
IP Reputation Population

Posted: 02 Apr 2019, 20:37
by JDStallings
I have the following question on how the IP Reputation files (all.txt, etc.) get populated.

If an IP address triggers a BLOCK on one of my servers, does this automatically get reported to CXS? The reason I am asking: if a user enters their password wrong and gets blocked on our server, does CSF report that to the IP Reputation repository?

If it does report it, then if I unblock the IP address from CSF must I also run the command line --Rremove to remove that IP from the list or does CSF report it as unblocked to CXS lists?

I think I had a user where this happened and I had to also disable CXS IP Reputation because they were still being blocked.

I hope I explained this well enough. Thank you for any responses.

Re: IP Reputation Population

Posted: 25 Apr 2019, 01:38
by aegis
I've had a similar problem. I've a user who persistently gets her IMAP login wrong. She has a phone with the wrong password. When she arrives at work, they get a temp ban.

The temp ban then gets sent to ConfigServer's IP reputation server and they end up on the CXS_ALL list.

In the meantime the temp ban has lapsed. If they log in to my support (WHMCS with a plugin that lets them unblock), it tells them there is no ban as that only looks at the csf deny & temp deny lists, not directly at iptables.

To fix it, I have to manually cxs --Rremove the IP and wait 10 minutes. Or remove it from iptables directly.

I repeat this every few months as the user is incapable of changing the IMAP password on their iPhone and the router holds on to a dynamic IP for that long. I add their IP to the ignore list.

It would be great if a) removing a ban on csf also removed it from cxs and b) cxs was cluster aware as you can only remove an address from the server that reported it.

Re: IP Reputation Population

Posted: 11 May 2020, 06:10
by sahostking
I've had the same issue, but we notice that enabling the individual lists like LF_SMTP seems to block very nicely.
So we enabled the following:

CXS_LF_SSHD
CXS_LF_FTPD
CXS_LF_SMTPAUTH
CXS_LF_CXS

Works quite well for us at least, and load has gone down A LOT.

Re: IP Reputation Population

Posted: 12 Apr 2021, 11:56
by logout
> It would be great if a) removing a ban on csf also removed it from cxs

I've submitted a feature request for this here:
viewtopic.php?f=27&t=12156

Please add your support.