Mod_security CSF

dev2
Junior Member
Posts: 9
Joined: 21 Nov 2018, 16:51

Mod_security CSF

Post by dev2 »

Hello,

This topic has been mentioned already. I have read all the related posts, I think, and cannot find an answer.

We are running CentOS 7.9, mod_security 3, CSF rules and mod_lsapi. We do see that mod_security is correctly identifying attacks in the cPanel tools. When we look in our CSF logs, we see only about a third of the IPs are being blocked.

Saw mention of the need to create a regex. No clue how to do that. We found some regex here to block mod_ IPs but they don't work. The LF settings are set to "1" to permanently block the IP.

Does anyone have a regex that will block all mod_security IP addresses? Or have a clue what we can do to fix this? We would like all identified attacks to be blocked, not just some of them.

Is it possible to get support from config? How do we go about that?

thanks in advance
Jerry
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Mod_security CSF

Post by Sergio »

@Jerry,
add the following rule to your /usr/local/csf/bin/regex.custom.pm

BE SURE to have set "CUSTOM1_LOG" in csf to: /etc/apache2/logs/error_log

Code:

# BLOCKING ModSec Rules attacks by Secmas
# $1 = client IP (taken from the second "[client ...]" field), $2 = matched rule id
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921|211210|211220|211230|211270|211650|212000|212280|212340|212770|217200|217291|218500|220030|225080|225170|230011|231011|240000|240335|244050|959595|990035|999999|5000135|1010101)"\]/i)) {
    return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1","1");
}
After you save the rule, you have to restart LFD.

DELETE OR ADD RULE IDs as you please, but always obey the "or" notation of the REGEX.
Be DOUBLY CAREFUL to NEVER have "||" (two ORs together) or you will be blocking everything.

DISCLAIMER: I am not responsible in any way if you use the above rule. Use it at your own risk, Sergio.
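A way to check the rule before restarting lfd, as an added example (this is not code from Sergio's post and not part of CSF or ModSecurity): a small Python script that builds the same line pattern from a list of rule IDs, so an empty "||" branch cannot slip in, and runs it over constructed error_log lines to show which lines would produce a block and which would be skipped. The log lines, IPs and hostnames are constructed samples; the layout the pattern expects (two "[client ...]" fields followed by "ModSecurity" and an "[id \"...\"]" tag) is taken from the Perl rule itself, so an error_log line that does not follow that layout is never matched, which is the first thing to compare against a real log line when fewer IPs are blocked than expected.

```python
import re

# Rule IDs copied from the regex.custom.pm rule in the post above. Keeping
# them in a list and joining them with "|" means the alternation can never
# end up with an empty branch (the "||" mistake the post warns about).
RULE_IDS = [
    "210280", "210350", "210380", "210481", "210492", "210710", "210730",
    "210831", "210921", "211210", "211220", "211230", "211270", "211650",
    "212000", "212280", "212340", "212770", "217200", "217291", "218500",
    "220030", "225080", "225170", "230011", "231011", "240000", "240335",
    "244050", "959595", "990035", "999999", "5000135", "1010101",
]


def build_pattern(rule_ids):
    """Compile the same line pattern the Perl rule uses, for the given rule IDs.

    Every ID must be a non-empty string of digits; anything else is rejected
    so a blank entry cannot silently change what the alternation matches.
    """
    for rid in rule_ids:
        if not rid.isdigit():
            raise ValueError("bad ModSecurity rule id: %r" % (rid,))
    ids = "|".join(rule_ids)
    # Same structure as the Perl regex: timestamp, [:error], [pid ...],
    # the two [client ...] fields, "ModSecurity", then the [id "..."] tag.
    return re.compile(
        r'^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] '
        r'\[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(' + ids + r')"\]',
        re.IGNORECASE,
    )


PATTERN = build_pattern(RULE_IDS)


def match_line(line, pattern=PATTERN):
    """Return (client_ip, rule_id) if lfd would block on this line, else None."""
    m = pattern.search(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def scan(lines, pattern=PATTERN):
    """Apply the rule to every line; the result is the set of blocks lfd would make."""
    return [hit for hit in (match_line(l, pattern) for l in lines) if hit]


# Constructed sample error_log lines (not real log data):
#  1. Apache 2.4 + ModSecurity 2 layout with a listed rule id -> would block
#  2. Same layout, rule id not in the list -> ignored by design
#  3. Only one [client ...] field -> ignored; this kind of layout mismatch is
#     what leaves an IP unblocked even though ModSecurity flagged it
SAMPLE_LOG = [
    '[Wed Nov 21 16:51:03.123456 2018] [:error] [pid 12345:tid 1400] '
    '[client 192.0.2.10:54321] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 2). [file "/etc/modsecurity/custom.conf"] [line "1"] '
    '[id "210280"] [msg "constructed sample"] [hostname "www.example.com"]',
    '[Wed Nov 21 16:51:04.000001 2018] [:error] [pid 12345:tid 1400] '
    '[client 203.0.113.5:40000] [client 203.0.113.5] ModSecurity: Warning. '
    '[id "920350"] [msg "constructed sample"]',
    '[Wed Nov 21 16:51:05.000001 2018] [:error] [pid 12345:tid 1400] '
    '[client 198.51.100.7:40001] ModSecurity: Access denied with code 403 '
    '(phase 2). [id "210280"] [msg "constructed sample"]',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("would block %s (rule id %s)" % hit)
```

To test against your own server, replace SAMPLE_LOG with lines read from the file named in CUSTOM1_LOG; a ModSecurity line that returns None from match_line is one the rule will never block, and adjusting the pattern to that line's layout (rather than only adding rule IDs) is what widens coverage.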