c47b02621b
Issue: When adding IPs to CSF's chain_DENY ipset, no timeout was specified
Result: IPs were permanently blocked instead of 1-hour temporary ban

Before:
  ipset add chain_DENY \"$ip\" -exist 2>/dev/null
  → Permanent block (until manually removed)

After:
  ipset add chain_DENY \"$ip\" timeout 3600 -exist 2>/dev/null
  → Temporary 1-hour block (auto-removes)
  → Falls back to permanent if chain_DENY doesn't support timeouts

Impact:
- SYN attackers now get 1-hour temporary blocks, not permanent bans
- Consistent with primary ipset blocking (also 3600s timeout)
- Allows legitimate services to recover after attack ends
- CSF -td fallback still manages timeout if needed

Verification:
- Tries timeout first (modern CSF/ipset)
- Falls back to permanent if timeout not supported
- Syntax validated

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
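
One way to write the add-with-fallback step so the caller can tell whether the block is temporary or permanent (an added example, not the code from this commit; `block_ip` and `IPSET_CMD` are hypothetical names, and the 3600-second default mirrors the value in the message above):

```shell
#!/bin/sh
# Added example, not the project's code.
# IPSET_CMD (hypothetical) names the command to run; it defaults to the real
# ipset binary and can be pointed at a stub for offline testing.
IPSET_CMD="${IPSET_CMD:-ipset}"

# block_ip SET IP [SECONDS]
# Tries a timed entry first, then an untimed one.
# Prints the mode that was applied:
#   temporary  entry expires after SECONDS
#   permanent  set has no timeout support; entry stays until removed
#   failed     neither add succeeded (exit status 1)
block_ip() {
    set_name=$1
    ip=$2
    ttl=${3:-3600}

    if $IPSET_CMD add "$set_name" "$ip" timeout "$ttl" -exist 2>/dev/null; then
        echo "temporary"
    elif $IPSET_CMD add "$set_name" "$ip" -exist 2>/dev/null; then
        # The timed add was rejected, so this is the fallback path:
        # the entry never expires on its own.
        echo "permanent"
    else
        echo "failed"
        return 1
    fi
}
```

A `permanent` result is worth logging, since that entry stays in the set until something else removes it.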