How to ban IPs in CSF for ModSecurity violations?

beansbaxter

Verified User
Joined
Mar 17, 2004
Messages
196
Location
WA
How can I create a custom rule in CSF that will automatically ban an IP address that violates a ModSecurity rule?

I've tried multiple things, and read through the DA documentation, but cannot find a solution.

For example, I want to create a CSF rule that automatically blocks any IP that tries to check for .env, violating ModSecurity rule 210492. I edited /usr/local/csf/bin/regex.custom.pm and added this rule:

Code:
# "[client <ip>] ModSecurity: ... [id "210492"]" occurs in both the Apache and the nginx error log,
# so this no longer depends on the Apache-only "[date] [:error] [pid ...] [client ip:port]" prefix
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[client ([^\]]+)\] ModSecurity:.*\[id "(210492)"\]/i)) {
        # six return values, as in the file's own example: log text, IP, app name, trigger count, ports ("" = all), perm/temp flag
        return ("mod_security attack id $2",$1,"ENV ModSec","1","","1");
    }

Restarted CSF. Looking at the logs 24 hours later, I see this is not working.

Reading through the DA documentation for CSF and ModSecurity, and the way it's worded, it appears this only works with Apache. I am running Nginx with ModSecurity, no Apache. The documentation says this feature doesn't always work, but this is citing a CSF link from 2017. DA also references this Brute Force Monitor feature:


But looking at my directadmin.conf, there is no brute_force_scan_mod_security_logs option.

The closest thing I see is a brute_force_scan_apache_logs option, however this says Apache, and I assume not relevant for Nginx systems?

I don't know what else to try.

My CSF configuration currently shows:
Code:
[*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = 5
LF_MODSEC_PERM = 1

If it matters, I'm running EL8 with the most recent versions of DA, CSF, and Nginx.

Any help or direction would be greatly appreciated.
 

sahostking

Verified User
Joined
Jan 29, 2021
Messages
75
Location
South Africa
Did you add monitoring of all the .log files too? I see you referencing CUSTOM1_LOG.

We have the below in ours.

Code:
CUSTOM1_LOG = "/var/log/httpd/domains/*.log"

The regex you created is looking at CUSTOM1_LOG so I assume the above may help in this regard.

Hope it helps
 
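As an added example (an editor's addition, not code from either poster or from CSF), the detection logic below runs in Python over two constructed log lines, one in the Apache 2.4 + ModSecurity 2 error-log shape and one in the nginx + ModSecurity v3 error-log shape. It shows why the regex from the first post, which requires Apache's `[date] [:error] [pid N] [client ip:port] [client ip]` prefix, never fires on an nginx line, and replaces it with a pattern keyed on the `[client <ip>] ModSecurity: ... [id "<rule>"]` fragment that both formats share. The `blocks_after` helper replays the per-IP hit counting that the trigger-count return value in regex.custom.pm controls. The sample lines, the file paths inside them, the `RULE_IDS` set and the function names are all assumptions made for this example; the pattern string uses only syntax common to Python's `re` and Perl, so it can be pasted into the `$line =~ /.../` test in regex.custom.pm unchanged.

```python
import re
from collections import Counter

# Constructed sample lines (not copied from any real log).  APACHE_LINE has the
# shape Apache 2.4 + ModSecurity 2.x writes; NGINX_LINE has the shape nginx +
# the ModSecurity v3 connector writes.  Both carry the same
# '[client <ip>] ModSecurity: ... [id "<rule>"]' core, which is what we key on.
APACHE_LINE = (
    '[Tue Jan 09 10:11:12.123456 2024] [:error] [pid 1234:tid 140000] '
    '[client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied '
    'with code 403 (phase 2). Pattern match "\\.env$" at REQUEST_FILENAME. '
    '[file "/etc/httpd/modsecurity.d/custom.conf"] [line "12"] [id "210492"] '
    '[msg "Attempt to access .env"] [hostname "example.com"] [uri "/.env"] '
    '[unique_id "Zb4Xc2FtcGxlAAAA"]'
)
NGINX_LINE = (
    '2024/01/09 10:11:12 [error] 1234#1234: *7 [client 203.0.113.5] ModSecurity: '
    'Access denied with code 403 (phase 2). Matched "Operator `Rx\' with parameter '
    '`\\.env$\' against variable `REQUEST_FILENAME\' (Value: `/.env\' )" '
    '[file "/etc/nginx/modsec/custom.conf"] [line "12"] [id "210492"] [rev ""] '
    '[msg "Attempt to access .env"] [data ""] [severity "2"] [hostname "203.0.113.10"] '
    '[uri "/.env"] [unique_id "170480000000.123456"] [ref ""], client: 203.0.113.5, '
    'server: example.com, request: "GET /.env HTTP/1.1", host: "example.com"'
)
# Same request, but a different rule id: must not count toward the block.
OTHER_RULE_LINE = NGINX_LINE.replace('[id "210492"]', '[id "999999"]')

# The regex from the post, unchanged: it requires Apache's
# "[date] [:error] [pid N] [client ip:port] [client ip]" prefix.
APACHE_ONLY = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] '
    r'\[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210492)"\]',
    re.IGNORECASE,
)

# Hypothetical rule set: the ModSecurity rule ids that should earn a block.
RULE_IDS = {"210492"}


def modsec_pattern(rule_ids):
    """Build a format-agnostic pattern for the given rule ids.

    It keys on the "[client <ip>] ModSecurity:" fragment that directly precedes
    the message text in both log formats, so Apache's port-suffixed first
    "[client ip:port]" is skipped automatically (it is not followed by
    " ModSecurity:").  The pattern text uses only syntax shared by Python and
    Perl, so it can be pasted into the $line =~ /.../ test in regex.custom.pm.
    """
    ids = "|".join(re.escape(i) for i in sorted(rule_ids))
    return re.compile(r'\[client ([^\]]+)\] ModSecurity:.*\[id "(' + ids + r')"\]')


def match_modsec_hit(line, rule_ids=RULE_IDS):
    """Return (client_ip, rule_id) if line is a hit for one of rule_ids, else None."""
    m = modsec_pattern(rule_ids).search(line)
    return (m.group(1), m.group(2)) if m else None


def blocks_after(lines, trigger=1, rule_ids=RULE_IDS):
    """Replay lfd's per-IP counting over a batch of lines.

    `trigger` plays the role of the trigger-count return value in
    regex.custom.pm: an IP is reported once its hit count reaches it.
    Returns a list of (ip, rule_id) for IPs that crossed the threshold.
    """
    hits = Counter()
    blocked = []
    for line in lines:
        hit = match_modsec_hit(line, rule_ids)
        if hit is None:
            continue
        ip, rule_id = hit
        hits[ip] += 1
        if hits[ip] == trigger:
            blocked.append((ip, rule_id))
    return blocked


if __name__ == "__main__":
    for name, line in (("apache", APACHE_LINE), ("nginx", NGINX_LINE)):
        print(name, "post's regex:", APACHE_ONLY.search(line) is not None,
              "format-agnostic:", match_modsec_hit(line))
    print("blocked after 2 hits:",
          blocks_after([NGINX_LINE, OTHER_RULE_LINE, NGINX_LINE], trigger=2))
    print("paste into regex.custom.pm:", modsec_pattern(RULE_IDS).pattern)
```

Two things to check alongside the pattern: CUSTOM1_LOG has to name the log that nginx's ModSecurity actually writes to (the nginx error log, not the /var/log/httpd path from the reply above), and if your copy of regex.custom.pm shows `$globlogs{CUSTOM1_LOG}{$lgfile}` in its header example, use that test instead of `$lgfile eq $config{CUSTOM1_LOG}` when CUSTOM1_LOG is a wildcard, since the wildcard string will never equal an individual file name. Before restarting lfd, `grep -F 'ModSecurity:' /path/to/nginx/error.log | grep -F '[id "210492"]'` confirms that the rule is being logged to that file at all.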