Issue
How to add an IP address to the graylist on a server with Imunify360 and CSF/LFD?
Environment
- Imunify360
- CSF
- Any OS
- Any panel
Solution
The IP address can be added to the graylist on servers with CSF through a custom LFD event:
- Create a separate log file to record events and IP addresses.
# touch /var/log/customgraylist
- In csf.conf, for CUSTOM1_LOG, specify the created file:
# cat /etc/csf/csf.conf | grep CUSTOM1
CUSTOM1_LOG = "/var/log/customgraylist"
- In the /usr/local/csf/bin/regex.custom.pm file, write a regexp that checks the created log, searches it for the entry, extracts the IP address from it and sends the IP address to be blocked via LFD events:
# "0" = whether to trigger Cloudflare block if CF_ENABLE is set. "0" = disable, "1" = enable
# Return values: message text, matched IP, rule identifier, trigger count, ports, block type
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of graylist/)) {
    return ("Graylisting for",$1,"imgraylist","3","80,443","1");
}
# If the matches in this file are not syntactically correct for perl then lfd
- Make sure the integration with CSF is enabled in Imunify360. This will cause the following changes in the logic of Imunify360 and CSF: https://docs.imunify360.com/ids_integration/#_3-rd-party-integration-mode
When some IP address is blocked by LFD, Imunify360 adds this IP address to its Graylist and then removes it from CSF deny/tempdeny lists. The latter is done to allow the IP to have access to the Captcha and to store all automatically blocked IP addresses in a single place. Thus, no IP is automatically added to CSF deny/tempdeny lists.
- Restart CSF and LFD, and check that LFD has identified the file to monitor:
# systemctl restart lfd
# csf -r
# cat /var/log/lfd.log | grep "/var/log/customgraylist"
Dec 20 10:13:38 1354153 lfd[17682]: Watching /var/log/customgraylist...
- Send three entries to the /var/log/customgraylist log about the IP to be sent to the graylist:
# echo "Dropping connection from 17.27.37.47 because of graylist" >> /var/log/customgraylist
# echo "Dropping connection from 17.27.37.47 because of graylist" >> /var/log/customgraylist
# echo "Dropping connection from 17.27.37.47 because of graylist" >> /var/log/customgraylist
- Verify that LFD handled this event and that the IP is now on the graylist:
# cat /var/log/lfd.log | grep "17.27.37.47"
Dec 20 10:14:24 1354153 lfd[18107]: (imgraylist) Graylisting for 17.27.37.47 (US/United States/-): 3 in the last 3600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
# ipset test i360.ipv4.graylist 17.27.37.47
Warning: 17.27.37.47 is in set i360.ipv4.graylist.
# ipset list | grep -e "^Name" -e "^17.27.37.47"
...
Name: i360.ipv4.graylist
17.27.37.47 timeout 267
...
With this approach, it is possible to add IP addresses to the graylist using custom LFD events.
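For use from a custom script, the manual echo step can be wrapped in a small helper that validates the address first, because the custom regex captures any non-whitespace token with (\S+) and LFD acts on whatever is written to the log. This is an added example, not part of the original article or of Imunify360/CSF; the function names is_ipv4 and graylist_ip and the GRAYLIST_LOG and TRIGGER_COUNT variables are assumptions, and it handles IPv4 addresses only.

```shell
#!/bin/sh
# Added example (not from the original article): queue an IPv4 address for
# graylisting by writing the trigger line matched in regex.custom.pm.
# GRAYLIST_LOG and TRIGGER_COUNT are assumed names; their defaults mirror
# CUSTOM1_LOG and the trigger level "3" used on this page.
GRAYLIST_LOG="${GRAYLIST_LOG:-/var/log/customgraylist}"
TRIGGER_COUNT="${TRIGGER_COUNT:-3}"

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
is_ipv4() {
    case "$1" in
        # Reject empty input, any character other than digits and dots,
        # and leading, trailing or doubled dots.
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# graylist_ip ADDR: append TRIGGER_COUNT trigger lines for ADDR to the log.
# Anything that is not a plain IPv4 address is refused, so untrusted input
# cannot place arbitrary tokens or extra lines in a file that LFD acts on.
graylist_ip() {
    if ! is_ipv4 "$1"; then
        echo "refusing to log invalid IPv4 address: $1" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$TRIGGER_COUNT" ]; do
        printf 'Dropping connection from %s because of graylist\n' "$1" >> "$GRAYLIST_LOG"
        i=$((i + 1))
    done
}
```

Source the file and call graylist_ip with the address; writing to the default log path requires the same privileges as the manual echo commands.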
Cause
Imunify360 provides no way to add an IP address directly to the graylist, but this is sometimes necessary, for example, for use in custom scripts on servers.