CSF no longer blocking mod_security

Post Reply
JulesR
Junior Member
Posts: 14
Joined: 17 Jun 2009, 05:01

CSF no longer blocking mod_security

Post by JulesR »

Using Litespeed 4.2.16. Excerpts of our /usr/local/apache/logs/error_log:

Code: Select all

[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 104.128.231.3] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
CSF/LFD is not blocking them. No errors are logged in /var/log/lfd.log, these entries are just seemingly ignored. Our logging format hasn't changed at all, has anything changed in LFD/CSF recently?

I've checked and this is the same behaviour on all of our servers. The only things that have changed are the recent BASH updates (which should not be relevant or related) and a recent Litespeed update.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CSF no longer blocking mod_security

Post by ForumAdmin »

The regexes and csf provide no support for litespeed. However, if you ignore that odd initial [modsecurity] on the log line, then this line which resembles a correct Apache log line:

Code: Select all

[Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
Does indeed trigger the regex:

Code: Select all

Sep 30 22:05:47 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 1 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 2 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 3 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[169869]: (mod_security) mod_security (id:5000135) triggered by 95.211.131.148 (NL/Netherlands/-/-/LLNH007.local): 3 in the last 3600 secs - *Blocked in csf* for 666 secs [LF_MODSEC]
JulesR
Junior Member
Posts: 14
Joined: 17 Jun 2009, 05:01

Re: CSF no longer blocking mod_security

Post by JulesR »

That's correct, I just noticed the recent Litespeed update prepended "[modsecurity]" to the start of these lines.

I've reported this issue to Litespeed: http://www.litespeedtech.com/support/fo ... _log.9904/

In the meantime, in case Litespeed take a long time to release a fix, could you please perhaps add this as an alternative regex?
optize
Junior Member
Posts: 26
Joined: 10 May 2009, 18:28

Re: CSF no longer blocking mod_security

Post by optize »

Has there been any news to this? I'd like to get it fixed as well.
optize
Junior Member
Posts: 26
Joined: 10 May 2009, 18:28

Re: CSF no longer blocking mod_security

Post by optize »

This has been fixed by Litespeed in the latest release.
JulesR
Junior Member
Posts: 14
Joined: 17 Jun 2009, 05:01

Re: CSF no longer blocking mod_security

Post by JulesR »

It was fixed in the release before the latest one, that's correct. Details can be found in the link i provided to Litespeed's forum.
Post Reply