Page 1 of 1

atomic rules

Posted: 22 Oct 2022, 19:27
by dev2
Hello,

I have been running these delayed atomic rule sets for some time. I have found out that atomic rule sets are working if I review Mod_security tools. I see Critical messages. I am aware that CSF does not block warnings. In my case Critical notices are not blocking IPs in the CSF firewall. I have checked the rule (331032) severity is set to 5.

I'm at a loss here and wondering if anyone else is having problems blocking IP addresses in CSF triggered by atomic rules? Or anyone can guide me. I pretty much want to block all IPs that are seen in mod_sec tools (cPanel).

Thanks for any help. Also, how can I get help from configserver to login and see what is going on, since I cannot figure it out?
Jerry

Re: atomic rules

Posted: 26 Oct 2022, 06:09
by Sergio
Take a look at this post:
viewtopic.php?t=12529

In there I shared one of my CSF rules that blocks IPs accordingly to the Mod_Security rule that was triggered.

Take a look and tell if that works for you.

Sergio

Re: atomic rules

Posted: 27 Oct 2022, 18:58
by dev2
Hi Sergio,

I have a few weird things going on, that appear un-predictable.

I think the first thing I need to figure out is how to write a regex rule that blocks mod_sec "Warnings" as noted in cPanel mod_sec tools. I read that you have a regex for this and I need to pay for it (I am useless at regex code). I am happy to do so and perhaps we could hire you to check our setup. It looks as if private messaging is disabled here, so can you reach out to me?

The other rule you posted a link to is failing during upload.

CXS uploads are being blocked by mod_sec. They keep trying due to IP not being blocked, even though I have it set correctly. Should mod_sec not block the offending IP first time of a malware upload?

Please ping me so we can setup your services if possible?

Jerry

Re: atomic rules

Posted: 27 Oct 2022, 19:17
by dev2
I am not sure if I have done the right thing. I figured the rule you mentioned above is a CSF Regex and not a mod_security rule. I have added it to the CSF Custom Regex area like this:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(930130|949110)"\]/i)) {
return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
}

The intent is to have mod_sec block IPs that attack using these rules: 930130|949110

I see the attacker getting stopped, but their IPs are still not getting blocked.

LF_MODSEC = "3"
LF_MODSEC_PERM = "1"


This is not working for us either:
LF_CXS = "1"
LF_CXS_PERM = "1"

Centos7/ cPanel/ Modsec2/ CSF/ CXS

Re: atomic rules

Posted: 27 Oct 2022, 19:28
by Sergio
Have you set CUSTOM1_LOG inside CSF?

Sergio

Re: atomic rules

Posted: 27 Oct 2022, 19:54
by dev2
Yes- have I done it wrong?
CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"

Re: atomic rules

Posted: 27 Oct 2022, 20:02
by dev2
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/etc/apache2/logs/modsec_audit.log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/exim_mainlog"
SMTPRELAY_LOG = "/var/log/exim_mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log"
SCRIPT_LOG = "/var/log/exim_mainlog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"

CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"
CUSTOM2_LOG = "/var/log/exim_rejectlog"
CUSTOM3_LOG = "/usr/local/cpanel/logs/access_log"
CUSTOM4_LOG = "/etc/apache2/logs/error_log"
CUSTOM5_LOG = "/usr/local/apache/logs/modsec_audit.log"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"

Re: atomic rules

Posted: 27 Oct 2022, 20:05
by Sergio
I will need at least one log line from that file to test the REGEX rule.

Re: atomic rules

Posted: 28 Oct 2022, 01:05
by dev2
Hi Sergio, a very big thank you for helping me out. Now it makes sense!
AND for introducing me to https://regex101.com/ Off I go to start learning more about regex.

Re: atomic rules

Posted: 28 Oct 2022, 01:23
by Sergio
You are welcome.

I really like CSF FireWall.