How to ban IPs in CSF for ModSecurity violations?

beansbaxter · Jan 21, 2023

How can I create a custom rule in CSF that will automatically ban an IP address that violates a Mod Security rule?

I've tried multiple things, and read through the DA documentation, but cannot find a solution.

For example, I want to create a CSF rule that automatically blocks any IP that tries to check for .env violating Mod Security rule 210492. I edited /usr/local/csf/bin/regex.custom.pm and added this rule:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210492)"\]/i)) {
        return ("mod_security attack id $2",$1,"ENV ModSec","1","1");
    }

Restarted CSF. Looking at the logs 24 hours later, I see this is not working.

Reading through the DA documentation for CSF and ModSecurity, and the way it's worded, it appears this only works with Apache. I am running Nginx with Mod Security, no Apache. The documentation says this feature doesn't always work, but this is citing a CSF link from 2017. DA also references this Brute Force Monitor feature:

Version 1.61.4 | Directadmin Docs

DirectAdmin Knowledge Base

www.directadmin.com

But looking at my directadmin.conf, there is no brute_force_scan_mod_security_logs option.

The closest thing I see is a brute_force_scan_apache_logs option, however this says Apache, and I assume not relevant for Nginx systems?

I don't know what else to try.

My CSF configuration currently shows:

Code:

[*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = 5
LF_MODSEC_PERM = 1

If it matters, I'm running EL8 with the most recent versions of DA, CSF, and Nginx.

Any help or direction would be greatly appreciated.

sahostking · Jan 25, 2023

Did you add monitoring of all the .log files too? I see you referencing CUSTOM1_LOG

We have the below in ours.

CUSTOM1_LOG = "/var/log/httpd/domains/*.log"

The regex you created is looking at CUSTOM1_LOG so I assume the above may help in this regard.

Hope it helps

dataonline.vn · Jan 15, 2025

I don't know which rule is blocking
csf.deny: 118.70.100.161 # BFM: mod_security1=82 (VN/Vietnam/-) - Tue Jan 14 09:37:59 2025

zEitEr · Jan 16, 2025

dataonline.vn said:
BFM

Bute Force Monitor is part of Directadmin. But if you want to disable a mod security rule, the block the IP, you will need to check mod security logs for more details.

How to ban IPs in CSF for ModSecurity violations?

beansbaxter

Verified User

Version 1.61.4 | Directadmin Docs

sahostking

Verified User

dataonline.vn

Verified User

zEitEr

Super Moderator