Control Web Panel
Security => CSF Firewall => Topic started by: Emilius on June 23, 2025, 05:16:49 PM
-
I have created an intelligent analyzer and fixer script for the CSF firewall deny list and I would like to share it with everyone.
In short, what it does:
- Finds IPv4 /24 and IPv6 /64 or /128 subnets with more than 3 individual IPs.
- Reports those subnets with the associated comment.
- Detects and reports redundant IPs already covered by subnet blocks.
- Detects and reports duplicate subnet entries.
- Detects and reports entries older than 60 days.
- Detects and reports entries without a date stamp.
- To fix all of that call it with -fix
Let me know how you like it and whether there is anything else that would be smart to add.
https://www.simunovic.net/TMP/scfanalyzer.sh
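The checks listed above, as an added example written for this thread in Python (it is not the shell script at the link, nor any part of CSF): it parses csf.deny-style lines and reports crowded /24 and /64 subnets, single hosts already covered by a listed subnet, duplicate subnets, and entries that are stale or undated. The sample lines and the trailing "- <date>" stamp format are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample csf.deny content, not a real deny list. Lines are
# "<ip or cidr> # <comment>"; the trailing "- <date>" stamp format is assumed.
SAMPLE_DENY = """\
203.0.113.5 # lfd: (sshd) Failed SSH login - Mon Jun  2 10:00:00 2025
203.0.113.9 # lfd: (sshd) Failed SSH login - Tue Jun  3 11:00:00 2025
203.0.113.77 # lfd: (sshd) Failed SSH login - Wed Jun  4 12:00:00 2025
203.0.113.200 # lfd: (sshd) Failed SSH login - Thu Jun  5 13:00:00 2025
198.51.100.0/24 # manual: scanner block - Sun Jun 22 09:00:00 2025
198.51.100.0/24 # manual: scanner block (dup) - Sun Jun 22 09:05:00 2025
198.51.100.17 # lfd: (smtpauth) Failed SMTP AUTH - Sat Jun 21 08:00:00 2025
192.0.2.1 # old manual entry - Mon Jan  6 00:00:00 2025
192.0.2.2 # manual entry with no date stamp
2001:db8:1::1 # lfd: (sshd) Failed SSH login - Sun Jun 22 09:00:00 2025
"""
DATE_RE = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\d{4})\s*$")

def parse_deny(text):
    """Return (network, address as written, timestamp or None) per non-empty line."""
    entries = []
    for line in text.splitlines():
        addr, _, comment = line.strip().partition("#")
        if not addr.strip():
            continue
        m = DATE_RE.search(comment)
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y") if m else None
        entries.append((ipaddress.ip_network(addr.strip(), strict=False), addr.strip(), stamp))
    return entries

def analyze(text, now, min_hosts=3, max_age_days=60):
    entries = parse_deny(text)
    singles = [e for e in entries if e[0].num_addresses == 1]
    blocks = [e for e in entries if e[0].num_addresses > 1]
    # Group single hosts by /24 (IPv4) or /64 (IPv6); more than min_hosts in one is "crowded".
    groups = {}
    for net, _, _ in singles:
        groups.setdefault(net.supernet(new_prefix=24 if net.version == 4 else 64), []).append(net)
    crowded = {str(k): len(v) for k, v in groups.items() if len(v) > min_hosts}
    # Single hosts already inside a listed subnet are redundant; repeated subnets are duplicates.
    redundant = [a for n, a, _ in singles
                 if any(b.version == n.version and n.subnet_of(b) for b, _, _ in blocks)]
    duplicates = [str(b) for b, c in Counter(n for n, _, _ in blocks).items() if c > 1]
    cutoff = now - timedelta(days=max_age_days)
    stale = [a for _, a, s in entries if s and s < cutoff]
    undated = [a for _, a, s in entries if s is None]
    return {"crowded": crowded, "redundant": redundant, "duplicates": duplicates, "stale": stale, "undated": undated}
```

Against a live server, call `analyze(open("/etc/csf/csf.deny").read(), datetime.now())` and review the report before removing anything.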
-
Also recommended settings to fine tune SCF firewall
CSF Optimization Recommendations:
- LF_TRIGGER = 3 # Lower threshold to catch slower, stealthy attacks (default is often 10)
- LF_INTERVAL = 21600 # Longer observation window in seconds (6 hours) detects slow scans or attacks
- LF_PERMBLOCK = 1 # Enable permanent blocks for repeated offenders
- LF_PERMBLOCK_INTERVAL = 21600 # Time window in seconds (6 hours) to consider repeated offenses
- LF_PERMBLOCK_COUNT = 2 # Number of temp bans before an IP gets permanently blocked
- DENY_IP_LIMIT = 20000 # Allow a larger deny list size to prevent early purging
- LF_IPSET = 1 # Enable ipset for faster large-scale deny processing
- LF_IPSET_HASHSIZE = 4096 # Increase hash size to support thousands of entries
- LF_SELECT = 1 # Only log/select login failures (reduces false positives)
- PORTFLOOD = 22;tcp;5;60,25;tcp;10;60 # Rate-limit SSH and SMTP to protect against slow brute-force or spam
- LF_DSHIELD = 1 # Enable DShield blocklist (community-based malicious IPs)
- LF_SPAMHAUS = 1 # Enable Spamhaus blocklist (blocks known spam/malware IPs)
- LF_GREYLIST = 1 # Enable greylisting for suspicious IPs (adds delay, discourages bots)
-
CSF... are the scf references a mistake instead of csf?
Out of curiosity, why shell code instead of python or perl?
-
There are a couple: speed, native to Unix/Linux systems, lightweight with no dependencies, excellent for chaining tools, great for simple automation and cron jobs...
I did some benchmarks and shell is a winner for this.
-
Those are options in the csf.conf file.
Everyone has different tunes for their servers.
There are more efficient scripts out there directly from the RBLs like AbuseIPDB.
We finally got knocked out of 8th place.
https://submit.spamhaus.org/leaderboards/ip/