IP Reputation Population

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
JDStallings
Junior Member
Posts: 55
Joined: 10 Dec 2006, 10:04

IP Reputation Population

Post by JDStallings »

I have the following question on how the IP Reputation files all.txt, etc. get populated.

If an IP address triggers a BLOCK on one of my servers, does this automatically get reported to CXS? The reason I am asking, if a user enters their password wrong and gets blocked on our server, does CSF report that to the IP Reputation repository?

If it does report it, then if I unblock the IP address from CSF must I also run the command line --Rremove to remove that IP from the list or does CSF report it as unblocked to CXS lists?

I think I had a user where this happened and I had to also disable CXS IP Reputation because they were still being blocked.

I hope I explained this well enough. Thank you for any responses.

aegis
Junior Member
Posts: 11
Joined: 31 Jan 2010, 00:13

Re: IP Reputation Population

Post by aegis »

I've had a similar problem. I've a user who persistently gets her IMAP login wrong. She has a phone with the wrong password. When she arrives at work, they get a temp ban.

The temp ban then gets sent to ConfigServer's IP reputation server and they end up on the CXS_ALL list.

In the meantime the temp ban has lapsed. If they log in to my support (WHMCS with a plugin that lets them unblock), it tells them there is no ban as that only looks at the csf deny & temp deny lists, not directly at iptables.

To fix it, I have to manually cxs --Rremove the IP and wait 10 minutes. Or remove it from iptables directly.

I repeat this every few months as the user is incapable of changing the IMAP password on their iPhone and the router holds on to a dynamic IP for that long. I add their IP to the ignore list.

It would be great if a) removing a ban on csf also removed it from cxs and b) cxs was cluster aware as you can only remove an address from the server that reported it.
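The gap described in the post above, where an unblock tool that reads only the csf deny and temp deny lists reports no ban while the reputation list still blocks the address, as an added example (not from the thread or from ConfigServer). It checks one IP against all three sources; the list contents are constructed, and the formats (`IP # comment` for csf.deny, pipe-separated temp-ban records with the IP in the second field, one address or CIDR per line for the reputation list) are assumptions.

```python
import ipaddress

def parse_list(text, field=0, sep=None):
    """Return the networks in one list; field/sep locate the address on each line."""
    nets = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(sep)
        if len(parts) <= field:
            continue  # blank line, comment-only line, or short record
        try:
            nets.append(ipaddress.ip_network(parts[field].strip(), strict=False))
        except ValueError:
            continue  # not a plain address or CIDR (e.g. an Include line)
    return nets

def find_blocks(ip, sources):
    """Names of every source (name -> (text, field, sep)) that lists ip."""
    addr = ipaddress.ip_address(ip)
    return [name for name, (text, field, sep) in sources.items()
            if any(addr in net for net in parse_list(text, field, sep))]

# Constructed sample data using documentation address ranges.
CSF_DENY = "198.51.100.7 # lfd: (sshd) failed logins (constructed)\n"
TEMP_BANS = "1700000000|192.0.2.10|143|in|3600|lfd: imapd failures (constructed)\n"
REPUTATION = "# constructed list\n203.0.113.45\n198.51.100.0/24\n"

# What a csf-only unblock tool sees, versus every list that can hold a block.
CSF_ONLY = {"csf.deny": (CSF_DENY, 0, None), "csf temp bans": (TEMP_BANS, 1, "|")}
ALL_SOURCES = {**CSF_ONLY, "reputation list": (REPUTATION, 0, None)}

if __name__ == "__main__":
    ip = "203.0.113.45"  # temp ban has lapsed, address is still on the reputation list
    print("csf-only view:", find_blocks(ip, CSF_ONLY))
    print("all sources:  ", find_blocks(ip, ALL_SOURCES))
```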

sahostking
Junior Member
Posts: 24
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: IP Reputation Population

Post by sahostking »

I've had the same issue but we notice enabling the individual lists like LF_SMTP seems to block very nicely.
So we enabled the following:

CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS

Works quite well for us at least and load has gone down A LOT.
