BFM mod_security2, exim, dovecot1

inomi13

In BFM I see a lot of the information below, but I don't know how the counters work. I have read the DA docs (Brute Force Monitor: modsec_audit.log Mod_Security) but I don't understand them.

Can anybody explain it to me? Many of my clients are getting blocked, and usually I see the position BFM: mod_security2=50. When I ask them what they do, they say nothing, or that they are working in the WordPress admin panel. I have a big problem because I can't catch where the issue is :(

  • BFM: dovecot1=100 (US/United States/xxxxxxxxxxx)
  • BFM: exim1=100 (LT/Lithuania/xxxxxxxxxxxxxxxxx)
  • BFM: mod_security2=50 (RU/Russia/xxxxxxxxxxxx)
 
It counts 100/2 = 50; 100 = brute-force count before blocking.

See that exim1=100, so modsecurity will use half the value of that setting.

Nowadays there is still no separate setting for modsecurity and brute-force protection. It still uses the same setting as the brute-force count, but only half of that value is used for modsecurity.

If it is a false positive, your customer can disable modsecurity from the DA panel (:2222).
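As an added example (not DirectAdmin's own code), the following Python model shows the counting rule described above: every logged hit for a service is counted per IP within brute_force_time_limit, exim1 and dovecot1 use the full brute-force count, and mod_security2 uses half of it. The time-limit value, IP addresses and log events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed model of the counting rule described in this thread, not DirectAdmin's code.
# brute_force_count applies in full to exim1 and dovecot1; mod_security2 uses half of it.
BRUTE_FORCE_COUNT = 100
BRUTE_FORCE_TIME_LIMIT = 1200  # seconds; constructed stand-in for the DA time-limit setting

def threshold_for(service, brute_force_count=BRUTE_FORCE_COUNT):
    """Return the per-IP hit count that triggers a BFM block for this service."""
    if service == "mod_security2":
        return brute_force_count // 2   # e.g. 100 -> 50, as in "BFM: mod_security2=50"
    return brute_force_count            # exim1, dovecot1, ... use the full value

def bfm_blocks(events, brute_force_count=BRUTE_FORCE_COUNT, time_limit=BRUTE_FORCE_TIME_LIMIT):
    """events: iterable of (epoch_seconds, service, ip) sorted by time.
    Every logged hit counts, including ordinary WordPress admin requests that
    happen to trip a ModSecurity rule. Returns {(service, ip): hits_at_block}."""
    windows = defaultdict(deque)
    blocked = {}
    for ts, service, ip in events:
        key = (service, ip)
        if key in blocked:
            continue
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > time_limit:  # drop hits older than the window
            q.popleft()
        if len(q) >= threshold_for(service, brute_force_count):
            blocked[key] = len(q)
    return blocked

def format_bfm(blocked):
    """Render like the BFM lines quoted in the thread: 'BFM: mod_security2=50 (ip)'."""
    return [f"BFM: {svc}={hits} ({ip})" for (svc, ip), hits in sorted(blocked.items())]

# Constructed sample: 50 ModSecurity hits from one IP (an admin clicking around wp-admin),
# 99 exim1 failures from another (one short of the full threshold), and 100 dovecot1
# hits spread 2000 s apart so that no two ever fall inside the same window.
SAMPLE_EVENTS = sorted(
    [(1000 + i, "mod_security2", "198.51.100.10") for i in range(50)]
    + [(1000 + i, "exim1", "203.0.113.7") for i in range(99)]
    + [(1000 + i * 2000, "dovecot1", "192.0.2.5") for i in range(100)]
)

if __name__ == "__main__":
    for line in format_bfm(bfm_blocks(SAMPLE_EVENTS)):
        print(line)
```

Only the mod_security2 source is blocked: 50 hits reach the halved threshold, while the exim1 and dovecot1 sources stay under the full count within any one window.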
 
Thanks for the clarification, but how does mod_security count this? The number of page refreshes over time? I don't know what my clients do wrong.
 
Yes, it counts every request. You can see the log of when modsec triggered a count in the DA panel (Admin -> Server Manager -> Modsecurity -> Log tab).
 
So if I set "Block IP for exceeded number of DA login attempts" in DA to after 100 unauthorized connections, will the IP address be blocked when a client refreshes a page 100 times within brute_force_time_limit?
 
Nope, it is just half the value when used for modsecurity: 100 / 2 = 50 times.

There are 2 sections. The first is used to protect the :2222 panel. Scroll down, and the second is used to protect all possible services.

Maybe the section is named "Notify Admins after an IP has".
 
I still don't understand. Can you explain it to a simple man? My clients only log in to the WordPress page. They don't have access to other services on this server.

Do you have any documentation about how mod_security counting works?
 
In (Admin -> Server Manager -> Modsecurity -> Log tab) I can see request lines and the client ID (IP address). Am I right in thinking that if there are 50 items from one IP address in the Modsecurity -> Log tab, the IP address will be blocked?


Is this value for modsecurity taken from the value "100 unauthorized connections" in Admin Settings -> Security Settings?


In the CSF configuration I have the position below. What does it mean?
Yes, but that setting is just used to protect the DA login (:2222). It should be "Notify Admins after an IP has".

CSF Firewall doesn't do anything; the block is triggered from BFM.
 
In my case the Modsecurity tab is missing entirely. Any ideas? (Sorry to disturb the thread)
 
Yes, but that setting is just used to protect the DA login (:2222). It should be "Notify Admins after an IP has".
CSF Firewall doesn't do anything; the block is triggered from BFM.

So for example, if I see the following entries from the same IP in
(Admin -> Server Manager -> Modsecurity -> Log tab), will Modsecurity count this as 3 hits? And then when an IP address has 50 entries, will this IP be blocked?
  • POST /wp-admin/admin.php?page=import-code-snippets HTTP/2.0
  • GET /wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.9.1 HTTP/2.0
  • GET /wp-admin/plugin-install.php HTTP/2.0
If that's so, modsecurity doesn't work very well, because it counts everything I do in the WordPress backend: every page opened in Elementor, installing/uninstalling plugins, etc.
 
That's right. I don't know which rules you use, but the OWASP rules have too many false positives; I recommend using the COMODO rules. And if you think it is still a false positive, you can tune the rules yourself, like excluding one of the rules from checking.
 
For a test I clicked around in the WordPress panel; after 50 hits mod_security2 blocked my IP address. I don't want to create rules, but I want to change a parameter that will give me more hits.

There are a lot of parameters in httpd-modsecurity.conf but I don't know which one I should change. Can someone explain or give a suggestion?
 