Search found 11 matches

by drsprite
23 Dec 2014, 03:25
Forum: General Discussion (csf)
Topic: Custom DIY Block list using MySQL?
Replies: 1
Views: 2282

Re: Custom DIY Block list using MySQL?

I took the time to tinker around on this, and the answer to my question is yes. I have my block list in MySQL. I have a PHP script that grabs all IPs and displays them on a public website. I then added this public website to the lfd Blocklists section and I see my new chain in iptables. So far so good!
by drsprite
23 Dec 2014, 02:06
Forum: General Discussion (csf)
Topic: Custom DIY Block list using MySQL?
Replies: 1
Views: 2282

Custom DIY Block list using MySQL?

I currently run my own blocklist using fail2ban and a few parameters to catch WordPress brute force. fail2ban adds the entry to csf, and also populates a file that I keep as my own block list. This file is entered into csf.deny so it's reloaded upon csf restarts. I'm looking to expand this list to m...
by drsprite
10 Sep 2013, 21:12
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

Interestingly enough, your suggestion didn't work.

SecAuditLogType Concurrent
That resulted in nothing in the audit_log. Is there another part of modsec I'm missing?

I've reverted back to my ErrorLog tee'ing which seems to be the best solution at this time.
by drsprite
10 Sep 2013, 20:47
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

Thanks for that! I'll give it a try. As I found out, Apache can't log to 2 ErrorLogs at once, so I ended up doing this in httpd.conf: ErrorLog "|/usr/bin/tee -a /var/log/httpd/mydomain.net-error_log /var/log/httpd/unified_mod_security-error_log" That works great to log to 2 ErrorLog files,...
by drsprite
05 Sep 2013, 13:50
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

I think I've solved this. Since CSF can't scan 10 separate domain error_log files, and the custom regex you provided needs the entry from the error_log and NOT the audit_log, the trick was to get all domains to report errors to 1 file. So what I did was in each VirtualHost domain entry in httpd.conf...
by drsprite
05 Sep 2013, 03:58
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

I think the problem is that the custom regex is looking to parse entries from the error_log, but the layout of the data in audit_log is quite different.

Is there any other way to do this?
by drsprite
05 Sep 2013, 01:08
Forum: General Discussion (csf)
Topic: Multiple attempts to hack into wp-login from same IP
Replies: 34
Views: 86047

Re: Multiple attempts to hack into wp-login from same IP

I didn't see this post, and I ended up posting another thread here. It has some information in it, but I'm also broken. Since I have so many domains that log to many different log files, user websavers (on this forum) suggested some custom regex to help with this. Its purpose is to scan all the fil...
by drsprite
04 Sep 2013, 14:39
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

Okay, found it. For anyone in the future looking for it, check out your settings in /etc/httpd/conf.d/mod_security.conf, then look for SecAuditLog /var/log/httpd/modsec_audit.log. That's the audit log. I'm still having trouble though. I can get modsec to block me, but CSF still doesn't block my IP. ...
by drsprite
04 Sep 2013, 14:25
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

Hmm, quick question. How did you change modsec's logging to go to audit_log? Right now it's logging into each domain's separate error_log, but I haven't found the setting to make it all funnel into 1 log.

I'll keep digging around.
by drsprite
04 Sep 2013, 14:21
Forum: General Discussion (csf)
Topic: Help with LF_MODSEC
Replies: 10
Views: 20826

Re: Help with LF_MODSEC

Oh, great explanation. LFD doesn't scan ALL the Apache logs, only the main one. Just like you, my Apache config is set up to have separate log files for each domain as well (but I am not running Plesk, which shouldn't matter). I will try out the regex you posted and will try it from my test IP to se...