cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL FIX: Add timeout to chain_DENY ipset blocks (prevent permanent bans)

Browse Source 
Issue: When adding IPs to CSF's chain_DENY ipset, no timeout was specified
Result: IPs were permanently blocked instead of 1-hour temporary ban

Before:
  ipset add chain_DENY \"$ip\" -exist 2>/dev/null
  → Permanent block (until manually removed)

After:
  ipset add chain_DENY \"$ip\" timeout 3600 -exist 2>/dev/null
  → Temporary 1-hour block (auto-removes)
  → Falls back to permanent if chain_DENY doesn't support timeouts

Impact:
- SYN attackers now get 1-hour temporary blocks, not permanent bans
- Consistent with primary ipset blocking (also 3600s timeout)
- Allows legitimate services to recover after attack ends
- CSF -td fallback still manages timeout if needed

Verification:
- Tries timeout first (modern CSF/ipset)
- Falls back to permanent if timeout not supported
- Syntax validated

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 22:11:23 -05:00
parent b747882ba1
commit c47b02621b
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+8 -2
View File
@@ -984,8 +984,14 @@ batch_block_ips() {
fi
# Add directly to CSF's chain_DENY ipset (instant kernel-level blocking)
if ipset add chain_DENY "$ip" -exist 2>/dev/null; then
echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
# Include 1-hour timeout if chain_DENY supports it
if ipset add chain_DENY "$ip" timeout 3600 -exist 2>/dev/null; then
echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip (timeout 1h)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
((blocked++))
echo "$ip" >> "$TEMP_DIR/blocked_ips_cache"
elif ipset add chain_DENY "$ip" -exist 2>/dev/null; then
# Fallback: chain_DENY doesn't support timeout (CSF will manage via csf -td in background)
echo "[$(date +"%H:%M:%S")] BATCH_BLOCK: chain_DENY ipset SUCCESS for $ip (no timeout - CSF managed)" >> "$TEMP_DIR/debug.log" 2>/dev/null || true
((blocked++))
echo "$ip" >> "$TEMP_DIR/blocked_ips_cache"
else