Blocking IP while using cxswatch

Posted: 09 May 2012, 10:39
by gvard
Hello,

A nice feature would be to block the IP that uploaded the malicious file, like pure-uploadscript or mod_security rules. This might be done with a similar logic to this (I think):

1) cxswatch sees a virus or fingerprint
2) Check /var/log/messages (last X lines) to see if the same filename was uploaded via FTP
3) Check /usr/local/apache/domlogs/username/* (last X lines) to see which IP performed a POST at that second
4) Block that IP
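
Steps 2 and 3 of the proposal above, sketched as an added example (not part of the original post and not cxs code). It assumes pure-ftpd's syslog "uploaded" notice and the Apache combined log format; the log lines, paths and IPs are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, not real logs; IPs are documentation addresses.
FTP_LOG = """\
May  9 10:39:10 host pure-ftpd: (alice@198.51.100.7) [NOTICE] /home/alice/public_html/img/shell.php uploaded (2048 bytes, 15.20KB/sec)
May  9 10:39:11 host pure-ftpd: (alice@198.51.100.9) [NOTICE] /home/alice/public_html/index.html uploaded (512 bytes, 9.10KB/sec)
"""
DOMLOG = """\
203.0.113.5 - - [09/May/2012:10:39:12 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.8 - - [09/May/2012:10:39:12 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.77 - - [09/May/2012:10:39:13 +0000] "POST /search.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [09/May/2012:10:41:40 +0000] "POST /contact.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""
# Constructed time at which the watcher flagged the file.
DETECTED_AT = datetime(2012, 5, 9, 10, 39, 12, tzinfo=timezone.utc)

FTP_RE = re.compile(
    r"pure-ftpd: \(\S+@(?P<ip>[0-9a-fA-F.:]+)\) \[NOTICE\] (?P<path>.+) uploaded \(")
HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST ')

def ftp_uploaders(log_text, detected_path):
    """Step 2: IPs whose FTP upload notice names exactly the flagged path."""
    return {m["ip"] for m in FTP_RE.finditer(log_text) if m["path"] == detected_path}

def http_posters(log_text, detected_at, window_s=1):
    """Step 3: IPs that sent a POST within window_s seconds of the detection."""
    ips = set()
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue  # not a POST, or not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs((ts - detected_at).total_seconds()) <= window_s:
            ips.add(m["ip"])
    return ips

def candidate_ips(detected_path, detected_at, ftp_log=FTP_LOG, domlog=DOMLOG):
    """Prefer the FTP match (keyed on filename); fall back to the time-only HTTP match."""
    return ftp_uploaders(ftp_log, detected_path) or http_posters(domlog, detected_at)

if __name__ == "__main__":
    print(candidate_ips("/home/alice/public_html/img/shell.php", DETECTED_AT))
    print(candidate_ips("/home/alice/public_html/upload/x.php", DETECTED_AT))
```

The HTTP fallback matches on time alone, so on a busy site it can return several unrelated clients; only a single-candidate result identifies one uploader.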

Re: Blocking IP while using cxswatch

Posted: 01 Jul 2012, 09:34
by chirpy
If you want FTP or HTTP blocking then you need to use those options already available in cxs, i.e. the pure-ftpd hook and the ModSecurity hook.