I'm running 2 cPanel servers with the ConfigServer Security & Firewall plugin. One of the functions of the plugin is to block via iptables (temporarily and/or permanently) IPs which fail various authentications (POP3/IMAP, SMTP, FTP, webmail, mod_security and such).
Now, I'd like to push those IP blocks to the border router to drop packets as soon as possible (and in doing so protect the other machines on the network).
Keep in mind that after N failed logins the IP is blocked for 5 minutes, then re-allowed. If multiple bans occur in an hour the IP is blocked permanently and should be unblocked "by hand". So I need a near-realtime solution.
What I'm looking for is a better way than firing some cronjobs both on cPanels and border router to:
- dump the rules to file
- transfer the file to border router (via scp/sftp)
- load the rules from the file in the border router
I'm aware that I will need some scripts to parse and modify the rules, as the cPanel boxes have one ethernet interface and some aliases while the border router has two ethernet interfaces and some loopbacks.
All machines involved use Linux.
EDIT, as per @pjmorse's comment:
The plugin consists of a bunch of perl and config files. The part I'm interested in is a process which scans logfiles (`lfd`) and installs iptables rules (and sends an alert email). Fact is, it upgrades quite often (one or two times a week) and is itself >7000 lines of perl, so I'm not comfortable tampering with it.

One solution that would provide a realtime 'transfer' would be to replace `iptables` with a script that calls `iptables` on the router. Set up `/path/to/override/iptables` as a script which runs

    ssh root@routerhost iptables "$@"

and set

    PATH="/path/to/override:$PATH"

Now whenever the plugin goes looking for `iptables` it'll find the one in `/path/to/override`, since it was specified first in `$PATH`. It'll run the script, which passes all the arguments the script received to `iptables` on `routerhost`. However, if the plugin uses an absolute path to `iptables`, you will instead have to manually change the path in the plugin.
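As an added example (not from the original question or answer), here is one way to write that override script. It differs from the bare `ssh ... iptables "$@"` above in two ways a practitioner would want: it still runs the real `iptables` locally, so the cPanel host's own firewall keeps working, and it only mirrors rules that look like a ban (a `-s` source address with a DROP target), rewriting the local interface and chain names for the router. The real iptables path, the router login, the interface names, the router-side chain and the assumed shape of the rule `lfd` installs are all assumptions, not facts from the page.

```sh
#!/bin/sh
# Added example, not from the original post: a wrapper to install as
# /path/to/override/iptables (assumed path). It applies the rule locally with
# the real iptables, then mirrors single-source-IP DROP rules (the shape lfd's
# bans are assumed to take) to the border router over ssh, swapping the cPanel
# host's interface and chain names for the router's. Every value below is an
# assumption; override it from the environment.

REAL_IPTABLES="${REAL_IPTABLES:-/sbin/iptables}"   # the binary we shadow in PATH
ROUTER_SSH="${ROUTER_SSH:-ssh}"                    # transport; set to "echo" to dry-run
ROUTER="${ROUTER:-root@routerhost}"                # login on the border router
LOCAL_IFACE="${LOCAL_IFACE:-eth0}"                 # cPanel host's interface
ROUTER_IFACE="${ROUTER_IFACE:-eth1}"               # router's upstream interface
ROUTER_CHAIN="${ROUTER_CHAIN:-CSF_BANS}"           # dedicated chain on the router

# is_ban_rule ARGS...: succeed only for rules that carry a source address and
# jump to DROP, so unrelated iptables calls (flushes, ACCEPTs, deletes by rule
# number) stay local and never reach the router.
is_ban_rule() {
    has_src=0; has_drop=0; prev=""
    for a in "$@"; do
        case "$prev" in
            -s|--source) has_src=1 ;;
            -j|--jump) [ "$a" = DROP ] && has_drop=1 ;;
        esac
        prev=$a
    done
    [ "$has_src" -eq 1 ] && [ "$has_drop" -eq 1 ]
}

# translate_rule ARGS...: print the argv to run on the router. The interface
# after -i/-o is replaced by the router's when it names the local one, the
# chain after -I/-A/-D by the router's dedicated chain; the address, any
# insert position and the target are kept as they are.
translate_rule() {
    out=""; prev=""
    for a in "$@"; do
        case "$prev" in
            -i|--in-interface|-o|--out-interface)
                [ "$a" = "$LOCAL_IFACE" ] && a=$ROUTER_IFACE ;;
            -I|--insert|-A|--append|-D|--delete)
                a=$ROUTER_CHAIN ;;
        esac
        out="${out}${out:+ }$a"
        prev=$a
    done
    printf '%s\n' "$out"
}

# mirror_rule ARGS...: ship the translated rule to the router and return the
# transport's exit status. Addresses and chain names contain no whitespace,
# so word-splitting $rule back into arguments is safe here.
mirror_rule() {
    rule=$(translate_rule "$@") || return 1
    # shellcheck disable=SC2086
    $ROUTER_SSH "$ROUTER" iptables $rule
}

main() {
    "$REAL_IPTABLES" "$@" || exit $?        # local firewall first, as before
    if is_ban_rule "$@"; then
        mirror_rule "$@" || logger -t iptables-mirror "router mirror failed: $*"
    fi
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Two notes on using it. First, `ssh root@routerhost` in a loop driven by a log parser means a compromised cPanel host holds a key that runs commands as root on the router; restrict that key in the router's `authorized_keys` with a `command=` forced command that validates `SSH_ORIGINAL_COMMAND` is an `iptables` call against the dedicated chain before executing it, and create that chain (and a jump into it from INPUT/FORWARD) on the router beforehand. Second, because only rules carrying a `-s` address are mirrored, an unban that `lfd` performs by deleting a rule number rather than by rule specification would not propagate; check how the installed version removes expired blocks before relying on this.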