Updating the csf.disallow from php file

**wineo** · 03-19-2010 02:17 AM

Did a few searches for this but didn't find anything, can some point me in the right direction?

I have set up an error404 notification that emails me when there are missing files or broken links. Recently, notifications for someone looking for phpmyadmin (and similar) folders on the server have come through in the thousands. I would love to track the IP address being used to prod at my server and add it to the firewall after a certain amount of attempts.

This means that I would have to update the csf.disallow list and restart the firewall. Has anyone done this before?

**Spiral** · 03-21-2010 05:50 PM

I already have a library of security applications and scripts that monitor precisely what you are asking about specifically and directly interface CSF's configuration and could help you get setup with some of those if you would like.

However, if you are just wanting to know the command to call from your scripts to add to the "csf.deny" list, this works and doesn't require any restart of your firewall as it adds it live in one step:

Code:

# /usr/sbin/csf -d "(ip or cidr goes here)" "Any comments you want"

You can also temporarily ban IPs (in seconds):

Code:

# /usr/sbin/csf -td "(ip or cidr goes here)" 3600

(The above would block the IP given for 1 hour)

You could also setup a cron process to watch your log files and then issue these commands accordingly as needed.

**wineo** · 03-22-2010 12:42 AM

Thanks Spiral!

These commands work perfectly in command line. What function should I use to run this command from php? I have tried 'shell_exec', 'exec' and 'system' to run this but the IP doesn't get added.

**wineo** · 03-22-2010 01:41 AM

I think that there is a permissions issue with the script... needs to run as root on the server. Does this have something to do with the server being in safe mode?

**Spiral** · 03-22-2010 05:42 PM

Originally Posted by wineo

Thanks Spiral!

These commands work perfectly in command line. What function should I use to run this command from php? I have tried 'shell_exec', 'exec' and 'system' to run this but the IP doesn't get added.

My first question is "Why are you writing this in PHP?" which is more of a curiosity than anything as there might be better options.

My second question is "Is this meant to run from the web or not?"

If you are not running this from the web or someplace that is web accessible, you could just simply setup your script as a root level cronjob and then it will be able to run the commands no problem.

You could grant sudo privileges to the commands you need directly so that they can be run from other users but I don't recommend this method.

If you mean to run this as a forward outside world facing script on the web then instead of calling the firewall blocking commands instead perhaps put that information in a database and have a separate process setup behind the scenes reading the same database and executing your blocks as this break the direct connection between those functions.

If you are running this as a process just to read your logs and take actions based on what is in your logs, might want to setup your script as a shell script which can be done by adding a shebang line at the top and set execute permissions and then you can run it directly as a shell script.

(IE: "#!/usr/bin/php")

You mentioned that the "IP does not get added" ---

Exactly how are you determining your IP addresses?

Just reading from your log files?

Using REMOTE_ADDR when the script is executed, etc?

**wineo** · 03-22-2010 10:59 PM

We have a custom error 404 page that incorporates the site and navigations. This page also emails me to let me know if there are any broken links in the site or missing files, this helps especially when developing.

Last week I received 2500 emails telling me that someone was trying to access the folder /phpmyadmin and /mysql / and ... which means that someone was trying to find 'holes' in the server. Now what I was hoping to do was get the custom error 404 page to check agains a pre defined list or automated for these folders/strings in the requested urls and if there were a number of matches I could add the offending IP address to the firewall.

The error 404 page can run the php exec function, but I need to get the permissions right to allow this page to run this function. I get "sh: /usr/sbin/csf: Permission denied" in the error logs. I also check the firewall for the IP address that I am testing from to see if it has been added. Yes, I use REMOTE_ADDR to obtain the IP.

**Spiral** · 03-23-2010 02:03 AM

It would seem like a grep of the traffic logs for 404 responses and banning the logged IP on certain requests might make a little bit more sense.

I am not sure I would agree with automatically emailing you at every 404 is necessarily the best of ideas either. Might be better to keep a running count of the bad request in a database or file and when when that particular request crosses a preset threshold, then email you

**wineo** · 03-31-2010 08:37 PM

Thanks Spiral, we usually just use the error emails while developing or if there are issues.

I will have to run a cron to check the log files for these errors. I have one that checks the log file errors from where it left off on last run. Is it a bad idea to run the cron every minute?

LinkBack

Thread Tools

Updating the csf.disallow from php file

possible to disallow custom php.ini via whm?

CSf Firewall: Edit csf.deny, the IP address deny file (Currently:1000 permanent IP b

CSf Firewall: Edit csf.deny, the IP address deny file (Currently:1000 permanent IP b

How to disallow php.ini overriding?

CSF firewall - "Manually denied" in the csf.deny file?