Author Topic: CSF analyzer

CSF analyzer
« on: June 23, 2025, 05:16:49 PM »
I have created an intelligent analyzer and fixer script for the CSF firewall deny list and I would like to share it with everyone.
In short, what it does:
- Finds IPv4 /24 and IPv6 /64 or /128 subnets with more than 3 individual IPs.
- Reports those subnets with the associated comment.
- Detects and reports redundant IPs already covered by subnet blocks.
- Detects and reports duplicate subnet entries.
- Detects and reports entries older than 60 days.
- Detects and reports entries without a date stamp.
- To fix all of that, call it with -fix

Let me know how you like it and whether there is anything else that would be smart to add.

https://www.simunovic.net/TMP/scfanalyzer.sh
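The checks listed above, as an added Python illustration written for this thread (it is not the author's shell script and not CSF's own code). It assumes csf.deny lines of the form `IP-or-CIDR # comment`, with lfd's trailing ctime-style date at the end of the comment, and runs on a constructed sample; the clustering rule is applied to IPv6 /64 as well as IPv4 /24.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed csf.deny sample (not from a real server); lfd comments end in a ctime-style date.
SAMPLE = """\
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10: 5 in 3600 secs - Fri Jun 20 10:00:00 2025
192.0.2.11 # lfd: (sshd) Failed SSH login from 192.0.2.11: 5 in 3600 secs - Fri Jun 20 10:05:00 2025
192.0.2.12 # lfd: (sshd) Failed SSH login from 192.0.2.12: 5 in 3600 secs - Fri Jun 20 10:10:00 2025
192.0.2.13 # lfd: (sshd) Failed SSH login from 192.0.2.13: 5 in 3600 secs - Fri Jun 20 10:15:00 2025
198.51.100.0/24 # manual block of a scanning range - Mon Mar  3 08:00:00 2025
198.51.100.7 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.7 - Tue Jun 17 12:00:00 2025
198.51.100.7 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.7 - Tue Jun 17 12:00:00 2025
203.0.113.9 # added by hand, no timestamp
"""
NOW = datetime(2025, 6, 23, 17, 16)  # fixed "now" so the report is reproducible
DATE_RE = re.compile(r"-\s+(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$")

def parse_line(line):
    # Returns (network, comment, datetime-or-None); None for blank, '#' and csf advanced-syntax lines.
    addr, _, comment = line.strip().partition("#")
    try:
        net = ipaddress.ip_network(addr.strip(), strict=False)  # bare IP -> /32 or /128
    except ValueError:
        return None
    m = DATE_RE.search(comment)
    return net, comment.strip(), datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None

def label(net):  # single host -> plain IP, otherwise CIDR
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def analyze(text, now=NOW, min_hosts=3, max_age_days=60):
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    singles = [e for e in entries if e[0].num_addresses == 1]
    blocks = [e for e in entries if e[0].num_addresses > 1]
    groups = defaultdict(list)  # /24 for IPv4, /64 for IPv6 -> the individual entries inside it
    for net, comment, _ in singles:
        groups[net.supernet(new_prefix=24 if net.version == 4 else 64)].append((net, comment))
    subnets = {}
    for supernet, hosts in groups.items():
        ips = sorted({n for n, _ in hosts})
        if len(ips) > min_hosts:  # enough distinct hosts that one subnet entry should replace them
            subnets[str(supernet)] = {"ips": [label(n) for n in ips], "comment": hosts[0][1]}
    return {
        "subnets": subnets,
        "redundant": {label(n): str(b) for n, _, _ in singles for b, _, _ in blocks
                      if b.version == n.version and n.subnet_of(b)},
        "duplicates": [label(n) for n, c in Counter(x for x, _, _ in entries).items() if c > 1],
        "undated": [label(n) for n, _, s in entries if s is None],
        "stale": [label(n) for n, _, s in entries if s and now - s > timedelta(days=max_age_days)],
    }
```

Run it on a real csf.deny by passing the file's contents to analyze(); the returned dict is the report, and applying it (replacing the listed hosts with the subnet, dropping covered and duplicate entries) is a separate step.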

Re: CSF analyzer
« Reply #1 on: Today at 01:00:58 AM »
Also, recommended settings to fine-tune the SCF firewall.

CSF Optimization Recommendations:
 - LF_TRIGGER = 3   # Lower threshold to catch slower, stealthy attacks (default is often 10)
 - LF_INTERVAL = 21600   # Longer observation window in seconds (6 hours) detects slow scans or attacks
 - LF_PERMBLOCK = 1   # Enable permanent blocks for repeated offenders
 - LF_PERMBLOCK_INTERVAL = 21600   # Time window in seconds (6 hours) to consider repeated offenses
 - LF_PERMBLOCK_COUNT = 2   # Number of temp bans before an IP gets permanently blocked
 - DENY_IP_LIMIT = 20000   # Allow a larger deny list size to prevent early purging
 - LF_IPSET = 1   # Enable ipset for faster large-scale deny processing
 - LF_IPSET_HASHSIZE = 4096   # Increase hash size to support thousands of entries
 - LF_SELECT = 1   # Only log/select login failures (reduces false positives)
 - PORTFLOOD = 22;tcp;5;60,25;tcp;10;60   # Rate-limit SSH and SMTP to protect against slow brute-force or spam
 - LF_DSHIELD = 1   # Enable DShield blocklist (community-based malicious IPs)
 - LF_SPAMHAUS = 1   # Enable Spamhaus blocklist (blocks known spam/malware IPs)
 - LF_GREYLIST = 1   # Enable greylisting for suspicious IPs (adds delay, discourages bots)

Re: CSF analyzer
« Reply #2 on: Today at 01:23:35 AM »
CSF... are the "scf" references a mistake instead of "csf"?
Out of curiosity, why shell code instead of Python or Perl?

Re: CSF analyzer
« Reply #3 on: Today at 01:43:32 AM »
There are a couple: speed, native to Unix/Linux systems, lightweight with no dependencies, excellent for chaining tools, great for simple automation and cron jobs...

I did some benchmarks and shell is the winner for this.

Re: CSF analyzer
« Reply #4 on: Today at 01:45:00 AM »
Those are options in the csf.conf file.

Everyone has different tunes for their servers.

There are more efficient scripts out there directly from the RBLs, like AbuseIPDB.

We finally got knocked out of 8th place.
https://submit.spamhaus.org/leaderboards/ip/
« Last Edit: Today at 01:48:22 AM by Starburst »

Re: CSF analyzer
« Reply #5 on: Today at 04:42:47 AM »
Yes, I know, but there are some key elements missing for my needs. My script does subnet consolidation (/24, /64 and /128) and checks aging, duplicates and coverage. Also, my script has native CSF integration, works 100% offline and is focused on local firewall optimization based on observed log patterns. Also, one major key difference is real-time subnet control without any outdated confidence score. Botnets are changing subnets all the time and in my opinion any kind of scoring is more or less useless, sorry. I catch them very fast and block the whole subnet for the next 2 months after it gets dropped from the list. By that time they will use another subnet range anyway...

Like you mention, everyone has different needs. I could not find anything close to what I had in mind, so I built it myself. Simple and convenient. It needs 2 seconds to burst through my deny list. It is just a little addition to the already existing excellent firewall and deny list.

I chose to share it with others. That is all. Plain and simple.

BTW, these options in the csf.conf file are there to fine-tune your server for your needs. Again, changing some of these options will help a lot to catch these slow botnet attacks. That is why I mentioned it. You have to know that we are not all IT geeks. Like myself, I have to study all of it before I say ahhhh :o