Updating the csf.disallow from php file

Discussion in 'Security' started by wineo, Mar 19, 2010.

  1. wineo

    wineo Active Member

    Joined:
    Aug 30, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Perth, Australia
    Did a few searches for this but didn't find anything, can someone point me in the right direction?

    I have set up an error404 notification that emails me when there are missing files or broken links. Recently, notifications for someone looking for phpmyadmin (and similar) folders on the server have come through in the thousands. I would love to track the IP address being used to prod at my server and add it to the firewall after a certain amount of attempts.

    This means that I would have to update the csf.disallow list and restart the firewall. Has anyone done this before?
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I already have a library of security applications and scripts that monitor precisely what you are asking about specifically and directly interface CSF's configuration and could help you get setup with some of those if you would like.

    However, if you are just wanting to know the command to call from your scripts to add to the "csf.deny" list, this works and doesn't require any restart of your firewall as it adds it live in one step:

    Code:
    # /usr/sbin/csf -d "(ip or cidr goes here)" "Any comments you want"
    
    You can also temporarily ban IPs (in seconds):
    Code:
    # /usr/sbin/csf -td "(ip or cidr goes here)" 3600
    
    (The above would block the IP given for 1 hour)

    You could also setup a cron process to watch your log files and then issue these commands accordingly as needed.
     
  3. wineo

    Thanks Spiral!

    These commands work perfectly in command line. What function should I use to run this command from php? I have tried 'shell_exec', 'exec' and 'system' to run this but the IP doesn't get added.
     
  4. wineo

    I think that there is a permissions issue with the script... needs to run as root on the server. Does this have something to do with the server being in safe mode?
     
  5. Spiral

    My first question is "Why are you writing this in PHP?" which is more of a curiosity than anything as there might be better options.

    My second question is "Is this meant to run from the web or not?"

    If you are not running this from the web or someplace that is web accessible, you could just simply setup your script as a root level cronjob and then it will be able to run the commands no problem.

    You could grant sudo privileges to the commands you need directly so that they can be run from other users but I don't recommend this method.

    If you mean to run this as a forward outside world facing script on the web, then instead of calling the firewall blocking commands, perhaps put that information in a database and have a separate process set up behind the scenes reading the same database and executing your blocks, as this breaks the direct connection between those functions.

    If you are running this as a process just to read your logs and take actions based on what is in your logs, might want to setup your script as a shell script which can be done by adding a shebang line at the top and set execute permissions and then you can run it directly as a shell script.

    (IE: "#!/usr/bin/php")

    You mentioned that the "IP does not get added" ---

    Exactly how are you determining your IP addresses?

    Just reading from your log files?

    Using REMOTE_ADDR when the script is executed, etc?
     
  6. wineo

    We have a custom error 404 page that incorporates the site and navigations. This page also emails me to let me know if there are any broken links in the site or missing files, this helps especially when developing.

    Last week I received 2500 emails telling me that someone was trying to access the folder /phpmyadmin and /mysql / and ... which means that someone was trying to find 'holes' in the server. Now what I was hoping to do was get the custom error 404 page to check against a predefined list or automated for these folders/strings in the requested URLs and if there were a number of matches I could add the offending IP address to the firewall.

    The error 404 page can run the php exec function, but I need to get the permissions right to allow this page to run this function. I get "sh: /usr/sbin/csf: Permission denied" in the error logs. I also check the firewall for the IP address that I am testing from to see if it has been added. Yes, I use REMOTE_ADDR to obtain the IP.
     
  7. Spiral

    It would seem like a grep of the traffic logs for 404 responses and banning the logged IP on certain requests might make a little bit more sense.

    I am not sure that automatically emailing you at every 404 is necessarily the best of ideas either. Might be better to keep a running count of the bad requests in a database or file and when that particular request crosses a preset threshold, then email you.
     
  8. wineo

    Thanks Spiral, we usually just use the error emails while developing or if there are issues.

    I will have to run a cron to check the log files for these errors. I have one that checks the log file errors from where it left off on last run. Is it a bad idea to run the cron every minute?
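
Added example (not code posted by anyone in this thread): a log-scanning script of the kind suggested above, meant to run from root's crontab so the web-facing 404 page never calls csf itself. The threshold, the probe-path pattern and the sample log lines are assumptions constructed for illustration; only the `csf -td <ip> 3600` call comes from the thread.

```python
import ipaddress
import re
import subprocess
from collections import Counter

CSF = "/usr/sbin/csf"   # path given in the thread
BAN_SECONDS = 3600      # the thread's 1-hour temporary ban
THRESHOLD = 3           # assumption: probe 404s allowed per IP per run
# Probe paths named in the thread; extend to suit your own 404 noise.
PROBE = re.compile(r"^/(phpmyadmin|mysql)(/|$)", re.IGNORECASE)
# Apache common/combined: host ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2010:10:00:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.7 - - [19/Mar/2010:10:00:02 +0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 512
203.0.113.7 - - [19/Mar/2010:10:00:03 +0800] "GET /mysql/ HTTP/1.1" 404 512
198.51.100.4 - - [19/Mar/2010:10:05:00 +0800] "GET /old-page.html HTTP/1.1" 404 512
198.51.100.4 - - [19/Mar/2010:10:05:09 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 512
not-an-ip - - [19/Mar/2010:10:06:00 +0800] "GET /mysql/ HTTP/1.1" 404 512
"""

def offenders(lines, threshold=THRESHOLD):
    """Return sorted IPs with at least `threshold` 404s on probe paths."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host, path, status = m.groups()
        if status != "404" or not PROBE.match(path):
            continue  # ordinary broken links never count towards a ban
        try:
            ip = str(ipaddress.ip_address(host))  # reject anything but a literal IP
        except ValueError:
            continue
        hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def ban_command(ip):
    """argv list for subprocess: no shell ever parses log-derived text."""
    return [CSF, "-td", ip, str(BAN_SECONDS)]

def ban(ip):
    subprocess.run(ban_command(ip), check=True)  # needs root, e.g. root's crontab

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG.splitlines()):
        print(" ".join(ban_command(ip)))  # dry run; call ban(ip) on a real server
```

Run as written it only prints the command it would issue for the sample data; on a server, feed it the new lines of the access log since the last run and call `ban()` for each returned address.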
     