Including a text file in CSF

Discussion in 'Security' started by GoWilkes, Jun 20, 2014.

  1. GoWilkes

    GoWilkes Well-Known Member

    I posted this on the CSF forum a few days ago, but there hasn't been a reply. This is a pretty important security issue for me, though, so I'm hoping extra eyes here might have some input.

    I'm trying to use the command:

    Include /home/example/blacklist.txt

    in the csf.deny file. I understand that this lets me have a remote text file with blocked IPs that I can update via PHP.

    The questions I have, though, are:

    1. If I add an IP to blacklist.txt, do I need to restart CSF? If so, can this be done via PHP?

    2. Can I make comments in blacklist.txt using #, like I do in csf.deny?

    3. I don't suppose there's an easy way to make temporary denies in an included file, is there? I'm hoping to use PHP to blacklist people that meet specific patterns (like those that attempt SQL injections), but want the ability to blacklist them for a short period without having to go in and remove them from the list manually.

    I guess it could be done with a cronjob, but I don't want to go to all that trouble if there's an easy built-in way already.

    TIA,

    Jason
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    It might not be responded to, either. Reading the docs is helpful.

    That's not a command, it's an include. I would think adding an include to a blocklist, to another blocklist is not going to work.


    1) Yes. See CSF readme.txt: 24. IP Block Lists
    2) Yes.
    3) CSF can temp ban, yes of course. It's all in the settings.

    Your post reads like you've never gone thru your CSF config and seen all the available options.

    The only catch is, you wanting to do what CSF does for you automatically, manually, via PHP.

    Are you hoping to reinvent the wheel here?
     
  3. GoWilkes

    GoWilkes Well-Known Member

    I don't understand what you mean. I read the docs, but it only gave a paragraph regarding the use of Include, and it was a little vague. Was there further clarification that I missed?

    Sorry, just a typo, really. I was posting right before going to bed, so my brain wasn't firing on all cylinders :)

    I realize that I can temp ban in CSF, but I don't know if it can be done with an Include file that can be modified via PHP. That's what I haven't been able to find.

    I've actually gone through it pretty extensively, so I'm thinking that you may be misunderstanding my intent. Either that, or I've grossly overlooked / misunderstood some options.

    I've had a string of hackers trying to inject SQL commands, so I'm trying to block IPs (preferably a temp block) based on QUERY_STRING. Last night I had someone try to send roughly 500 injection commands within 3 minutes; by the time I saw it and logged in to CSF manually, they had stopped.

    (Their IP didn't show in the permanent or temp deny lists, so I have to assume that they stopped on their own instead of being blocked by CSF.)

    A few weeks ago, I had a major attack that overloaded the server; they were trying numerous attempts for a few hours! This is what brought it to my attention, actually.

    If there's a way for CSF to catch and prevent SQL injections, that would be great, but I haven't found it in the configuration. All I know to do is watch for it manually on my end.
     
    #3 GoWilkes, Jun 20, 2014
    Last edited: Jun 20, 2014
  4. ThinIce

    ThinIce Well-Known Member

    I guess we're carrying on from http://forums.cpanel.net/f185/executing-usr-sbin-csf-php-413212.html; might be handy if you could merge the two threads, Infopro?

    Quizknows' suggestion http://forums.cpanel.net/f185/executing-usr-sbin-csf-php-413212.html#post1666801 about using the modsec triggers is a good one, because it takes your own application out of the picture and has everything done by CSF and modsec.

    If you're wanting to go with using an otherwise generated file of IPs (because you're in a low memory environment or don't want to use modsec for whatever reason), you actually need to give this file to CSF within the csf config (csf can be configured to download block lists over the web).

    Note that the URL here will be http://example.com/blockfile.txt rather than a local path.

    The issue you may be running into using file based includes *I think* is that the list of IPs will be loaded when CSF initially includes the file (i.e. when it restarts). You'll note that if you edit csf.allow or deny or its other config files from WHM, CSF has to restart to pick up these changes.
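
The cron-based approach raised in the first post for temporary entries in an included list, as an added example that is not part of any post in this thread and not CSF's own code. The `# expires=EPOCH` trailing comment is a convention invented here (it relies on the `#` comment support confirmed in the replies), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed line format (constructed):
#   203.0.113.7 # expires=1403300000
# Lines with no expires= tag are treated as permanent and kept.

# valid_ipv4 STRING: succeed only for a dotted quad with octets 0-255, so
# request data can never put anything else into a firewall list.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_temp_block FILE IP TTL NOW: append IP, expiring at NOW+TTL seconds.
add_temp_block() {
    valid_ipv4 "$2" || return 1
    case "$3$4" in ''|*[!0-9]*) return 1 ;; esac   # TTL and NOW: digits only
    # Already listed: keep the existing entry and its expiry.
    awk -v ip="$2" '$1 == ip { f = 1 } END { exit !f }' "$1" 2>/dev/null && return 0
    printf '%s # expires=%s\n' "$2" "$(( $4 + $3 ))" >> "$1"
}

# prune_blacklist FILE NOW: drop entries whose expiry is <= NOW.
# Returns 0 if the file changed (CSF reload needed), 1 if unchanged.
prune_blacklist() {
    tmp=$(mktemp "$1.XXXXXX") || return 2
    awk -v now="$2" '
        match($0, /expires=[0-9]+/) {
            if (substr($0, RSTART + 8, RLENGTH - 8) + 0 <= now + 0) next
        }
        { print }
    ' "$1" > "$tmp"
    if cmp -s "$1" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Rename is atomic, so a reader never sees a half-written list.
    # mktemp creates the file mode 0600; adjust if another user reads it.
    mv "$tmp" "$1"
}
```

A root cron job would call `prune_blacklist /home/example/blacklist.txt "$(date +%s)"` and run `csf -r` only when it returns 0, since the replies above say CSF reads the list when it restarts.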
     