LF_MODSEC_PERM ignored

linux-tech
Junior Member
Posts: 1
Joined: 27 May 2011, 11:15

LF_MODSEC_PERM ignored

Post by linux-tech »

This really needs to be addressed here.
It appears that there is absolutely no reference to LF_MODSEC_PERM in code at all.
One would expect (rightly so) that if an option is set (LF_MODSEC_PERM) it would be utilized properly, but not so much here.

There needs to be a way to temporarily ban these individuals, without actually banning them entirely.

LF_PERMBLOCK is set to 0 as well, so the modsec ban is clearly ignoring everything as far as configuration goes and just automatically perm blocking things. NOT good!

ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: LF_MODSEC_PERM ignored

Post by ForumAdmin »

You've got something configured differently, as it certainly does work. It works in an identical way to all the other similar settings around it:

[Sat May 01 10:52:46 2014] [error] [client 94.41.178.204] ModSecurity: Access denied with code 403 (phase 2). Pattern match "indy library" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec/20_asl_useragents.conf"] [line "174"] [id "330036"] [rev "1"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Suspicious User agent detected"] [severity "CRITICAL"] [hostname "forum.configserver.com"] [uri "/register.php"] [unique_id "S9v57lUNw@sAAFHNRgAAAAAE"]
[Sat May 01 10:52:46 2014] [error] [client 94.41.178.204] ModSecurity: Access denied with code 403 (phase 2). Pattern match "indy library" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec/20_asl_useragents.conf"] [line "174"] [id "330036"] [rev "1"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Suspicious User agent detected"] [severity "CRITICAL"] [hostname "forum.configserver.com"] [uri "/register.php"] [unique_id "S9v57lUNw@sAAFHNRgAAAAAE"]
[Sat May 01 10:52:46 2014] [error] [client 94.41.178.204] ModSecurity: Access denied with code 403 (phase 2). Pattern match "indy library" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec/20_asl_useragents.conf"] [line "174"] [id "330036"] [rev "1"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Suspicious User agent detected"] [severity "CRITICAL"] [hostname "forum.configserver.com"] [uri "/register.php"] [unique_id "S9v57lUNw@sAAFHNRgAAAAAE"]

Produces:

Apr 21 10:43:09 homer lfd[863801]: (mod_security) mod_security (id:330036) triggered by 94.41.178.204 (RU/Russian Federation/Khabarovsk/Orenburg/host-94-41-178-204.unknown.o56.ru): 3 in the last 3600 secs - *Blocked in csf* for 666 secs [LF_MODSEC]

And a temporary block:

DENY 94.41.178.204 * inout 11m 2s lfd - (mod_security) mod_security (id:330036) triggered by 94.41.178.204 (RU/Russian Federation/Khabarovsk/Orenburg/host-94-41-178-204.unknown.o56.ru): 3 in the last 3600 secs

With settings of:

LF_MODSEC = "3"
LF_MODSEC_PERM = "666"

You have either forgotten to restart lfd after making changes, or have LF_TRIGGER enabled.
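Added example, not part of the original thread and not csf's own code: a small Python model of the counting shown in the reply above, useful for checking which block a given LF_MODSEC / LF_MODSEC_PERM pair should produce from an Apache error log. It assumes the csf convention that a `_PERM` value of 1 means a permanent block and a larger value is a temporary block in seconds, assumes the hit counter resets after a block, does not model LF_TRIGGER, and runs on constructed log lines with documentation-range IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches Apache 2.2-style ModSecurity denial lines like those quoted in the thread.
DENIED = re.compile(
    r'^\[\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[error\] '
    r'\[client ([0-9A-Fa-f.:]+)\] ModSecurity: Access denied.*?\[id "(\d+)"\]')

def block_action(perm):
    """Assumed _PERM semantics: 1 = permanent, N > 1 = temporary for N seconds."""
    if perm == 1:
        return "permanent", None
    if perm > 1:
        return "temporary", perm
    raise ValueError("this model only handles LF_MODSEC_PERM >= 1")

def simulate(lines, lf_modsec, lf_modsec_perm, interval_secs=3600):
    """Return (ip, rule_id, hits, kind, seconds) for each block the settings cause."""
    kind, seconds = block_action(lf_modsec_perm)
    recent = defaultdict(deque)           # ip -> denial timestamps inside the window
    blocks = []
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue                      # not a ModSecurity denial
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        ip, rule_id = m.group(2), m.group(3)
        hits = recent[ip]
        hits.append(when)
        while (when - hits[0]).total_seconds() > interval_secs:
            hits.popleft()                # drop hits older than the window
        if len(hits) >= lf_modsec:
            blocks.append((ip, rule_id, len(hits), kind, seconds))
            hits.clear()                  # assumption: counter resets after a block
    return blocks

def _line(ts, ip):                        # builds one constructed sample line
    return (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 403 '
            f'(phase 2). Pattern match "indy library" [id "330036"] [uri "/register.php"]')

SAMPLE = [                                # constructed log, chronological order
    _line("Thu May 01 07:00:00 2014", "192.0.2.5"),      # hits too far apart: no block
    _line("Thu May 01 08:30:00 2014", "192.0.2.5"),
    _line("Thu May 01 10:52:46 2014", "203.0.113.7"),
    _line("Thu May 01 10:52:47 2014", "203.0.113.7"),
    '[Thu May 01 10:52:51 2014] [error] [client 203.0.113.7] File does not exist: /x',
    _line("Thu May 01 10:52:52 2014", "203.0.113.7"),    # third hit inside the window
    _line("Thu May 01 10:55:00 2014", "192.0.2.5"),
]
```

Calling `simulate(SAMPLE, 3, 666)` models the settings quoted in the reply; passing `1` as the third argument shows the permanent-block case the original poster was seeing.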