Truly permanent IP bans
My csf.deny is currently set to contain a maximum of 1000 entries. It's my understanding that it's not recommended to allow this list to get much larger than this, so I haven't. However, this presents a problem.
I am regularly plagued by spam emails coming from a handful of specific IP ranges. It's easy enough to ban these ranges using the Quick Deny box, like so:
46.19.0.0/16
This adds a manual entry at the end of the csf.deny file. I do this for the 5 or so offending IP ranges and for a few weeks I am blissfully spam free.
Then eventually my manual entries get pushed to the top of csf.deny until they get removed altogether. At that point, the spam starts coming again.
My question is: where and how can I place a completely permanent ban on these IP ranges? There has to be a place where these manual entries can be stored so they are not periodically cleared by the system. If such a place doesn't exist, how do I go about creating one?
I know in theory I could log onto WHM every couple of weeks and manually move those entries to the bottom of csf.deny - but surely there's a better way?
Replying to my own question here: it seems you can link a separate txt file to csf.deny with IPs to block. So I added this line to the top of csf.deny, just above the list of banned IPs:

Include /etc/csf/ipblock.txt

I uploaded the ipblock.txt file to the above location. The content of the file is simply:

46.19.0.0/16
104.160.0.0/16
88.99.0.0/16
216.218.0.0/16
138.201.0.0/16

Will this work? I assume the line I added to csf.deny will not be removed? And if I add more entries to my ipblock.txt, do I then need to restart csf + lfd?
There's no need to create additional lists. If you add # do not delete after the IP, they will remain in the normal block list. I normally follow this up with additional comments for my own records, e.g.

xxx.xxx.xxx.0/24 # do not delete - noisy neighbours
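To show the "# do not delete" marker in practice, here is an added example (my own script, not from the thread or from ConfigServer): it validates an IPv4 CIDR, appends it to a csf.deny-style file with the marker and a reason, skips entries already present, and counts how many marked entries the file holds. The file path comes from an assumed CSF_DENY variable (default /etc/csf/csf.deny) so it can be tried against a scratch file first.

```shell
#!/bin/sh
# Added example, not from the thread or from ConfigServer: append an IPv4 CIDR
# to a csf.deny-style file with the "# do not delete" marker, skipping duplicates.
# CSF_DENY names the file (assumed default /etc/csf/csf.deny); point it at a
# scratch file to try it. After editing the real file, reload with: csf -r

# Return 0 if $1 is an IPv4 address or CIDR (a.b.c.d or a.b.c.d/nn), else 1.
# IPv6 entries are not handled here.
valid_cidr() {
    ip="${1%/*}"
    case "$1" in */*) len="${1#*/}" ;; *) len=32 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -f; set -- $ip; set +f            # split on dots, no globbing
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# deny_permanent CIDR [REASON]: prints "added", "present" or "invalid".
# A line whose first field equals the CIDR counts as present, so an entry csf
# added by itself is not duplicated (add the marker to it by hand if needed).
deny_permanent() {
    cidr="$1"; reason="${2:-manual permanent block}"
    file="${CSF_DENY:-/etc/csf/csf.deny}"
    if ! valid_cidr "$cidr"; then
        echo "invalid"; return 1
    fi
    if awk -v c="$cidr" '$1 == c { f = 1 } END { exit !f }' "$file" 2>/dev/null; then
        echo "present"; return 0
    fi
    printf '%s # do not delete - %s\n' "$cidr" "$reason" >> "$file"
    echo "added"
}

# Marked entries still count against DENY_IP_LIMIT, so keep an eye on this number.
count_permanent() {
    file="${CSF_DENY:-/etc/csf/csf.deny}"
    [ -f "$file" ] || { echo 0; return 0; }
    awk '/# do not delete/ { n++ } END { print n + 0 }' "$file"
}

# Demo against a scratch file: CSF_DENY=/tmp/deny.test sh thisfile.sh
if [ -n "$CSF_DENY" ]; then
    deny_permanent 46.19.0.0/16 "noisy neighbours"
    echo "permanent entries: $(count_permanent)"
fi
```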
Sorry, bad edit...
Thanks, this is what I was looking for! I knew there had to be a way...
I don't really want to load up long lists with thousands of IPs, it would just end up slowing down the server.
Not necessarily. :) Check your firewall configuration for IPset options.

This option allows you to use ipset v6+ for the following csf options: CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER

ipset will only be used with the above options when listing IPs and CIDRs. Advanced Allow Filters and temporary blocks use traditional iptables.

Using ipset moves the onus of ip matching against large lists away from iptables rules and to a purpose built and optimised database matching utility. It also simplifies the switching in of updated lists.

To use this option you must have a fully functioning installation of ipset installed either via rpm or source from IP sets.

Note: Using ipset has many advantages, some disadvantages are that you will no longer see packet and byte counts against IPs and it makes identifying blocked/allowed IPs that little bit harder.

Note: If you mainly use IP address only entries in csf.deny, you can increase the value of DENY_IP_LIMIT significantly if you wish.

Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ containers even if it has been installed.

If you find any problems, please post on forums.configserver.com with full details of the issue.

I've highlighted the important parts of that above for you. ;)