Including a text file in CSF

I posted this on the CSF forum a few days ago, but there hasn't been a reply. This is a pretty important security issue for me, though, so I'm hoping extra eyes here might have some input.

I'm trying to use the command:

Include /home/example/blacklist.txt

in the csf.deny file. I understand that this lets me have a remote text file with blocked IPs that I can update via PHP.

The questions I have, though, are:

1. If I add an IP to blacklist.txt, do I need to restart CSF? If so, can this be done via PHP?

2. Can I make comments in blacklist.txt using #, like I do in csf.deny?

3. I don't suppose there's an easy way to make temporary denies in an included file, is there? I'm hoping to use PHP to blacklist people that meet specific patterns (like those that attempt SQL injections), but want the ability to blacklist them for a short period without having to go in and remove them from the list manually.

I guess it could be done with a cronjob, but I don't want to go to all that trouble if there's an easy built-in way already.

TIA,

Jason

 

I don't understand what you mean. I read the docs, but it only gave a paragraph regarding the use of Include, and it was a little vague. Was there further clarification that I missed?

Sorry, just a typo, really. I was posting right before going to bed, so my brain wasn't firing on all cylinders

I realize that I can temp ban in CSF, but I don't know if it can be done with an Include file that can be modified via PHP. That's what I haven't been able to find.

I've actually gone through it pretty extensively, so I'm thinking that you may be misunderstanding my intent. Either that, or I've grossly overlooked / misunderstood some options.

I've had a string of hackers trying to inject SQL commands, so I'm trying to block IPs (preferably a temp block) based on QUERY_STRING. Last night I had someone try to send roughly 500 injection commands within 3 minutes; by time I saw it and logged in to CSF manually, they had stopped.

(Their IP didn't show in the permanent or temp deny lists, so I have to assume that they stopped on their own instead of being blocked by CSF.)

A few weeks ago, I had a major attack that overloaded the server; they were trying numerous attempts for a few hours! This is what brought it to my attention, actually.

If there's a way for CSF to catch and prevent SQL injections, that would be great, but I haven't found it in the configuration. All I know to do is watch for it manually on my end.