Auto block Remote IPs reported by CXS
I receive CXS scan results in an email showing what the attempt was and the file quarantined, even though the URL the attacker tried is 404. It also shows the Remote IP, i.e. the source of this attack. However, when I search for this IP in CSF, it is not listed anywhere, not even in the temp blacklisted IP list. Is there a way to blacklist Remote IPs reported by CXS automatically in CSF? I feed bad IP lists from free sources, but sometimes the attacker IP is new and not on any of the lists. Thank you.
Web upload script URL : http://.../wp-admin/admin-ajax.php
Remote IP : 20.17.96.236
Deleted : No
Quarantined : Yes
-
Hey there! If you haven't seen this, it's worth a quick read:
https://www.cpanel.net/blog/products/the-end-of-configserver/
I don't have any ready-made tools that would handle this work, but if you have any specific items you'd like to see in our future firewall tool I'd encourage you to leave your comments here:
https://features.cpanel.net/c/202-firewall-configuration-tool
0 -
I'm all over that firewall consideration... as long as it doesn't end up like CPGS. I kind of miss CPGS, it was fun.
I seem to remember something, maybe it was in LFD, that would monitor for excessive 404 hits coming from a single IP and would add them to a temporary block. Have you gone through the settings for that to see if it might be in there somewhere?
1 -
LFD could block things with certain criteria, yes, but that was also a ConfigServer tool and not something we made.
0 -
I see that I can use the LF_APACHE_404 in the settings as a workaround since these attacks generate 404, thank you for the suggestion.
0
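One way to approach the request in the original question, as an added example that is not code from this thread, cPanel or ConfigServer: a small shell filter that pulls the "Remote IP" field out of a CXS report and adds a temporary deny with CSF's `csf -td ip ttl comment` option. It assumes the report text is piped in on stdin; `DRY_RUN`, `BLOCK_TTL` and the function names are hypothetical, and the sample report is constructed from the fields quoted in the question.

```shell
# Added example (not from the thread). Assumptions: the report text arrives on
# stdin; DRY_RUN, BLOCK_TTL and the function names are hypothetical.
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the csf command instead of running it
BLOCK_TTL="${BLOCK_TTL:-3600}"  # seconds the temporary block lasts

# Constructed sample report: the fields quoted in the question plus a loopback hit.
SAMPLE_REPORT='Web upload script URL : http://.../wp-admin/admin-ajax.php
Remote IP : 20.17.96.236
Deleted : No
Quarantined : Yes
Remote IP : 127.0.0.1'

# Print each unique IPv4 found in a "Remote IP : a.b.c.d" field on stdin.
extract_remote_ips() {
    grep -oE 'Remote IP[[:space:]]*:[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}' |
        sed -E 's/^Remote IP[[:space:]]*:[[:space:]]*//' | sort -u
}

# Succeed only for a well-formed, publicly routable IPv4 address, so a report
# naming localhost or an internal proxy never blocks your own hosts.
is_blockable() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*) return 1 ;; esac   # empty octet or leading zero
        [ "$o" -le 255 ] || return 1
    done
    case $1 in 0|10|127) return 1 ;; esac
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
    return 0
}

# Read a CXS report on stdin and temp-deny every blockable Remote IP via csf -td.
block_from_report() {
    extract_remote_ips | while read -r ip; do
        is_blockable "$ip" || { echo "skip $ip"; continue; }
        if [ "$DRY_RUN" = 1 ]; then
            echo "csf -td $ip $BLOCK_TTL CXS upload hit"
        else
            csf -td "$ip" "$BLOCK_TTL" "CXS upload hit"
        fi
    done
}

printf '%s\n' "$SAMPLE_REPORT" | block_from_report
```

With `DRY_RUN` left at 1 the script only prints the commands it would run, which makes it easy to check the extracted addresses before letting it change firewall state.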