
ban ip upon detection of keyword?

Posted: 23 Jan 2013, 10:59
by wolga
I looked around and just cannot seem to find where I can add a phrase or keyword so that when that phrase is detected, csf will ban the IP.

I've been having an issue with osCommerce tell_a_friend.php. I can search for it and ban IPs that are accessing that file, and it will be fine for a few days until the spammers switch to another IP.

So I have to constantly keep banning IPs or they just start up again.

Is there a way for csf to do this?

I run virtualmin which has webmin and your webmin module is installed. Very handy tool.

Thanks,
-John Wolgamot

Re: ban ip upon detection of keyword?

Posted: 24 Jan 2013, 05:02
by Sergio
Can your system run Mod_Security? If so, then Mod_Security will be the easiest way to block IPs with the aid of CSF. Mod_Security detects the word that you want to ban and CSF will block the IP that triggered Mod_Security.
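As an added example (not from Sergio's post and not csf's or ModSecurity's own shipped rules), here is a ModSecurity 2 rule of the kind he describes. It denies any request whose URI names the osCommerce script; csf's lfd reads the Apache error log named by MODSEC_LOG in csf.conf and blocks a client once it has logged LF_MODSEC such denials. The rule id 10001 and the msg text are arbitrary choices for this example; MODSEC_LOG, LF_MODSEC and LF_MODSEC_PERM are csf.conf settings.

```apache
# Assumed: ModSecurity 2.x (mod_security2) is loaded into Apache.
# Without this line rules are parsed but never enforced.
SecRuleEngine On

# Example rule, not from the forum thread. Case-insensitive match on the
# request URI; "deny,status:403,log" makes Apache write a
# "ModSecurity: Access denied with code 403" line to the error log, which
# is what csf's lfd counts. id 10001 is an arbitrary local-range id.
SecRule REQUEST_URI "@rx (?i)tell_a_friend\.php" \
    "id:10001,phase:1,deny,status:403,log,msg:'osCommerce tell_a_friend.php spam probe'"
```

On the csf side, set LF_MODSEC in csf.conf to the number of denials that should trigger the block (1 bans on the first hit), set LF_MODSEC_PERM to 1 if the block should be permanent rather than temporary, make sure MODSEC_LOG points at the error log the rule writes to, and restart lfd. A quick check is to request the URI from a test address you can afford to lose and watch lfd.log for the resulting block entry.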

Re: ban ip upon detection of keyword?

Posted: 24 Jan 2013, 06:36
by wolga
Thanks Sergio,
I think I can run it. I'm on "The Google" quest for Mod_Security knowledge now.

I run Centos with VirtualminPro install.shh which takes a minimal Centos install and sets up a nice LAMP server vps environment. I used to run on an openvz and because I wanted more access to the system I started using a KVM environment, which I read is closest to the hardware and gives you access to the kernel.

Ha, I had to put an extra h at the end of the install.shh above, because phpBB thought it was a link and forbade it.

You've been a big help,
Thanks

Re: ban ip upon detection of keyword?

Posted: 24 Jan 2013, 18:28
by Sergio
When you install Mod_Security try to get the GotRoot.com set of rules; they have a free version that is one month older than the paid one and it can help you block some words.

If you need a rule specifically to block words in the URL, I made one that I can share with you; it is working great on my servers. Send me a PM.

Sergio

Re: ban ip upon detection of keyword?

Posted: 01 Feb 2013, 10:39
by wolga
Man oh Man Sergio,

This has been a wild ride trying to figure out mod_sec.

I was Googling for info and stumbled back onto my own post here and found your second reply.

I'm grateful for your time you took to reply.

I think I forgot to choose notify me of replies.

I am getting more and more familiar with this and it looks like it's what I need but as with all Linux servers you pay the price of a complex learning curve.

The infamous osCommerce tell_a_friend exploit to send spam is what started my search.

I disabled it, deleted the tell_a_friend files so they weren't even on the server and somehow they still kept at it when their IPs changed.

I blocked all the IPs that were hitting it and it all seemed to stop for a day or so.

I kept an eye on the logs and within a day or so their IP changed and they started up again. So I blocked that one too, and the next, etc...

So I went on a quest to find a way to block an IP if tell_a_friend is detected in the logs.

I used to use fail2ban to block IPs after 5 failed SSH login attempts and finally I changed my root port to a non standard port and that cleaned up my secure logs overnight.

But fail2ban did not monitor log files for the occurrence of a phrase.

So here I am lurking around mod_sec docs and forums still scratching my head trying to get over the learning curve.

I can't believe I figured out how to setup a virtualmin server on a KVM hosting service provider and yet various things like mod_sec prove to have a stiff learning curve.

I love having full control over the server so you can jump in and fix issues but there are so many things that eat up your time.

Thanks again for your tips,
-John
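The other route the thread keeps coming back to is the one John was doing by hand: scan the access log for the phrase and ban whichever IP keeps sending it. The script below is an added example (not John's or Sergio's code and not part of csf) that does exactly that step: it parses Apache combined-format log lines, counts requests per client whose request line contains the phrase, and prints the csf command that would block each offender. The log lines are constructed for the example, the threshold and comment text are arbitrary, and the two csf commands used, `csf -d` (permanent deny) and `csf -td` (temporary deny with a TTL in seconds), are csf's own.

```python
import re
import shlex
from collections import Counter

# Constructed sample in Apache combined log format; not real traffic.
# 203.0.113.7 hammers the script three times (once with odd casing),
# 192.0.2.44 hits it once, 198.51.100.9 is an ordinary shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2013:09:12:01 +0000] "POST /shop/tell_a_friend.php?products_id=31 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2013:09:12:05 +0000] "GET /shop/index.php HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2013:09:12:09 +0000] "POST /shop/tell_a_friend.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2013:09:12:14 +0000] "POST /shop/TELL_A_FRIEND.PHP HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Feb/2013:09:13:00 +0000] "GET /shop/product_info.php?products_id=31 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Feb/2013:09:14:22 +0000] "GET /shop/tell_a_friend.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "request line", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def offending_ips(lines, phrase, threshold=1, ignore=()):
    """Return {ip: hits} for clients whose request line contains `phrase`
    (case-insensitive) at least `threshold` times. Addresses in `ignore`
    (your own office IP, monitoring hosts) are never reported."""
    hits = Counter()
    needle = phrase.lower()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined/common format line; skip rather than guess
        if m.group("ip") in ignore:
            continue
        if needle in m.group("request").lower():
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def csf_deny_commands(ips, phrase, temporary_secs=None):
    """Build the csf command line for each offending IP.

    csf -d  IP comment          permanent deny (written to csf.deny)
    csf -td IP ttl comment      temporary deny, expires after ttl seconds
    The comment is shell-quoted so it survives being pasted into a shell."""
    cmds = []
    for ip in sorted(ips):
        comment = shlex.quote(f"keyword block: {phrase} ({ips[ip]} hits)")
        if temporary_secs is None:
            cmds.append(f"csf -d {ip} {comment}")
        else:
            cmds.append(f"csf -td {ip} {temporary_secs} {comment}")
    return cmds


if __name__ == "__main__":
    # Ban after 2 hits so a single curious visitor is not blocked outright.
    bad = offending_ips(SAMPLE_LOG.splitlines(), "tell_a_friend.php", threshold=2)
    for cmd in csf_deny_commands(bad, "tell_a_friend.php", temporary_secs=86400):
        print(cmd)
```

Run it against the real log by replacing SAMPLE_LOG with the contents of the vhost's access log, and feed the printed commands to a shell only after reading them; a threshold above 1 plus an `ignore` list of your own addresses is what keeps a script like this from locking you out of your own server. The ModSecurity route is still preferable where it is available, because it denies the request as it arrives instead of after the spam run has already been logged.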