BFM Modify ModSecurity rules for block only port 443/80 instead all ports.

castris

I have tried to understand how to modify the custom file so that BFM adds the IP to the deny list, but it ONLY affects the HTTP ports, that is, 80 and 443.

And I can't find it.

Well, I'm not even sure it can be done anymore with BFM.

On CSF it is easy to configure this.
 
modsecurity works only on webserver DA do not use main webserver to serve the panel
 
@DanielP What are you talking about? I'm talking about BFM (Brute Force Monitor) and CSF Firewall and question about deny for IP to deny for service.
 
Title has modsecurity in it - BFM Modify ModSecurity rules for block only port 443/80 instead all ports.
 
Maybe my English is bad... but not that bad.

BFM > When ModSecurity gets an issue > Block all ports. And I would like to block only 80/443 (the ports of the web server).

> ModSecurity works only on the web server. DA does not use the main web server to serve the panel

"The Importance of a dot"

See you around.
 
The heat wave is crazy in my current location ....

I think it works the other way around: when ModSecurity is triggered x times, CSF reads the logs and blocks because LF_MODSEC is enabled, and then the block is just registered by BFM.
 
The heat is hard here too.

I already know what you're telling me.
The thing is that currently the DirectAdmin BFM blocks the IP in a general way.

And CSF natively supports that an IP is blocked by the affected ports or those that are told to it. This is how it works, if it were the manager of the mod security blocks. You could say to it:

"Hey CSF, if the block is due to Mod Security, put this IP in a temporary block for XXXX seconds, on ports 80,443"

That's the question. How to do it or if it's even possible, to do it by configuring BFM.

May the heat be mild for you.
 
There is no config for this logic. DirectAdmin just uses the CLI to interact with CSF to completely block the IP, the same as the other filters in BFM.
 
OK. Is there any way to get this kind of improvement to the DirectAdmin team?

It is very deficient in my opinion, that BFM blocks the activity of all ports instead of the affected ones, leaving the user without the possibility of accessing the panel itself, where he can manage the blocking, and the affected rules.

A service, whose fine-tuning is very particular, complex and that also only affects a specific service, the web, with the specific ports 80,443, has as a result the ban of the IP in all ports, when BFM, relies on CSF Firewall for its work.

That is, CSF Firewall, allows the banning by ports, and yet BFM is not effective by not using that possibility.

IMHO
 
Yes, it has been a bad idea for a long time. It's not fully integrated with CSF.

But you can create customized rules for yourself ... and that needs programmer skills.


example my case on csf.dyndns

I just use programmer skills to create workaround for my server. With this, I can decide which one should block all port or block some port.

p.s. No script/tutorial sharing for this, just make them by yourself.
 
I already put my mind to it this morning and there is a small script that changes the lines of `BFM: mod_security` to
`tcp|in|d=80,443|s=IP.IP.IP.IP`

Now it remains to be seen if BFM, when evaluating the life time of the lines, automatically deletes them, or if when the line is modified I ate something, and I will have to add the cleanup on my part.

Anyway, the best thing is that the "team" will take into consideration what has been expressed, or that there will be a page to request improvements.

Thanks for reply, @Ohm J
 
> I already put my mind to it this morning and there is a small script that changes the lines of `BFM: mod_security` to
> `tcp|in|d=80,443|s=IP.IP.IP.IP`
>
> Now it remains to be seen if BFM, when evaluating the life time of the lines, automatically deletes them, or if when the line is modified I ate something, and I will have to add the cleanup on my part.
>
> Anyway, the best thing is that the "team" will take into consideration what has been expressed, or that there will be a page to request improvements.
>
> Thanks for reply, @Ohm J

Actually, that is a good idea to work as a one-liner with sed and cron.
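The rewrite discussed in the posts above, as an added example (not castris's script and not DirectAdmin or CSF code): it turns full-IP deny entries tagged `BFM: mod_security` into the port-scoped form `tcp|in|d=80,443|s=IP`. The entry layout `<IPv4> # ... BFM: mod_security ...`, the sample lines and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Assumption: a BFM ModSecurity block is stored as
#   <IPv4> # ... BFM: mod_security ...
# (constructed layout; check it against your own deny list first).
WEB_PORTS="80,443"

# stdin: deny-list lines; stdout: same list with matching entries rewritten
# as CSF advanced filters limited to WEB_PORTS. Lines with another BFM
# reason, already-scoped lines and IPv6 entries pass through unchanged.
scope_modsec_lines() {
    sed -E "/BFM: mod_security/ s/^[[:space:]]*(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]*#.*)\$/tcp|in|d=${WEB_PORTS}|s=\1\3/"
}

# Rewrite FILE in place, keeping FILE.bak.
# Returns 0 if something changed, 1 if nothing changed, 2 on error, so a
# cron wrapper can reload the firewall only when needed.
apply_to_file() {
    file=$1
    tmp=$(mktemp) || return 2
    if ! scope_modsec_lines < "$file" > "$tmp"; then rm -f "$tmp"; return 2; fi
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    rc=0
    { cp "$file" "$file.bak" && cat "$tmp" > "$file"; } || rc=2
    rm -f "$tmp"
    return $rc
}

# Constructed sample input (documentation address ranges).
sample_deny() {
cat <<'EOF'
203.0.113.7 # BFM: mod_security - constructed sample
198.51.100.9 # BFM: dovecot1 - constructed sample
tcp|in|d=80,443|s=192.0.2.44 # BFM: mod_security - already scoped
2001:db8::5 # BFM: mod_security - IPv6 left untouched
EOF
}
```

From cron this would be called as `apply_to_file /etc/csf/csf.deny && csf -r`, assuming the BFM entries land in that file. Whether BFM still expires a line after it has been rewritten is the open question raised in the thread, so cleanup may have to be handled separately.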
 