IPs are not blocked in csf/lfd after error code in modsecurity (Openlitespeed + Modsecurity + csf)

Axanti (Verified User, joined Jan 9, 2021, 21 messages, Canada)
Hello,
Before posting this problem, I tried to resolve it without success.
The current server configuration: openlitespeed + modsecurity with owasp and csf as software firewall.
The modsecurity protection works fine with a 403 error if I attempt URL access with this:
Code:
http://www.domain.com/?r=/etc/passwd
On the other hand, the firewall does not block the IP address, despite the fact that the LF_MODSEC option is > 0 (5 by default). The default log file scanned by CSF is /var/log/httpd/error_log, but the ModSecurity error entries are not there, only in /var/log/httpd/modsec_audit.log. It is therefore logical that csf does not block the IPs from intrusion attempts and other code injections via the URL, because the entries are not there. I tried to put /var/log/httpd/modsec_audit.log in MODSEC_LOG in csf, but that doesn't work either; for sure I'm not a pro ...

I come from the CPanel world and like many, after increasing licensing costs I turned to another solution.
I had already considered DirectAdmin but due to lack of time, I had not tested this product.

Today I find DirectAdmin very good, but some points like the one above bother me a lot.
So what should be done in order to tell csf to look at the logs in the right place, so that it blocks the IPs from intrusion attempts by URL?
Am I in the right place to troubleshoot? Otherwise, I will definitely need to 'tweak' a csf regex rule in order to alleviate this problem.
Is this a problem only with the openlitespeed web server?

Anyway, if someone could help me out or give me a tip, that would be greatly appreciated.

Thanks and sorry for my fairly average english!
 
I can't help you directly, but CSF is not part of DirectAdmin, just as it's not part of cPanel, which it was developed for in the beginning.
You don't need to be a pro to change the modsec logfile in CSF. I presume you restarted both csf and lfd after the change.

Today I find DirectAdmin very good, but some points like the one above bother me a lot.
CSF is not part of DirectAdmin. It's a choice to use it or not. It was designed for cPanel in the beginning, and it's a service that can be integrated automatically with DA.
If this does not work as it should, you might want to consider posting the issue on the CSF forum, where the creators can fix bugs.

You could tweak a regexp rule and use the CUSTOM_LOG options in CSF.
However, it might be better to ask over at CSF, because if this is indeed limited to OLS, they are the best party to fix this for everybody.
 
Hello Richard,
Thanks for your reply, but actually the more I search, the more I realize that the 403 errors generated by openlitespeed (due to modsecurity rules) don't even appear in the /var/log/httpd/error_log file...
So I think it is more of a problem with openlitespeed than anything else.
Does anyone have this concern with the paid version, i.e. litespeed enterprise + modsecurity + csf?

There is this post which reflects the concern a little, except that for my part, the errors do not appear in the file /var/log/httpd/error_log:
https://forum.configserver.com/viewtopic.php?t=11811
 
By default (at least it used to) csf/lfd only checks: /var/log/httpd/error_log /var/log/nginx/error_log
You can skip nginx if you don't use nginx.
So it does not check your error logs for your domains.
So make sure you include them in HTACCESS_LOG = /var/log/httpd/error_log /var/log/nginx/error_log /var/log/httpd/domains/*.error.log /var/log/nginx/domains/*.error.log

And MODSEC_LOG = /var/log/nginx/error_log /var/log/nginx/domains/*.error.log

The log locations may vary depending on the OS and webserver configuration used.
The examples I provided are for CentOS 8 and DA.

When properly configured lfd will process these log files and block them accordingly to your settings in csf.

If this still does not work, the log files are not recognized by the predefined regex rules in csf/lfd.
Then try this:
Edit /usr/local/csf/bin/regex.custom.pm and add the following, after carefully reading where to edit:
Code:
#mod_security v2 (nginx) custom Wanabo, changed date time regex to match the error log files.
# Matches "YYYY/MM/DD HH:MM:SS ... [client IP] ModSecurity: ... Access denied" lines
# and reports the client IP to lfd under the LF_MODSEC trigger.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2} .* \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied/)) {
    my $ip = $1;
    my $acc = "";
    my $domain = "";
    # Pick up the virtual host from the [hostname "..."] field when present.
    if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
    # Strip the IPv4-mapped IPv6 prefix so the address matches csf's IPv4 handling.
    $ip =~ s/^::ffff://;
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
    if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip|$acc|$domain","mod_security")} else {return}
}
 
BFM should detect ModSecurity failures, are you sure detection is enabled?
 
Hello Wanabo,
As I mentioned above, the errors related to modsecurity do not appear in the domain error files (for me, with openlitespeed: /var/log/httpd/domains/domainname.com.error.log), nor in the general error file (for me /var/log/httpd/error_log), but I do have a trace of the error in the domain log file (/var/log/httpd/domains/domain.com.log):
Code:
xxx.xxx.xxx.xxx - - [20/Apr/2021:13:59:02 -0400] "GET /?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36"
I have a 403 error which appears on the web page, and it appears in the modsecurity file (/var/log/httpd/modsec_audit.log).
Certainly I could work around the problem by using a regex in csf/lfd, but that doesn't explain why modsecurity errors don't show up in the error files ...
So, as it is a test server, I will change the web server, for example to apache, and see if the modsecurity errors are displayed in the error files; I will then switch back to openlitespeed ... We will see.
I'll get back to you. I still find it an interesting problem; maybe other people also have it.
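As an added example (not code from this thread, from csf or from OpenLiteSpeed), the Python script below applies the two patterns this thread deals with, Wanabo's ModSecurity error-log regex and the OpenLiteSpeed domain access log 403 line Axanti posted, to constructed sample lines and tallies denials per IP the way LF_MODSEC would, so a rule can be checked offline before it goes into regex.custom.pm. The sample addresses, the rule id and the threshold are assumptions.

```python
import re
from collections import Counter

# Pattern 1: the nginx-style ModSecurity "Access denied" entry that the
# regex.custom.pm rule in the thread expects (same regex, Python syntax).
MODSEC_ERROR_RE = re.compile(
    r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} .* \[client (\S+)\] '
    r'ModSecurity:(( \[[^]]+\])*)? Access denied')
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
HOSTNAME_RE = re.compile(r'\] \[hostname "([^"]+)"\] \[')

# Pattern 2: an OpenLiteSpeed domain access log line that ended in a 403,
# the only trace of the block that the thread found on OLS.
OLS_ACCESS_403_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" 403 ')

# Constructed sample lines (not from a real server); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LINES = [
    '2021/04/20 13:59:02 [error] 1234#0: *5 [client 203.0.113.7] ModSecurity: '
    'Access denied with code 403 (phase 2). Matched "Operator Rx" at ARGS:r. '
    '[id "930120"] [msg "OS File Access Attempt"] [hostname "www.domain.com"] [uri "/"]',
    '203.0.113.7 - - [20/Apr/2021:13:59:02 -0400] "GET /?q=%22%3E%3Cscript%3Ealert(1)'
    '%3C/script%3E HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2021:13:59:05 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Apr/2021:14:00:00 -0400] "GET /wp-admin/ HTTP/1.1" 403 0 "-" "curl/7.68.0"',
]

def parse_line(line):
    """Return (ip, rule_id, domain, source) for a ModSecurity denial, else None."""
    m = MODSEC_ERROR_RE.search(line)
    if m:
        ip = re.sub(r'^::ffff:', '', m.group(1))  # strip IPv4-mapped prefix, as the Perl rule does
        rule = RULE_ID_RE.search(line)
        host = HOSTNAME_RE.search(line)
        return (ip, rule.group(1) if rule else "unknown",
                host.group(1) if host else "", "modsec_error_log")
    m = OLS_ACCESS_403_RE.search(line)
    if m:
        return (re.sub(r'^::ffff:', '', m.group(1)), "unknown", "", "ols_access_log")
    return None

def count_denials(lines, threshold=5):
    """Tally denials per IP; return (counts, IPs at/above threshold), like LF_MODSEC."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit:
            counts[hit[0]] += 1
    return counts, sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts, blocked = count_denials(SAMPLE_LINES, threshold=2)
    print(dict(counts), blocked)  # {'203.0.113.7': 2, '198.51.100.9': 1} ['203.0.113.7']
```

A line that neither pattern matches is exactly the case in this thread: lfd sees nothing to count, so no block follows.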
 
Hi!
I come back with news: I changed the webserver to apache, and the modsecurity errors show up in the domain name error file (/var/log/httpd/domains/domainname.com.error.log) and the IP is blocked by csf/lfd.
So I'm going to put the openlitespeed web server back on, to be continued!
 
After:
Here I just switched back to openlitespeed, and the modsecurity errors do not register in the domain name error file like they do with the apache web server.
So I will report this problem to litespeed () to see if it is not an adjustment to be made in the configuration file or elsewhere ...
I keep you informed.
 
I have the same problem: the server is blocking the IP, but these blocks are not shown in csf, and I also have brute_force_scan_mod_security_logs = 1 active. My clients use WordPress sites with Elementor, which use JSON, and the blocking is constant.
 