How about a feature to permanently block IPs by putting them in something like csf.pdeny?
Right now, if the deny_ip_limit is set at 100 and all 100 IPs are filled up, CSF starts removing from the oldest blocked IP, so the ones at the top get removed. But there are certain IPs which I would like to keep permanently blocked even if the limit has been reached and csf removes the oldest banned IPs. I wouldn't mind if 1 IP is permanently blocked and I then have only 99 remaining within which csf rotates the other blocked IPs.
Permanently Block IP or CIDR
Hi Chris
Thanks for the solution. I am aware of Global_deny, but my concern is the security of having a list that is web accessible. Since the URL is accessible through the browser, if someone manages to access the domain's www folders (through FTP, for example) and modify the list, it can create some problems. That's why I would like to have a csf.pdeny file in /etc/csf, which is outside of public_html and not accessible by any browser or visitor, so that no one can see what ranges or IPs are blocked or be capable of editing it under any circumstance.
I don't know how a list of IPs would be insecure, but if you are that concerned about it, just name the file something really obscure that couldn't be guessed.
If someone gets your ftp information or otherwise gets access to the file, you are going to have worse problems to worry about than a list of IPs.
It was added ages ago:
http://configserver.com/blog/index.php?itemid=370
chirpy wrote: It was added ages ago:
http://configserver.com/blog/index.php?itemid=370
Doh! Completely missed that. Thanks for pointing it out.
Rob
Re: Permanently Block IP or CIDR
Dear CSF,
I understand this is an old thread. I tried to refer to the link above, but there's nothing about where I can get the tip to permanently block the IP instead of csf.deny.
Please help. TQ