Automatically add cPHulk IP blocks to CFS

CSF will do this when you've fine tuned it.

I see that you only installed csf recently.
Did you choose one of the default profiles?

I'd suggest choosing the high profile, and then fine tuning some of the options to suit your requirements.
It's a mine field.
Also within CSF is the option to use predefined black lists. (LFD Blocklists) (about 4 icons up from the PayPal logo)

The ones with the hash missing, are the ones i'm using, without any detrimental effect.

Code:

#Spamhaus Don't Route Or Peer List (DROP)
#Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

#Spamhaus Extended DROP List (EDROP)
#Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

#DShield.org Recommended Block List
#Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
# TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# Alternative TOR Exit Nodes List
# Details: http://torstatus.blutmagie.de/
# ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# OpenBL.org 30 day List
# Details: https://www.openbl.org
OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.maxmind.com/en/anonymous_proxies
# MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# Blocklist.de
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.blocklist.de
# This first list only retrieves the IP addresses added in the last hour
# BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
# This second list retrieves all the IP addresses added in the last 48 hours
# and is usually a very large list (over 10000 entries), so be sure that you
# have the resources available to use it
# BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

Another neat security feature is "Host Access Control" in whm.
There you could limit certain tasks to IP's.
So for instance, if you, and you alone, should have SSH access, then add your IP address, your range of IP addresses, and deny everyone else.

Again, another bit of a mine field, but happy to show you how i configured mine

 

Also consider moving ssh from port 22 to a port somewhere else (below 1000), and then closing port 22 in CSF.

 

The security tool will help identify vulnerablities, but stronger profiles will help tighten lfd's.
Even then, you might want to tweak them.
for instance, I have SMTP authentication locked down to one failed login and you're blocked.

My server is a company server, our users are not tech savvy and don't have access to smtp outside of the office.

 

Just so you don't inadvertantly block yourself, seriously consider adding not only your work IP, but your home IP, (or ranges if using dynamic) to CSF Firewall Allow IP list.
If dynamic, add it as follows 123.456.0.0/16


And in Host access control in whm do the follwoing.

ALL 123.456.0.0/255.255.0.0 ALLOW (if dynamic)
ALL 123.456.123.123 ALLOW (if static)

If your'e still in the testing phases, or you know that no one else other than you should have access to FTP, SSH, Cpanel etc etc, then add the following entry at the very end of Host Access Control

ALL ALL DENY

Although denying everying to everyone is probably no good if you're renting space out.

 

Yes.
Lets assume your IP at home is allocated dynamically, and is always on 23.255.x.x, then add 23.255.0.0/255.255.0.0 in "Host Access Control"
and 23.255.0.0/16 in CSF Allow IP.

Of course, your dynamic IP could even be a range like 23.245.X.X and 23.243.X.X so you'd need to add these also.

At least if you add a few entries, like work, home, mums and tech support (in your data centre) you have a route in.

 

You will still get Brute Force login attempts, but the added protection from CSF and its tightening of the rules, will offer you much more protection than CPHULK alone.

I'm not sure that you can use domain names in the acces control tool maybe one of the specialists may know this.

 

Eg. At 21:44 last night i see a small number of brute force attempts from 217.92.232.xxx

217.92.232.xxx # lfd: (smtpauth) Failed SMTP AUTH login from 217.92.232.xxx (DE/Germany/pd95ce8c9.dip0.t-ipconnect.de): 1 in the last 3600 secs - Wed Jun 10 21:44:32 2015

As can be seen above, CSF also detected this and added it to the block list.
My block list is for 1500 entries which under normal operating conditions (ie under no attack), lasts about a month before he can come back with that IP.

 

I'm personally not sure in which order these security checks are done, however, i'm pretty sure that once the entry is in CSF deny, then any further attempts from that IP will be blocked.

I don't understand Mod Security at all, it looks like voodoo to me.
When I look in Mod Security tools, I only see entries that were denied.

I dare say that MODSEC has a pre defined set of rules around how many attempts before it logs the entry with CSF, so if someone tries to hack 4 times but the threshold is 5 within a given period, then you would see multiple entries.
And if the hacker comes back after that given period, then he would get another shot.
I have seen ModSec interact with CSF as i regularly see ModSec entries in the CSF block list.

There are some really knowledgeable guys on here who understand this much more than I do, who will no doubt chip in.

 

You did take CSF out of test mode ?

I also went through the same doubts as you are, it took me about 12 weeks to finally start to relax.
When I say relax, by no means take my eye off the ball, but i do feel a little more confident in the tools that are working for me.

 

i'd maybe open another thread for that one, so as not to confuse anyone reading this thread.