When I get email notifications from CSF regarding an IP block that has taken place due to Mod_Security, it looks like this:
So, even though I have LF_MODSEC set to 10, the email says that it was tripped due to 5 failures.

Time: Mon Jul 14 21:08:24 2014 -0500
IP: 1.2.3.4 (FR/France/some.reverse.dns.fr)
Failures: 5 (mod_security)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
[Mon Jul 14 21:08:21 2014] [error] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "5000209"] [msg "IP address blocked for 24 hrs. Description of the rule is here."] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "U8SNFTIcCC0AAFVQLS0AAABN"]
(another 4 entries snipped)
What am I doing wrong? Thanks for any insight!
- Scott