Blocking IP while using cxswatch

gvard
Junior Member
Posts: 39
Joined: 16 Feb 2008, 19:42

Post by gvard »

Hello,

A nice feature would be to block the IP that uploaded the malicious file, like pure-uploadscript or mod_security rules. This might be done with a similar logic to this (I think):

1) cxswatch sees a virus or fingerprint
2) Check /var/log/messages (last X lines) to see if the same filename was uploaded via FTP
3) Check /usr/local/apache/domlogs/username/* (last X lines) to see which IP performed a POST at that second
4) Block that IP
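
Steps 2 and 3 of the logic proposed in the post above, sketched as an added example that is not part of the original thread and not cxs code. The function name `find_uploader`, the log line formats (pure-ftpd syslog upload notices, Apache access-log entries) and the sample lines are assumptions constructed for illustration; it declines to name an IP when several clients sent a POST inside the time window, since blocking on a guess would hit an innocent visitor.

```python
import re
from datetime import datetime

# Constructed sample lines, not real logs. Assumed formats: pure-ftpd syslog
# upload notices and Apache access-log entries. IPs are documentation ranges.
FTP_LOG = [
    "Mar  3 10:15:02 host pure-ftpd: (alice@192.0.2.10) [NOTICE] "
    "/home/alice/public_html/up/shell.php uploaded (2048 bytes, 10.50KB/sec)",
]
DOMLOG = [
    '198.51.100.7 - - [03/Mar/2024:10:20:31 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Mar/2024:10:20:31 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [03/Mar/2024:10:25:00 +0000] "POST /form.php HTTP/1.1" 200 100',
    '203.0.113.9 - - [03/Mar/2024:10:25:00 +0000] "POST /form.php HTTP/1.1" 200 100',
]

FTP_RE = re.compile(r"pure-ftpd: \([^@]+@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>.+) uploaded ")
POST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST ')

def find_uploader(path, detected_at, ftp_lines, dom_lines, window=2):
    """Return (ip, source) for the client that most likely wrote `path`.

    detected_at is a timezone-aware datetime of the cxswatch detection.
    source is "ftp", "http", "ambiguous" or "not-found"; ip is None for
    the last two, meaning there is nothing safe to block.
    """
    # Step 2: newest FTP upload notice whose path matches the flagged file exactly.
    for line in reversed(ftp_lines):
        m = FTP_RE.search(line)
        if m and m.group("path") == path:
            return m.group("ip"), "ftp"

    # Step 3: collect every client that sent a POST within `window` seconds.
    ips = set()
    for line in dom_lines:
        m = POST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if abs((detected_at - ts).total_seconds()) <= window:
            ips.add(m.group("ip"))

    # Time correlation alone cannot separate two clients in the same window.
    if len(ips) == 1:
        return ips.pop(), "http"
    return None, ("ambiguous" if ips else "not-found")
```

Step 4 (the block itself) is left to the firewall; only a non-`None` result should ever be passed to it.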
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Blocking IP while using cxswatch

Post by chirpy »

If you want FTP or HTTP blocking then you need to use those options already available in cxs, i.e. the pure-ftpd hook and the ModSecurity hook.