IP Reputation Poopulation

Community forum to discuss cxs.
If you believe that there is a problem with your cxs installation and want support then, as a paid product, you should use the helpdesk after having consulted the documentation.
2 posts Page 1 of 1
JDStallings
Junior Member
Posts: 55
Joined: 10 Dec 2006, 10:04


I have the following question on how the IP Reputation files all.txt, etc get populated.

If an IP address triggers a BLOCK on one of my servers, does this automatically get reported to CXS? The reason I am asking, if a user enters their password wrong and gets blocked on our server, does CSF report that to the IP Reputation respiratory?

If it does report it, then if I unblock the IP address from CSF must I also run the command line --Rremove to remove that IP from the list or does CSF report it as unblocked to CXS lists?

I think I had a user where this happened and I had to also disable CSX IP Reputation because they were still being blocked.

I hope I explained this well enough. Thank you for any responses.
aegis
Junior Member
Posts: 11
Joined: 31 Jan 2010, 00:13


I've had a similar problem. I've a user who persistently gets her IMAP login wrong. She has a phone with the wrong password. When she arrives at work, they get a temp ban.

The temp ban then gets sent to ConfigServer's IP reputation server and they end up on the CXS_ALL list.

In the meantime the temp ban has lapsed. If they log in to my support (WHMCS with a plugin that lets them unblock), it tells them there is no ban as that only looks at the csf deny & temp deny lists, not directly at iptables.

To fix it, I have to manually cxs --Rremove the IP and wait 10 minutes. Or remove it from iptables directly.

I repeat this every few months as the user is incapable of changing the IMAP password on their iPhone and the router holds on to a dynamic IP for that long. I add their IP to the ignore list.

It would be great if a) removing a ban on csf also removed it from cxs and b) cxs was cluster aware as you can only remove an address from the server that reported it.
2 posts Page 1 of 1