Hi, I have a server with WHM and MOD SECURITY installed. "ConfigServer ModSecurity Control - cmc v3.03"
We discovered that Mod_security is not blocking, is just saving the data.
root@server:~# grep ' ModSecurity: Access denied' /usr/local/apache/logs/modsec_audit.log | wc -l
0
root@server:~# grep ' ModSecurity: Warning' /usr/local/apache/logs/error_log | wc -l
126525
Which could be the cause?
In Home > Security Center > ModSecurity™ Configuration > Configure Global Directives
I have Connections Engine PROCESS THE RULES
Rules Engine: Process the rules.
And in Home > Security Center > ModSecurity™ Vendors > Manage Vendors
I have:
ConfigServer ON
OWASP CRS v3.x for ModSec 2.9 (via pkg) ON
Thanks,
Francisco
Mod_security is not blocking
Re: Mod_security is not blocking
Francisco,
CMC does not block any IP, the one that should block the IP is CSF, check the following options:
Sergio
CMC does not block any IP, the one that should block the IP is CSF, check the following options:
Also, in WHM you should check that the ModSecurity option is ENABLED under the /Packages/Feature Manager[*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = Default: 5 [0-100]
LF_MODSEC_PERM = Default: 1 [0-604800]
Sergio
Re: Mod_security is not blocking
Hi, I have checked
WHM > Plugins > ConfigServer Security & Firewall
EDIT CONFIGURATION >
and I see this
LF_MODSEC = 6 Default: 5 [0-100]
LF_MODSEC_PERM = 1 Default: 1 [0-604800]
Also I have enabled ModSecurity in /Packages/Feature Manager
But it still doesnt block me.
in any site for example
https://www.mysite.com/?../../../../etc/passwd
Any other idea?
Thanks,
WHM > Plugins > ConfigServer Security & Firewall
EDIT CONFIGURATION >
and I see this
LF_MODSEC = 6 Default: 5 [0-100]
LF_MODSEC_PERM = 1 Default: 1 [0-604800]
Also I have enabled ModSecurity in /Packages/Feature Manager
But it still doesnt block me.
in any site for example
https://www.mysite.com/?../../../../etc/passwd
Any other idea?
Thanks,
Re: Mod_security is not blocking
Yes,
you can create your own CSF rule to block modsecurity attacks.
Please read my post at:
https://forum.configserver.com/viewtopi ... 708#p32708
In that post I wrote a rule that you can use to block ModSec attacks, you will need to write the rules that you want to block and CSF will block the IPs that triggered that rules.
Sergio
you can create your own CSF rule to block modsecurity attacks.
Please read my post at:
https://forum.configserver.com/viewtopi ... 708#p32708
In that post I wrote a rule that you can use to block ModSec attacks, you will need to write the rules that you want to block and CSF will block the IPs that triggered that rules.
Sergio
Re: Mod_security is not blocking
Hi!Sergio wrote: ↑18 Dec 2023, 04:26 Yes,
you can create your own CSF rule to block modsecurity attacks.
Please read my post at:
https://forum.configserver.com/viewtopi ... 708#p32708
In that post I wrote a rule that you can use to block ModSec attacks, you will need to write the rules that you want to block and CSF will block the IPs that triggered that rules.
Sergio
I have read your other post.
How do I add those manual rules ? Where do I add them?
Thanks,
Re: Mod_security is not blocking
You can add rules for CSF on the file:
/usr/local/csf/bin/regex.custom.pm
and after you add your rules you have to restart LFD in order for them to start working.
Be very carful adding rules in there as a bad written rule can make your server down.
Please read CSF readme file to know about this.
Sergio
/usr/local/csf/bin/regex.custom.pm
and after you add your rules you have to restart LFD in order for them to start working.
Be very carful adding rules in there as a bad written rule can make your server down.
Please read CSF readme file to know about this.
Sergio