Automatically add cPHulk IP blocks to CSF

angelleye

Active Member
Nov 25, 2011
38
2
58
Kansas City, MO
cPanel Access Level
Root Administrator
Twitter
I've got cPHulk configured so that's catching quite a few brute force attempts. It sends me an email notification each time it locks somebody out with a handy link to blacklist the IP address in cPHulk if I want to.

I've read, though, that it's better to block the IP in CSF because then it never even makes it to cPHulk and won't use up server resources at all, so each time I get one of these emails I've been adding the IP to /etc/csf/csf.deny.

Is there some way to automate this? Basically, any time cPHulk blocks an IP because it reached the max number of failed attempts I would like that IP automatically added to /etc/csf/csf.deny.

Any info on this would be great. Thanks!
 

angelleye

Active Member
Actually, I just noticed in the cPHulk configuration in WHM there seems to be an option to do this, but it's disabled so I can't enable it and it says...

The system disabled firewall options. These options require IPTables v1.4 or higher and a non-Virtuozzo environment.
I see that I can choose to run my own command, though, so I'd imagine I can get it done that way..?? I'm not finding any details about how to write such a script, though..??
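One way to script the cPHulk "run my own command" option so that each blocked IP lands in /etc/csf/csf.deny. This is an added example, not code from the original thread or from cPanel/CSF, and it assumes cPHulk hands the offending IP to the command as its first argument (check the option's description in WHM for the exact arguments it passes).

```shell
#!/bin/sh
# Hypothetical cPHulk custom-command hook: add the offending IP to CSF's deny list.
# Assumption: cPHulk passes the blocked IP as $1 (verify against the WHM option).
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the IP is already a deny entry (exact match on the first field),
# so a repeat offender does not produce duplicate lines.
already_denied() {
    escaped=$(echo "$1" | sed 's/\./\\./g')
    [ -f "$CSF_DENY" ] && grep -Eq "^${escaped}([[:space:]]|#|\$)" "$CSF_DENY"
}

# Add the IP to the deny list. When the csf CLI is available it is used so the
# rule is loaded into iptables immediately; otherwise the csf.deny line format
# ("ip # comment", as seen in lfd's own entries) is appended directly.
block_ip() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing invalid IP: $ip" >&2; return 2; }
    if already_denied "$ip"; then
        echo "already denied: $ip"
        return 0
    fi
    if command -v csf >/dev/null 2>&1; then
        csf -d "$ip" "cPHulk brute force $(date -u '+%Y-%m-%d %H:%M:%S')"
    else
        echo "$ip # cPHulk brute force - $(date -u '+%a %b %d %H:%M:%S %Y')" >> "$CSF_DENY"
    fi
}

# Entry point when cPHulk invokes the script directly.
if [ -n "${1:-}" ]; then
    block_ip "$1"
fi
```

Restrict the script to root (it writes a CSF configuration file) and test it first with CSF_DENY pointed at a scratch file.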
 

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
CSF will do this when you've fine tuned it.

I see that you only installed csf recently.
Did you choose one of the default profiles?

I'd suggest choosing the high profile, and then fine tuning some of the options to suit your requirements.
It's a mine field.
Also within CSF is the option to use predefined black lists. (LFD Blocklists) (about 4 icons up from the PayPal logo)

The ones with the hash missing are the ones I'm using, without any detrimental effect.

Code:
#Spamhaus Don't Route Or Peer List (DROP)
#Details: http://www.spamhaus.org/drop/
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

#Spamhaus Extended DROP List (EDROP)
#Details: http://www.spamhaus.org/drop/
SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

#DShield.org Recommended Block List
#Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# TOR Exit Nodes List
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
# TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# Alternative TOR Exit Nodes List
# Details: http://torstatus.blutmagie.de/
# ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# OpenBL.org 30 day List
# Details: https://www.openbl.org
OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.maxmind.com/en/anonymous_proxies
# MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# Blocklist.de
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.blocklist.de
# This first list only retrieves the IP addresses added in the last hour
# BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
# This second list retrieves all the IP addresses added in the last 48 hours
# and is usually a very large list (over 10000 entries), so be sure that you
# have the resources available to use it
# BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

Another neat security feature is "Host Access Control" in WHM.
There you could limit certain tasks to IPs.
So for instance, if you, and you alone, should have SSH access, then add your IP address, your range of IP addresses, and deny everyone else.

Again, another bit of a mine field, but happy to show you how I configured mine.
 

angelleye

Active Member
keat63 said:
I see that you only installed csf recently.
Did you choose one of the default profiles?

I'd suggest choosing the high profile, and then fine tuning some of the options to suit your requirements.
It's a mine field.
Well, no. I'm new to all of this so I was just following tutorials and I didn't see the profiles until later. I just did a general install, and then I went through the "Check Server Security" tool it was providing in WHM to lock it all down as much as I could. I'm showing a score of 130/133 now. Is that basically the same as I would have had if I chose the high profile?
 

keat63

Well-Known Member
Also consider moving ssh from port 22 to a port somewhere else (below 1000), and then closing port 22 in CSF.
 

keat63

Well-Known Member
The security tool will help identify vulnerabilities, but stronger profiles will help tighten lfd's.
Even then, you might want to tweak them.
For instance, I have SMTP authentication locked down to one failed login and you're blocked.

My server is a company server, our users are not tech savvy and don't have access to smtp outside of the office.
 

keat63

Well-Known Member
Just so you don't inadvertently block yourself, seriously consider adding not only your work IP, but your home IP (or ranges if using dynamic) to the CSF Firewall Allow IP list.
If dynamic, add it as follows 123.456.0.0/16


And in Host Access Control in WHM do the following.

ALL 123.456.0.0/255.255.0.0 ALLOW (if dynamic)
ALL 123.456.123.123 ALLOW (if static)

If you're still in the testing phases, or you know that no one else other than you should have access to FTP, SSH, cPanel etc etc, then add the following entry at the very end of Host Access Control

ALL ALL DENY

Although denying everything to everyone is probably no good if you're renting space out.
 

keat63

Well-Known Member
Yes.
Let's assume your IP at home is allocated dynamically, and is always on 23.255.x.x, then add 23.255.0.0/255.255.0.0 in "Host Access Control"
and 23.255.0.0/16 in CSF Allow IP.

Of course, your dynamic IP could even be a range like 23.245.X.X and 23.243.X.X so you'd need to add these also.

At least if you add a few entries, like work, home, mums and tech support (in your data centre) you have a route in.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
I did change my ssh port already, but I didn't think about closing 22 back up. Thanks for the tip. I've got my lfd blocklist setup like you show now, so hopefully that'll help. :)

Hello,

You may also find this thread helpful:

Securing SSH

Thank you.
 

angelleye

Active Member
keat63 said:
If you're still in the testing phases, or you know that no one else other than you should have access to FTP, SSH, cPanel etc etc, then add the following entry at the very end of Host Access Control

ALL ALL DENY
Yes.
Let's assume your IP at home is allocated dynamically, and is always on 23.255.x.x, then add 23.255.0.0/255.255.0.0 in "Host Access Control"
and 23.255.0.0/16 in CSF Allow IP.

Of course, your dynamic IP could even be a range like 23.245.X.X and 23.243.X.X so you'd need to add these also.

At least if you add a few entries, like work, home, mums and tech support (in your data centre) you have a route in.
Ok, I've got it setup like this now. I guess I'm not understanding something, though, because I'm still getting brute force attempt notifications from cPHulk even after doing this. I was thinking this would pretty much stop all of that since it won't even pick up for anybody but me..??

Also, my ISP (Google Fiber) isn't being too helpful letting me know what the ranges might be. Can I use a domain within the host access tool instead of an IP range? That way I could use a dynamic dns service and then add some_dynamic_service.mydomain.com for the host access..??
 

keat63

Well-Known Member
You will still get brute force login attempts, but the added protection from CSF and its tightening of the rules will offer you much more protection than cPHulk alone.

I'm not sure that you can use domain names in the access control tool; maybe one of the specialists may know this.
 

keat63

Well-Known Member
E.g. at 21:44 last night I see a small number of brute force attempts from 217.92.232.xxx

217.92.232.xxx # lfd: (smtpauth) Failed SMTP AUTH login from 217.92.232.xxx (DE/Germany/pd95ce8c9.dip0.t-ipconnect.de): 1 in the last 3600 secs - Wed Jun 10 21:44:32 2015

As can be seen above, CSF also detected this and added it to the block list.
My block list is for 1500 entries which under normal operating conditions (ie under no attack), lasts about a month before he can come back with that IP.
 

angelleye

Active Member
@keat63 I'm seeing a similar thing in my logs. Looks like it's grabbing a lot and adding it to the block automatically, but then when I look at my ModSecurity Tools log I still see a lot of IPs hitting me a bunch that are getting flagged as "Known Malicious Client" and "Path Traversal Attack" type things.

It's showing that it's catching it and sending them to my home page with a redirect, so that's good, but that seems to be chewing up server resources to do that, right?

So I'm taking these IPs that I see in here and I'm adding them to the block list in CSF, however, I'm still seeing the same IPs showing up in ModSecurity Tools and it's showing that it's redirecting. Same goes for the cPHulk notifications. The same IPs are coming through even after I've added them to the CSF block.

If I'm completely blocking the IP why is that still happening? I thought CSF would be eliminating this traffic before it even makes it to ModSecurity/cPHulk. Apparently not..??
 

keat63

Well-Known Member
I'm personally not sure in which order these security checks are done, however, I'm pretty sure that once the entry is in CSF deny, then any further attempts from that IP will be blocked.

I don't understand Mod Security at all, it looks like voodoo to me.
When I look in Mod Security tools, I only see entries that were denied.

I dare say that ModSec has a predefined set of rules around how many attempts before it logs the entry with CSF, so if someone tries to hack 4 times but the threshold is 5 within a given period, then you would see multiple entries.
And if the hacker comes back after that given period, then he would get another shot.
I have seen ModSec interact with CSF as I regularly see ModSec entries in the CSF block list.

There are some really knowledgeable guys on here who understand this much more than I do, who will no doubt chip in.
 

keat63

Well-Known Member
You did take CSF out of test mode?

I also went through the same doubts as you; it took me about 12 weeks to finally start to relax.
When I say relax, by no means do I take my eye off the ball, but I do feel a little more confident in the tools that are working for me.
 

angelleye

Active Member
Yes, I took CSF out of test mode. I confirmed this by checking the config file, and also because when test mode is enabled I get notifications about lfd not being able to load. Once test mode was disabled I got a notification that it loaded fine, and I've never gotten another notice about it since.

So it's just confusing because lots of tutorials I see specifically say to use a firewall instead of just cPHulk / ModSecurity in order to save server resources, but blocking through CSF doesn't seem to be doing that for me at all.

I'm also banging my head against the wall right now because ModSecurity OWASP is redirecting users to my home page when a 500 error occurs, which is cool, but I want to whitelist my own IP so that this doesn't happen for me. One tutorial tells me I should do that through "/usr/local/apache/conf/modsec2/whitelist.conf", but that file doesn't exist. Another tutorial tells me to do it through "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_10_whitelist.conf" but that doesn't exist either.

Somehow I've got this thing screwed up so that even with error_display turned on in php.ini it's not displaying errors on the screen. I don't remember anything specific to that coming up when going through server security tutorials, though. Ugh.