Blocking or Identifying bad IPs

Posted: 01 Jun 2020, 20:02
by skycomp
Hello,

I'm wondering if CSF has any way to do some aggregate monitoring across a set of clustered servers to look for bad actor IP addresses.

For example, even a single IP that is hitting lots of websites across all of our servers is suspicious.

It's really suspicious if it's hitting /xmlrpc.php on multiple sites across our servers, and a strong sign it's a botnet or some type of scanning.

Volume of requests would be a trigger as well, and requests to /xmlrpc.php or other commonly hacked URLs that are from IPs outside of our country.

So I'm curious if CSF has any configuration that may provide some reports. Some I'd ideally like to auto-ban (i.e. /xmlrpc.php connections from a single IP across multiple hosted websites are a strong sign to me that they are trying something bad).

So I thought I'd start on the forum here to see if I may be overlooking some existing features of CSF.

Thanks.

Re: Blocking or Identifying bad IPs

Posted: 07 Jun 2020, 04:18
by Sergio
I haven't seen this option in CSF.

But you can do the following:
- When an attack on xmlrpc.php is blocked, you can send the report to an email address of yours from all the servers you have.
- Create a bash script that reads all the emails every 15 minutes, gets the offending IPs and adds the IPs to your own blacklist.
- The bash script should check and clean IPs if there are more than X number of blocked IPs from the same CIDR, change to the 0/24 and delete the IPs that belong to that CIDR.
- Your blacklist can be accessed by all your servers if you add it to the BLOCK LIST option in CSF in all of them.

Sergio
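The aggregation step Sergio describes (harvest offending IPs from the alert mails, collapse a /24 once more than X of its addresses have been reported, and emit a list the BLOCK LIST option can consume) can be done with a short POSIX shell script. The script below is an added example, not code from the thread or from CSF: the mail body is a constructed sample that only loosely resembles an lfd alert, the threshold is an assumed default of 3 distinct IPs per /24, and the output file name and the mail-fetching step are left to the reader.

```shell
#!/bin/sh
# Added example: build a shared CSF blocklist from IPs reported in alert mails.
# A /24 that has contributed THRESHOLD or more distinct IPs is listed as a
# whole network; other IPs are listed individually. Duplicates count once.
THRESHOLD="${THRESHOLD:-3}"   # assumed default; tune to your traffic

# Constructed sample of what the mail-harvesting step might hand us.
# (Resembles lfd alert lines only loosely; the real format is not assumed.)
sample_mail() {
  cat <<'EOF'
Subject: lfd on web1: blocked 203.0.113.10 (XX/Example/-) hitting /xmlrpc.php
Subject: lfd on web2: blocked 203.0.113.11 (XX/Example/-) hitting /xmlrpc.php
Subject: lfd on web3: blocked 203.0.113.12 (XX/Example/-) hitting /xmlrpc.php
Subject: lfd on web1: blocked 198.51.100.7 (XX/Example/-) hitting /xmlrpc.php
Subject: lfd on web2: blocked 198.51.100.7 (XX/Example/-) hitting /wp-login.php
Subject: lfd on web3: blocked 192.0.2.200 (XX/Example/-) hitting /xmlrpc.php
EOF
}

# Pull dotted-quad IPv4 addresses out of arbitrary text on stdin.
extract_ips() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Read one IP per line on stdin; print the blocklist on stdout.
build_blocklist() {
  sort -u | awk -v t="$THRESHOLD" '
    {
      split($0, o, ".")
      net = o[1] "." o[2] "." o[3]
      count[net]++
      ips[net] = ips[net] $0 "\n"
    }
    END {
      for (net in count) {
        if (count[net] >= t) print net ".0/24"   # collapse the whole /24
        else printf "%s", ips[net]                # keep single addresses
      }
    }' | sort
}

# Convenience wrapper so the whole pipeline can be called by name.
sample_blocklist() {
  sample_mail | extract_ips | build_blocklist
}

# Usage (real run): fetch the mails, then
#   cat /path/to/harvested_mails | extract_ips | build_blocklist > my_blocklist.txt
# and point CSF's BLOCK LIST entry on every server at that file.
sample_blocklist
```

With the constructed sample the three 203.0.113.x addresses collapse into 203.0.113.0/24, while 198.51.100.7 (reported twice, counted once) and 192.0.2.200 stay as single entries. Because the threshold is on distinct addresses rather than on raw hit counts, one noisy host cannot by itself get its whole /24 blocked.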