
I just learned about CSF, and I like the logging/blocking possibilities it gives me. However, it does not do the desired blocking.

The situation is as follows: I have a server with multiple IP addresses. I'm running Apache on one IP and SSH on another one (so hackers targeting my site have less chance to attack SSH or another service).

To csf.allow I added:

tcp|in|d=80|d=xx.xx.xx.xx
tcp|in|d=22|d=xx.xx.xx.xy

However, in iptables the allow is added before the block, rendering the block useless.

Chain LOCALINPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     1074 92873 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            xx.xx.xx.xy       tcp dpt:22 
2    34401 2163K ACCEPT     tcp  --  !lo    *       0.0.0.0/0            xx.xx.xx.xx       tcp dpt:80 
3        0     0 DROP       all  --  !lo    *       xx.xx.xx.hacker1     0.0.0.0/0           
4        0     0 DROP       all  --  !lo    *       xx.xx.xx.hacker2     0.0.0.0/0           

Is there a way to reverse it?

Paul Jacobse

1 Answer


I figured out how to accomplish this. I changed csf.pl as follows:

In sub linefilter I swapped the $inadd values (on line 1923).

original:

my $inadd = "-I";        # csf.allow entries: -I inserts at the top of the chain
if ($ad eq "deny") {
    $inadd = "-A";       # csf.deny entries: -A appends at the bottom
}

new:

my $inadd = "-A";        # csf.allow entries now appended at the bottom
if ($ad eq "deny") {
    $inadd = "-I";       # csf.deny entries now inserted at the top, so they match first
}

I realize the original is the most common way to go; however, if you want to filter specific ports/IPs this is the solution. Just make sure you have your own (external) IP on the ignore list, or that you have easy physical (or KVM over IP, etc.) access to the machine, so you don't get accidentally locked out!

Paul Jacobse

Nice! Feel free to accept your own answer for the question, which helps "put the question to bed", as it were, so it doesn't keep bobbing up for more attention. – MadHatter Apr 23 '13 at 07:31
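The whole question comes down to iptables first-match semantics: `-I` puts a rule at position 1 of the chain, `-A` puts it at the end, so whichever of csf.allow/csf.deny is added with `-I` always wins. The following Python model, an added example that is neither the poster's code nor part of CSF, builds the LOCALINPUT chain from the two csf.allow entries and two csf.deny addresses from the question under both the stock `$inadd` choice and the swapped one from the answer, prints the equivalent iptables commands, and evaluates a few constructed packets against each chain. The IPs (192.0.2.x for the server, 203.0.113.x for the attackers, 198.51.100.7 for a legitimate client) are constructed stand-ins for the masked addresses in the post, and the csf.allow parser only covers the `proto|in|d=port|d=ip` form used there.

```python
"""Model of how iptables -I / -A ordering decides which of CSF's
csf.allow / csf.deny rules wins in the LOCALINPUT chain.

Added example, not code from the question, the answer, or CSF itself.
All addresses and entries below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # "tcp", or None for all protocols
    src: Optional[str] = None     # source IP, None means 0.0.0.0/0
    dst: Optional[str] = None     # destination IP, None means 0.0.0.0/0
    dport: Optional[int] = None   # tcp destination port, None means any

    def matches(self, pkt: Dict[str, object]) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dst is None or self.dst == pkt["dst"])
                and (self.dport is None or self.dport == pkt["dport"]))

    def command(self, flag: str, chain: str = "LOCALINPUT") -> str:
        """The iptables invocation this rule corresponds to (flag is -I or -A)."""
        parts = ["iptables", flag, chain, "! -i lo"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


class Chain:
    """An iptables chain: -I inserts at position 1, -A appends; first match wins."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.commands: List[str] = []

    def add(self, rule: Rule, flag: str) -> None:
        self.commands.append(rule.command(flag))
        if flag == "-I":
            self.rules.insert(0, rule)   # -I without a rulenum goes to the top
        else:
            self.rules.append(rule)      # -A goes to the bottom

    def verdict(self, pkt: Dict[str, object], default: str = "RETURN") -> str:
        """Walk the chain top to bottom; no match falls back to the caller (RETURN)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return default


def parse_allow(entry: str) -> Rule:
    """Parse the csf.allow form used in the question: proto|in|d=port|d=ip.
    Simplified on purpose: only inbound, d= for port/destination IP, s= for source IP."""
    proto, direction, *opts = entry.split("|")
    if direction != "in":
        raise ValueError("only inbound entries are modelled")
    src = dst = None
    dport = None
    for opt in opts:
        key, value = opt.split("=", 1)
        if key == "d" and value.isdigit():
            dport = int(value)
        elif key == "d":
            dst = value
        elif key == "s":
            src = value
    return Rule("ACCEPT", proto=proto, src=src, dst=dst, dport=dport)


def build_localinput(allows: Sequence[str], denies: Sequence[str], patched: bool = False) -> Chain:
    """Mirror linefilter's $inadd choice: stock csf.pl uses -I for allow and -A for deny;
    patched=True models the answer's swap (-A for allow, -I for deny)."""
    allow_flag, deny_flag = ("-A", "-I") if patched else ("-I", "-A")
    chain = Chain()
    for entry in allows:
        chain.add(parse_allow(entry), allow_flag)
    for ip in denies:                       # a bare IP in csf.deny blocks all traffic from it
        chain.add(Rule("DROP", src=ip), deny_flag)
    return chain


def packet(src: str, dst: str, dport: int, proto: str = "tcp") -> Dict[str, object]:
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


# Constructed stand-ins for xx.xx.xx.xx / xx.xx.xx.xy and hacker1 / hacker2.
WEB_IP, SSH_IP = "192.0.2.10", "192.0.2.11"
CSF_ALLOW = [f"tcp|in|d=80|d={WEB_IP}", f"tcp|in|d=22|d={SSH_IP}"]
CSF_DENY = ["203.0.113.5", "203.0.113.6"]

STOCK = build_localinput(CSF_ALLOW, CSF_DENY)
PATCHED = build_localinput(CSF_ALLOW, CSF_DENY, patched=True)

if __name__ == "__main__":
    for name, chain in (("stock csf.pl", STOCK), ("patched csf.pl", PATCHED)):
        print(f"== {name} ==")
        for cmd in chain.commands:
            print(cmd)
        for num, rule in enumerate(chain.rules, 1):
            print(num, rule)
        print("attacker -> ssh:", chain.verdict(packet(CSF_DENY[0], SSH_IP, 22)))
        print("client   -> ssh:", chain.verdict(packet("198.51.100.7", SSH_IP, 22)))
```

With the stock ordering the attacker's SSH packet is ACCEPTed by rule 1 before the DROP is ever consulted, which is exactly the listing in the question (note that `-I` also reverses the order of the allow entries, which is why port 22 shows up above port 80 there); with the swap it is DROPped, while a legitimate client is still accepted and a port with no allow entry is dropped for the attacker in both variants. Two caveats the answer does not spell out: the swap changes the precedence of every csf.deny entry over every csf.allow entry, not just for the two addressed rules, and a hand edit to csf.pl is lost when CSF is upgraded, so keep a copy of the change.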