are:
1. If I add an IP to blacklist.txt, do I need to restart CSF? If so, can this be done via PHP?
2. Can I make comments in blacklist.txt using #, like I do in csf.deny?
3. I don't suppose there's an easy way to make temporary denies in an included file, is there? I'm hoping to use PHP to blacklist people that meet specific patterns (like those that attempt SQL injections), but want the ability to blacklist them for a short period without having to go in and remove them from the list manually.
I guess it could be done with a cronjob, but I don't want to go to all that trouble if there's an easy built-in way already.
TIA,
Jason
-
[QUOTE]I posted this on the CSF forum a few days ago, but there hasn't been a reply. This is a pretty important security issue for me, though, so I'm hoping extra eyes here might have some input.[/QUOTE]
It might not be responded to, either. Reading the docs is helpful.
[QUOTE]I'm trying to use the command: Include /home/example/blacklist.txt[/QUOTE]
That's not a command, it's an include. I would think adding an include to a blocklist, to another blocklist, is not going to work.
1) Yes. See CSF readme.txt: 24. IP Block Lists
2) Yes.
3) CSF can temp ban, yes of course. It's all in the settings.
Your post reads like you've never gone through your CSF config and seen all the available options. The only catch is that you want to do manually, via PHP, what CSF does for you automatically. Are you hoping to reinvent the wheel here?
-
[QUOTE]It might not be responded to, either. Reading the docs is helpful.[/QUOTE]
I don't understand what you mean. I read the docs, but they only gave a paragraph regarding the use of Include, and it was a little vague. Was there further clarification that I missed?
[QUOTE]That's not a command, it's an include.[/QUOTE]
Sorry, just a typo, really. I was posting right before going to bed, so my brain wasn't firing on all cylinders :-)
[QUOTE]3) CSF can temp ban, yes of course. It's all in the settings.[/QUOTE]
I realize that I can temp ban in CSF, but I don't know if it can be done with an Include file that can be modified via PHP. That's what I haven't been able to find.
[QUOTE]Your post reads like you've never gone through your CSF config and seen all the available options. The only catch is that you want to do manually, via PHP, what CSF does for you automatically. Are you hoping to reinvent the wheel here?[/QUOTE]
I've actually gone through it pretty extensively, so I'm thinking that you may be misunderstanding my intent. Either that, or I've grossly overlooked / misunderstood some options.
I've had a string of hackers trying to inject SQL commands, so I'm trying to block IPs (preferably a temp block) based on QUERY_STRING. Last night I had someone try to send roughly 500 injection commands within 3 minutes; by the time I saw it and logged in to CSF manually, they had stopped. (Their IP didn't show in the permanent or temp deny lists, so I have to assume that they stopped on their own instead of being blocked by CSF.) A few weeks ago, I had a major attack that overloaded the server; they were trying numerous attempts for a few hours! This is what brought it to my attention, actually.
If there's a way for CSF to catch and prevent SQL injections, that would be great, but I haven't found it in the configuration. All I know to do is watch for it manually on my end.
-
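The script below is an added example, not code from the original posts, from CSF or from the PHP Jason mentions. It implements the "temporary deny in an Include file plus a cron job" idea from the thread: each line written to the Include file carries an `expires=<epoch>` comment, expired lines are pruned on every run, and csf is restarted when the file changed. It relies on two CSF behaviours: csf reads csf.deny and its Include files only when it (re)starts, so `csf -r` must follow every change, and `#` comments are allowed on entry lines. The Include path /home/example/blacklist.txt is the one from the post; the Apache-style log lines and the SQL injection regex are constructed for the example and the regex is deliberately crude (CSF's own `csf -td IP ttl` gives a native temporary deny without any of this, and the modsec route in the next reply avoids maintaining a list at all).

```python
"""Added example: temporary denies kept in a text file that csf.deny pulls in
with 'Include /home/example/blacklist.txt' (path taken from the post).

CSF reads csf.deny and its Include files only on (re)start, so 'csf -r'
must follow every change. '#' comments are permitted on entry lines, which
is where this script stores the expiry. Log lines and the SQLi regex are
constructed for the example.
"""
import re
import subprocess
import time
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /item.php?id=1'%20OR%201=1-- HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /item.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+)')
# Crude SQL injection indicators, applied to the URL-decoded QUERY_STRING.
# Tune (or hand this job to modsec) before relying on it: false positives block users.
SQLI_RE = re.compile(
    r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table|sleep\(\s*\d+\s*\))",
    re.IGNORECASE,
)
# Line format written to the Include file: "IP # expires=<epoch> <reason>"
ENTRY_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:/]+)\s*#\s*expires=(?P<exp>\d+)(?:\s+(?P<reason>.*))?$"
)


def find_offenders(log_text, threshold=2):
    """Return {ip: hits} for IPs whose decoded query string matched SQLI_RE
    at least `threshold` times in the supplied log text."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = unquote_plus(urlsplit(m.group("target")).query)
        if SQLI_RE.search(query):
            hits[m.group("ip")] = hits.get(m.group("ip"), 0) + 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def parse_blacklist(text):
    """Parse the Include file; blank lines and whole-line comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("ip")] = (int(m.group("exp")), m.group("reason") or "")
    return entries


def render_blacklist(entries):
    """Render entries in csf.deny syntax, one IP per line, expiry in the comment."""
    header = "# generated; csf.deny pulls this in via: Include /home/example/blacklist.txt\n"
    body = "".join(
        f"{ip} # expires={exp} {reason}".rstrip() + "\n"
        for ip, (exp, reason) in sorted(entries.items(), key=lambda kv: kv[1][0])
    )
    return header + body


def update_entries(entries, new_ips, ttl, now, reason="sqli"):
    """Drop expired entries, then add (or extend) a temp deny for each new IP."""
    live = {ip: v for ip, v in entries.items() if v[0] > now}
    for ip in new_ips:
        live[ip] = (max(live.get(ip, (0, ""))[0], now + ttl), reason)
    return live


def refresh_blacklist(path, log_text, ttl=3600, now=None, apply=False):
    """Cron entry point (run as root): prune, add offenders, rewrite the Include
    file and, if apply=True, restart csf so the change actually takes effect."""
    now = int(time.time()) if now is None else now
    try:
        with open(path) as fh:
            old = parse_blacklist(fh.read())
    except FileNotFoundError:
        old = {}
    new = update_entries(old, find_offenders(log_text), ttl, now)
    if new != old:
        with open(path, "w") as fh:
            fh.write(render_blacklist(new))
        if apply:
            subprocess.run(["csf", "-r"], check=True)  # csf re-reads csf.deny only on restart
    return new


if __name__ == "__main__":
    demo = update_entries({}, find_offenders(SAMPLE_LOG), 3600, int(time.time()))
    print(render_blacklist(demo), end="")
```

Two practical points: `csf -r` needs root, which is why the rewrite-and-restart step belongs in a root cron job rather than in the PHP that runs as the web server user (PHP can append candidate IPs to a staging file that the cron job consumes); and because expiry only takes effect at the next restart, the cron interval is the real granularity of the "temporary" deny.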
I guess we're carrying on from before. The idea of using the modsec triggers is a good one, because it takes your own application out of the picture and has everything done by CSF and modsec. If you're wanting to go with using an otherwise generated file of IPs (because you're in a low memory environment or don't want to use modsec for whatever reason), you actually need to give this file to CSF within the csf config (csf can be configured to download block lists over the web):
[QUOTE]This feature allows csf/lfd to periodically download lists of IP addresses and CIDRs from published block or black lists. It is controlled by the file: /etc/csf/csf.blocklists
Uncomment the line starting with the rule name to use it, then restart csf and then lfd.
Each block list must be listed one per line as NAME|INTERVAL|MAX|URL
NAME    : List name with all uppercase alphabetic characters with no spaces and a maximum of 9 characters - this will be used as the iptables chain name
INTERVAL: Refresh interval to download the list, must be a minimum of 3600 seconds (an hour), but 86400 (a day) should be more than enough
MAX     : This is the maximum number of IP addresses to use from the list, a value of 0 means all IPs
URL     : The URL to download the list from[/QUOTE]
note that URL here will be
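As an added example (not from the posts or the CSF readme), here is what a csf.blocklists entry for this thread's scenario would look like, assuming the PHP-generated list is served from the same host at https://www.example.com/blacklist.txt; the name SQLIBLK and the URL are assumptions, the field constraints are the ones quoted from the readme above:

```text
# /etc/csf/csf.blocklists   (one entry per line: NAME|INTERVAL|MAX|URL)
# NAME     : uppercase letters only, no spaces, max 9 chars (becomes the iptables chain name)
# INTERVAL : seconds between downloads, minimum 3600
# MAX      : 0 = use every IP in the list
SQLIBLK|3600|0|https://www.example.com/blacklist.txt
```

After editing csf.blocklists, restart csf and then lfd as the readme says. Two caveats worth weighing against the Include approach: lfd fetches the list at most once per INTERVAL, so a freshly blocked IP can take up to an hour to reach the firewall, which defeats the "stop them within minutes" goal; and whoever can write to that URL can block arbitrary addresses on your firewall, so serve it over HTTPS, keep the file writable only by the process that generates it, and never let user-supplied data land in it unvalidated.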