all-in-one IP protection

sehh

Well-Known Member
Feb 11, 2006
Europe
As far as I know, once a system has been compromised (virus, rootkit, etc), it acts as a zombie host for a number of things. Thus, the same compromised system may act as a proxy to send spam, participate in a DDoS attack, perform Brute Force attacks, and all sorts of other "kool" things.

What I believe would be ideal is a complete all-in-one system that protects all services from blacklisted/banned IP addresses.

For example, by extending cPHulk, to cover:

- exim from spam (instead of exim using /etc/spammeripaddresses).
- apache from remote exploits and other attacks (blocking IP addresses is faster than sending the requests to be processed via modsec).
- dovecot from overzealous brute force attempts that flood the authentication processes and don't let normal users get in.

By extension, it would be ideal if cPHulk would block whole countries per domain/account. Some clients are so locally based that they have no communication outside their own country or even organization. It would be ideal for them to block continents/countries. It is something we already do, but with 3rd party tools.

The result would be to block an IP address because it tried to perform a Brute Force attack one day, and the next day when it tries to send spam, it will already be blacklisted!!! The day after, it may try a remote exploit on apache/php, or whatever, and it will still fail to have any effect because it has already been blacklisted the very first day it tried something.

What do you guys think?


PS:
I came to this conclusion because I compared cPHulk IP addresses to my exim/dovecot/apache logs and I found the same addresses being repeated over and over again.
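The cross-log comparison described in the PS, as an added example that is not part of the original post: it scans constructed exim, dovecot and Apache log lines for relay rejections, failed logins and 4xx responses, then reports IPs that misbehave on more than one service and whether a constructed cPHulk blocklist already covers them.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the original post) in the usual
# exim mainlog, dovecot and Apache combined-log formats. 203.0.113.7 misbehaves
# everywhere; 198.51.100.9 only in exim; 192.0.2.50 is a normal user.
EXIM_LOG = [
    "2024-05-01 10:02:11 H=(mail.example) [203.0.113.7] rejected RCPT <a@b>: relay not permitted",
    "2024-05-01 10:05:40 H=(mx.example) [198.51.100.9] rejected RCPT <c@d>: relay not permitted",
]
DOVECOT_LOG = [
    "May  1 10:03:02 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1",
    "May  1 10:04:15 host dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1",
]
APACHE_LOG = [
    '203.0.113.7 - - [01/May/2024:10:06:30 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.50 - - [01/May/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
# Constructed stand-in for the set of addresses cPHulk has already blocked.
CPHULK_BLOCKED = {"203.0.113.7"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One "this client misbehaved" pattern per service; group 1 is the client IP.
PATTERNS = {
    "exim": re.compile(r"\[" + IP + r"\].*rejected"),
    "dovecot": re.compile(r"auth failed.*?rip=" + IP),
    "apache": re.compile(r"^" + IP + r' .*?" 4\d{2} '),
}


def suspicious_ips(lines, service):
    """Count misbehaving events per client IP for one service's log lines."""
    hits = defaultdict(int)
    for line in lines:
        m = PATTERNS[service].search(line)
        if m:
            hits[m.group(1)] += 1
    return dict(hits)


def correlate(logs):
    """Map each IP to the set of services in which it misbehaved."""
    seen = defaultdict(set)
    for service, lines in logs.items():
        for ip in suspicious_ips(lines, service):
            seen[ip].add(service)
    return dict(seen)


def repeat_offenders(seen, blocklist, min_services=2):
    """IPs active on >= min_services, with whether the blocklist already has them."""
    return {ip: (sorted(svcs), ip in blocklist)
            for ip, svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    seen = correlate({"exim": EXIM_LOG, "dovecot": DOVECOT_LOG, "apache": APACHE_LOG})
    for ip, (services, blocked) in repeat_offenders(seen, CPHULK_BLOCKED).items():
        print(ip, services, "already blocked" if blocked else "NOT blocked")
```

Pointing the three lists at real log files (and the blocklist at cPHulk's list) turns this into the check the PS describes; an IP that shows up as a repeat offender but "NOT blocked" is exactly the gap a single shared blocklist would close.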
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Just use CSF.

If someone gets blocked for e-mail brute forcing, for example, they're blocked in iptables, which ceases all communication to/from your server and that IP address.

I wouldn't hold your breath waiting for cPHulk to do all this when CSF basically already does it and is free. Also, LF_MODSEC will block IP addresses entirely after they trigger more than X number of modsec rules (usually 5).