I'm using a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.
I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.
Change permanent block to temporary
Re: Change permanent block to temporary
Update: I asked the same question on the cPanel forums, and found out there's a setting for this in CSF:
LF_MODSEC = "10"
LF_MODSEC_PERM = "300"
This would block for 5 minutes (300 seconds) after modsec rules being triggered.
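To check how every login-failure trigger on a server is set to block, here is an added example (not part of the original post and not CSF's own code) that reads csf.conf-style text and reports each LF_<app> / LF_<app>_PERM pair. It assumes CSF's documented convention that a trigger of 0 disables detection, a _PERM value of 1 is a permanent block, and a _PERM value above 1 is a temporary block lasting that many seconds; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample in csf.conf syntax (not taken from a real server).
SAMPLE_CONF = '''
# Login failure blocking
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_MODSEC = "10"
LF_MODSEC_PERM = "300"
LF_FTPD = "0"
LF_FTPD_PERM = "1"
'''

# Matches NAME = "value"; comment lines start with '#' and never match.
SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Return {NAME: value} for every NAME = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def block_policy(settings, app):
    """Describe what happens when LF_<app> trips, e.g. app='MODSEC'."""
    trigger = int(settings.get(f"LF_{app}") or 0)
    perm = int(settings.get(f"LF_{app}_PERM") or 0)
    if trigger == 0:
        return "disabled"
    if perm == 1:            # assumed convention: 1 = permanent
        return f"permanent block after {trigger} hits"
    if perm > 1:             # assumed convention: >1 = seconds
        return f"temporary block for {perm}s after {trigger} hits"
    return "unknown (no valid _PERM value)"

def audit(text):
    """Map each app that has both LF_<app> and LF_<app>_PERM to its policy."""
    settings = parse_conf(text)
    apps = [k[3:-5] for k in settings
            if k.startswith("LF_") and k.endswith("_PERM")]
    return {a: block_policy(settings, a) for a in apps if f"LF_{a}" in settings}

if __name__ == "__main__":
    for app, policy in audit(SAMPLE_CONF).items():
        print(f"LF_{app}: {policy}")
```

To audit a live install, pass the contents of the server's csf.conf to audit() instead of SAMPLE_CONF.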