How to block a small IP range in csf

blockcsfip

I'm looking for a way to block a small ip range in csf, e.g. 151.80.31.103 to 151.80.31.115

I know how to block each ip by issuing a cmmand csf -d IP, but it is a lot more effective to have a way to block a small set of ip range, as the given example.

I have searched for a while, but not finding any relevant information.

Thanks for any hint!

Best Answer

If you have SSH access, you can manually edit the file /etc/csf/csf.deny with vim or emacs or your favorite text editor.

Here's a portion of the top of that file with some comments:

# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them

Given that information, use a subnet calculator (such as this one from MXtoolbox) to determine the smaller subnet. Given your criteria, one possible subnet suggested by mxtoolbox would be 151.80.31.96/27, which would filter everything from 151.80.31.96 through 151.80.31.127.

Make sure that you restart CSF afterwards with csf -r and then restart lfd with lfd -r.

Related Solutions

Get IP network range after reverse DNS

Is there any way to obtain an entire range of IPs from a reverse-DNS?

Not really, no; in extremely rare cases you might be able to do a DNS zone transfer query to get all the records in the zone (the whole /24, generally), but there's a very low chance that the name server you're querying will respond to this request. Expect one query per address for reverse DNS (sorry!).

Now, would it be safe to assume that all at least all IPs from 128.151.162.* will also resolve to rochester.edu?

Generally speaking, probably, as a university they're likely to own the whole /24. However, that's not a good rule to apply as a general case; a smaller school might not have a whole /24, or might not have it in reverse DNS.

The reverse DNS itself is going to be pretty hit-or-miss - in many cases it'll be just generated names under the ISP's hostnames or no records at all. For better data, we're going to make things even more expensive - you should also look at data from whois.

For example, here's the info from that Rochester IP - it shows the size of the allocation (the whole /16 range, so in this case that applies to 128.151.*.*) and the organization it's allocated to.

The whois info should provide a great source of truth for the info you want, and has the upside of being able to see what range that applies to. The downside is that for smaller allocations, a range will often just show as belonging to the ISP instead of the end customer. Combining both whois and reverse DNS should provide the best information (and be ridiculously slow).

Ubuntu – csf Integrated User Interface not working

it really helps to write a question here to find answer :P

while gathering info to write this question , when i was looking for csf log file to include in question i noticed that LFD has a separate log file here:

/var/log/lfd.log

there i found this line:

Sep 30 17:46:13 git lfd[6555]: *Error* Cannot run csf UI - Perl module IO::Socket::SSL required

even though i did installed it apparently csf -r does not restart lfd so it didn't notice it was installed , you should restart lfd separately with

sudo service lfd restart

also this related problem's solution which i found while searching might be useful to someone else : http://forum.configserver.com/viewtopic.php?f=5&t=4924

Best Answer

Related Solutions

Get IP network range after reverse DNS

Ubuntu – csf Integrated User Interface not working

Related Topic