CSF cxs modsecurity trigger HELP please?

2 posts Page 1 of 1
splicesite
Junior Member
Posts: 1
Joined: 11 Sep 2019, 04:43


Hello. Well the cxs subforum looks sort of dead so I'll try this as a start, but maybe this is more appropriate for a ticket. I've read all I can stand about this and just am looking for some simple guidance on an IP block rule concerning the following.

I figured out how to tweak IP address blocking for modsecurity hits in CSF which was a huge help! Bear with me though.

OK, so this access log entry, from some exploiting bot trying to write to /tmp:
POST /wp-admin/admin-ajax.php HTTP/1.1" 302

Triggers the modsecurity action logged in apache/error_log:
ModSecurity: Access denied with code 406 (phase 2). File "/tmp/xxx" rejected by the approver script "/etc/cxs/cxscgi.sh": 0 [file "/etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf"] [line "7"] [id "1010101"] [msg "ConfigServer Exploit Scanner (cxs) triggered"] [severity "CRITICAL"] [hostname "xxx.net"] [uri "/wp-admin/admin-ajax.php"] [unique_id "XXhRl7j1eF4u6@7r-Bm42QAAAAU"]

And then the associated IP is banned as seen in lfd.log:
(cxs) cxs mod_security triggered by xx.xx.xx.xx (US/United States/reversedns.xxx): 1 in the last 3600 secs - *Blocked in csf* [LF_CXS]

I get that.

I see the rule in 00_configserver.conf that somehow makes this process work:
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101',msg:'ConfigServer Exploit Scanner (cxs) triggered'"


OK, I'm getting this so far, sort of.

Here is my question.

How can I make a rule or change a setting to automatically block IP addresses for modsecurity hits such as the examples below (so such events are recognized as a modsecurity hit by cxs)?:

ModSecurity: Multipart parsing error: Multipart: No boundaries found in payload. [hostname "xxx.com"] [uri "/wp-admin/admin-post.php"] [unique_id "XXhb3aknKPJexZMvviJ6twAAAAk"]

or

ModSecurity: Internal error: REQUEST_BODY phase incomplete for input filter in phase 1 [hostname "xxx.com"] [uri "/index.php"] [unique_id "XXhb3aknKPJexZMvviJ6twAAAAk"]


or

ModSecurity: Multipart parsing error: Multipart: Invalid Content-Disposition header (-10): form-data; name="file_upload"; filename="xxx.php. [hostname "www.xxx.org"] [uri "/index.php"] [unique_id "XXZQZTIJ41lQHEVztUTpiwAAABo"]


That is my question. Any help or guidance is appreciated. I'm happy to pay for help with this. Getting a lot of injection/exploit attempts from bots using these and similar strategies that I'd like to reduce with IP blocks.

Does a commercial product like the Atomic ModSecurity rules cover things like this, and allow for a cxs trigger and CSF IP block? Or not.

Sorry for my poor understanding of this.

Thanks so much!!
BallyBasic79
Junior Member
Posts: 24
Joined: 22 Aug 2019, 21:43


Presuming you have LF_MODSEC enabled in CSF. Please confirm.

The way CSF catches MODSEC violations depends on the server and modsec versions as well as the LF_CXS setting. See RegexMain.pm for details of the specific syntax.

Presuming you have LF_MODSEC enabled sufficiently, you can mop up violations that CSF misses with custom regex rules for CSF. See the forum thread for details on how to configure them.

Important: Be sure to look in csf.conf to compare where it is looking for MODSEC_LOG with the log you are looking at. They may or may not be the same log.

Does this help?

You helped me. Looking at my own MODSEC_LOG in preparing this response, I see some issues that LF_MODSEC is not catching for which I will add custom rules. This includes users repeatedly trying various sensitive URLs "File not found" before getting caught by something that modsecurity does flag.
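The custom regex approach suggested above, worked through for the three error_log lines in the question, as an added example that is neither the original poster's file nor anything shipped by ConfigServer. It assumes the rules live in /usr/local/csf/bin/regex.custom.pm, that csf.conf has CUSTOM1_LOG pointed at the same Apache error_log that MODSEC_LOG names (the path below is a placeholder), and that the error_log lines carry the client address in the Apache 2.4 form "[client a.b.c.d:port]", which the question's quoted lines omit. The identifiers (modsec_multipart, modsec_reqbody), trigger count, ports and block duration are chosen for illustration; adjust them to taste. The "Invalid Content-Disposition header" line is a multipart parsing error too, so the first rule covers it as well as the "No boundaries found" line.

```perl
#!/usr/bin/perl
# Added example for /usr/local/csf/bin/regex.custom.pm (not the poster's file,
# not ConfigServer's code). Assumes csf.conf contains, for example:
#   CUSTOM1_LOG = "/usr/local/apache/logs/error_log"   # placeholder path: use the
#                                                       # same file as MODSEC_LOG
# and that Apache writes the client as "[client 203.0.113.5:51234]" (IPv4 only
# is handled here).
use strict;
use warnings;

# lfd fills this from the CUSTOM*_LOG settings; declared so the stand-alone
# self-test at the bottom can populate it when the file is run directly.
our %globlogs;

sub custom_line {
    my $line   = shift;
    my $lgfile = shift;

    # Only consider lines that come from the log configured as CUSTOM1_LOG
    if ($globlogs{CUSTOM1_LOG}{$lgfile}) {
        # First IPv4 address in an Apache "[client a.b.c.d:port]" field
        if ($line =~ /\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]/) {
            my $ip = $1;

            # Rule 1: multipart body ModSecurity could not parse (covers both
            # "No boundaries found" and "Invalid Content-Disposition header")
            if ($line =~ /ModSecurity: Multipart parsing error:/) {
                # Return format expected by lfd:
                # (message, ip, unique id, trigger count, ports, block seconds)
                return ("ModSecurity multipart parsing error from", $ip,
                        "modsec_multipart", "3", "80,443", "3600");
            }

            # Rule 2: request body phase left incomplete by the input filter
            if ($line =~ /ModSecurity: Internal error: REQUEST_BODY phase incomplete/) {
                return ("ModSecurity REQUEST_BODY phase error from", $ip,
                        "modsec_reqbody", "3", "80,443", "3600");
            }
        }
    }
    return 0;    # no match: let lfd's built-in regexes handle the line
}

# Stand-alone self-test over constructed log lines (ignored when lfd loads
# the file via require/do, because then caller() is defined).
unless (caller) {
    my $log = "/usr/local/apache/logs/error_log";    # placeholder path
    $globlogs{CUSTOM1_LOG}{$log} = 1;
    my @sample = (
        '[Tue Sep 10 12:00:00.000001 2019] [:error] [pid 1234] [client 203.0.113.5:51234] ModSecurity: Multipart parsing error: Multipart: No boundaries found in payload. [hostname "xxx.com"] [uri "/wp-admin/admin-post.php"]',
        '[Tue Sep 10 12:00:01.000001 2019] [:error] [pid 1234] [client 198.51.100.7:40000] ModSecurity: Internal error: REQUEST_BODY phase incomplete for input filter in phase 1 [hostname "xxx.com"] [uri "/index.php"]',
        '[Tue Sep 10 12:00:02.000001 2019] [:error] [pid 1234] [client 192.0.2.9:50000] AH01630: client denied by server configuration',
    );
    for my $l (@sample) {
        my @r   = custom_line($l, $log);
        my $hit = @r > 1;
        print $hit ? "MATCH $r[2] ip=$r[1]\n" : "no match\n";
    }
}

1;
```

Running the file directly prints a MATCH line with the captured address for the first two constructed samples and "no match" for the third. With the file in place, restart lfd and confirm the new identifiers show up in lfd.log the same way the [LF_CXS] entry does; if nothing is caught, the usual cause is CUSTOM1_LOG pointing at a different file from the one the ModSecurity lines are written to.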