Scan for SQL injection with Brute Force Monitor

Freddy (Verified User; joined Apr 14, 2016; 119 messages)
Is it possible to scan access-log files from all users for SQL injection attacks? I want to block attackers after X amount of malicious URL requests if possible.
One of my users was attacked and the rate of the attack brought the server to its knees. The "Web Usage Log" showed me requests like these:
Code:
xx.xx.xxx.xx - - [11/Jan/2021:14:35:08 +0100] "GET /subdir/'%20%20%20image['data-large_image']%20%20%20'%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(79,73,121,98,87,65,117,81,65),1),name_const(CHAR(79,73,121,98,87,65,117,81,65),1))a)%20--%20%27x%27=%27x HTTP/1.1" 404 17873 "-" "Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101

Or will this type of detection be too costly for the server to process? I can understand that usage logs generate a lot of data, so scanning them will be no easy job.
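The kind of scan the opening post asks about, as an added example that is not code from the thread, BFM or DirectAdmin: it parses combined-format access-log lines, percent-decodes the request target (twice, so double-encoded payloads are caught), flags targets that match a few SQL-injection indicators, and lists the source IPs that reach an assumed threshold. The regexes, the threshold and the log lines (RFC 5737 test addresses, one line modelled on the request quoted above) are constructed for the example.

```python
"""Scan combined-format access logs for SQL-injection-looking requests and
list source IPs that exceed a threshold.

Added example (not from the forum thread, BFM or DirectAdmin); the patterns
and threshold are assumptions, and the sample log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r"(?P<status>\d{3})"
)

# Heuristic SQLi indicators, applied to the percent-decoded request target.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*\(?\s*\d*\s*,?\s*\d*\)?\s*=", re.I),  # ' or (1,2)=   /  ' or 1=
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\bselect\b.{0,40}\bfrom\b", re.I),              # select*from(...)
    re.compile(r"\bname_const\s*\(", re.I),                      # MySQL error-based probe
    re.compile(r"\bchar\s*\(\s*\d+\s*,", re.I),                  # CHAR(79,73,...) encoding
    re.compile(r"\bsleep\s*\(\s*\d+", re.I),                     # time-based probe
]


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode the request target; a second round catches %2527-style double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def looks_like_sqli(target: str) -> bool:
    """True when the decoded target matches any of the SQLi indicators."""
    decoded = decode_target(target)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def parse_line(line: str):
    """Split one access-log line into ip/time/method/target/status, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def offenders(lines, threshold: int = 3) -> dict:
    """Return {ip: count} for IPs with at least `threshold` SQLi-looking requests."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_sqli(rec["target"]):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (RFC 5737 addresses); line 1 mirrors the request quoted in the post.
SAMPLE_LOG = [
    "203.0.113.5 - - [11/Jan/2021:14:35:08 +0100] \"GET /subdir/'%20%20%20image['data-large_image']%20%20%20'%27%20or%20(1,2)=(select*from(select%20name_const(CHAR(79,73,121,98,87,65,117,81,65),1),name_const(CHAR(79,73,121,98,87,65,117,81,65),1))a)%20--%20%27x%27=%27x HTTP/1.1\" 404 17873 \"-\" \"Mozilla/5.0\"",
    '203.0.113.5 - - [11/Jan/2021:14:35:09 +0100] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2021:14:35:10 +0100] "GET /index.php?id=1%2527%2520or%25201%253D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2021:14:36:00 +0100] "GET /blog/select-your-plan HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Jan/2021:14:36:01 +0100] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import sys
    # Pass a log path to scan a real file; with no argument the constructed sample is used.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, n in offenders(source, threshold=3).items():
        print(f"{ip}\t{n} SQLi-looking requests")
```

On the cost question: the scan is one regex pass per line, so the expensive part is re-reading whole logs; run it over new lines only (tail the log, or remember the last offset) and it stays cheap. The third sample line only matches because of the second decoding round; a single `unquote` would miss it.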
 
Try out Suricata or Snort; you can integrate them with the firewall (works with CSF) to auto-block IPs based on those rules. Definitely having this type of IDS/IPS installed can reduce server performance, but it's peace of mind to have one.
 
Don't know if it's possible with BFM, but it is certainly possible with ConfigServer Firewall (csf/lfd) in combination with ModSecurity.
 
BFM also scans ModSecurity logs.
Sounds like a good option. I assume the admin settings also work for this type of scan, so an IP only gets blacklisted when it hits the number in the "Notify Admins after an IP has" limit? And does ModSecurity work the same when running nginx_apache?

Any downsides to installing ModSecurity? Will there be a large performance penalty on page loads?
 
I have installed ModSecurity on one of my servers with these commands:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity
./build modsecurity_rules
./build rewrite_confs
I have tested some malicious URLs and it seems to work. But when I check my BFM I don't see any log entries showing me an attack was detected. I am running CSF on that server. Do I need to install anything else before BFM picks up the attack? My goal is to block IP addresses that attack the server with SQL injection.
 
https://www.directadmin.com/features.php?id=2861 - is your version of DA at least 1.61.4? If yes, try enabling the feature in directadmin.conf.
That works!

Now that I have a basic setup running I would like to customize the OWASP ruleset. My start was to copy *.conf and *.data from /etc/modsecurity.d to /usr/local/directadmin/custombuild/custom/modsecurity/conf. After that I ran:
Code:
./build set modsecurity_ruleset no
./build modsecurity_rules
./build rewrite_confs
The build completes successfully, but now I get an HTTP 500 error on all page loads. I can't find any log file with an error related to that 500 error, so I'm completely in the dark. Rebuilding modsecurity_ruleset with owasp and everything works fine again. Am I starting my custom ruleset in the wrong way?
 
I finally found the error I was looking for.
Code:
2021/01/12 14:13:28 [error] 16604#0: *2 [client xx.xx.xx.xx] ModSecurity: Access denied with code 500 (phase 1). Matched "Operator `Eq' with parameter `0' against variable `TX:crs_setup_version' (Value: `0' ) [file "/etc/modsecurity.d/REQUEST-901-INITIALIZATION.conf"] [line "53"] [id "901001"] [rev ""] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "xx.xx.xx.xx"] [uri "/"] [unique_id "161045720818.859822"] [ref ""], client: xx.xx.xx.xx, server: <HIDDEN_HOSTNAME>, request: "HEAD / HTTP/1.0", host: "xx.xx.xx.xx"
I learned that I forgot to copy the crs-setup.conf.main file. My custom ruleset no longer generates the 500 server error and I can continue my tests.
 
I am very sorry but I have another question. 😬
I have my ModSecurity up and running and I can see the attacks showing up in the BFM Log Entry list. But the source IP addresses of the attack are not being counted as "Login failures". So it doesn't seem to matter how many attacks an IP throws at the server, it will never get blocked. Look at this screenshot for an example.

[screenshot attachment 1610523946582.png: BFM log entries showing the ModSecurity hits without login-failure counts]

So how can I configure BFM or ModSecurity so that it actually blocks an IP address when it hits the configured limit?
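The counting the last post is missing, written out as an added example that is not code from the thread, BFM, CSF or DirectAdmin: it parses nginx error-log lines in the layout quoted earlier in the thread, counts only the "Access denied" verdicts per client IP (a "Warning." line is a rule match that did not block, so it is skipped), excludes hits on rule 901001 (the "deployed without configuration" error from the 500 problem, which is a setup fault rather than an attack), and reports the IPs that reach an assumed limit. The limit, the IPs (RFC 5737 test addresses), the rule messages and the log lines are constructed; only the line layout and rule 901001 come from the thread.

```python
"""Tally ModSecurity 'Access denied' events per client IP from nginx error-log
lines in the layout quoted in the thread, excluding CRS setup errors.

Added example, not code from the forum thread, BFM, CSF or DirectAdmin. The
limit, the IPs and the sample log lines are constructed."""
import re
from collections import Counter

# nginx error-log prefix, then the ModSecurity verdict, as in the post's log line.
DENIED_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?"
    r"\[client (?P<ip>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d{3})"
)
# The [key "value"] tags ModSecurity appends: file, line, id, msg, severity, uri, unique_id, ...
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')

# Rule 901001 fires when crs-setup.conf is missing (the 500 error seen in the thread);
# that is a configuration problem, not an attack, so it must not count against an IP.
SETUP_RULE_IDS = {"901001"}


def parse_denial(line: str):
    """Return a dict for an 'Access denied' line, or None for anything else
    (including 'ModSecurity: Warning.' lines, which record matches that did not block)."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(TAG_RE.findall(line))
    return rec


def tally_denials(lines, limit: int = 3):
    """Count denials per client IP.

    Returns (over_limit, setup_errors): {ip: count} for IPs with at least `limit`
    denials, and the messages of setup-rule hits that were excluded from the count."""
    per_ip = Counter()
    setup_errors = []
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        if rec.get("id") in SETUP_RULE_IDS:
            setup_errors.append(rec.get("msg", ""))
            continue
        per_ip[rec["ip"]] += 1
    over_limit = {ip: n for ip, n in per_ip.items() if n >= limit}
    return over_limit, setup_errors


def _constructed_line(ip, rule_id, msg, uid, code=403, denied=True):
    """Build a constructed error-log line in the layout quoted in the thread."""
    verdict = f"Access denied with code {code} (phase 2)." if denied else "Warning."
    return (
        f"2021/01/12 14:20:01 [error] 16604#0: *7 [client {ip}] ModSecurity: {verdict} "
        f'Matched "Operator Rx with parameter x against variable ARGS:id (Value: x )" '
        f'[file "/etc/modsecurity.d/constructed.conf"] [line "1"] [id "{rule_id}"] [rev ""] '
        f'[msg "{msg}"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [uri "/index.php"] '
        f'[unique_id "{uid}"] [ref ""], client: {ip}, server: example.invalid, '
        f'request: "GET /index.php?id=x HTTP/1.1", host: "example.invalid"'
    )


# Constructed sample log: three blocks from one client, a warning-only match that must
# not be counted, and the 901001 setup error from the thread on a second client.
SAMPLE_LOG = [
    _constructed_line("203.0.113.5", "942100", "SQL Injection Attack Detected", "c-0", denied=False),
    _constructed_line("203.0.113.5", "949110", "Inbound Anomaly Score Exceeded (Total Score: 20)", "c-1"),
    _constructed_line("203.0.113.5", "949110", "Inbound Anomaly Score Exceeded (Total Score: 15)", "c-2"),
    _constructed_line("203.0.113.5", "949110", "Inbound Anomaly Score Exceeded (Total Score: 25)", "c-3"),
    _constructed_line("198.51.100.7", "901001", "ModSecurity Core Rule Set is deployed without configuration!", "c-4", code=500),
    _constructed_line("198.51.100.7", "949110", "Inbound Anomaly Score Exceeded (Total Score: 10)", "c-5"),
]

if __name__ == "__main__":
    over, setup = tally_denials(SAMPLE_LOG, limit=3)
    for ip, n in over.items():
        print(f"{ip}: {n} denials, at or over the limit")
    for msg in setup:
        print(f"setup error excluded from the count: {msg}")
```

An IP that reaches the limit is what you would hand to the firewall's deny list (with CSF, `csf -d <ip>`); running the tally over the error log since the last check, rather than the whole file, keeps the cost small. Excluding the setup rule matters because a broken CRS install denies every visitor, and counting those would block your own users.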
 