mod_sec violations not being blocked

MACscr
Junior Member
Posts: 46
Joined: 12 Jan 2007, 20:43

mod_sec violations not being blocked

Post by MACscr »

I am seeing the same IP showing up in my httpd error_log for numerous mod_sec violations, yet it's not being blocked by CSF. I have CSF set to block after 5 errors and it is watching the correct error_log path.


[Thu Dec 18 10:21:12.222145 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]
[Thu Dec 18 10:21:12.222225 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "163"] [id "210230"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]
[Thu Dec 18 10:21:12.549214 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: Warning. Operator GE matched 5 at TX:incoming_points. [file "/var/cpanel/cwaf/rules/cwaf_04.conf"] [line "572"] [id "214930"] [msg "COMODO WAF: Inbound Points Exceeded (Total Incoming Points: 5)"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]
Any suggestions? That's just an example of 3 that are triggered at once, but it's happening every couple of minutes from that same IP address.
WhiteDog
Junior Member
Posts: 4
Joined: 29 Dec 2014, 16:01
Location: Belgium

Re: mod_sec violations not being blocked

Post by WhiteDog »

I have the same "problem" with this exact same rule. Can someone shine some light on why certain rules trigger a block and others do not? What is missing here in order for CSF to block this?
marcele
Junior Member
Posts: 214
Joined: 17 Sep 2007, 17:02

Re: mod_sec violations not being blocked

Post by marcele »

WhiteDog wrote:
I have the same "problem" with this exact same rule. Can someone shine some light on why certain rules trigger a block and others do not? What is missing here in order for CSF to block this?
Those are just modsecurity warnings. By default LFD will only block "access denied" messages.

modsec2 regex:


/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/
If you want to see what all the regex looks like then take a look in:
/usr/local/csf/bin/regex.pm

You can easily add your own custom regex (that will survive CSF upgrades) to:
/usr/local/csf/bin/regex.custom.pm

Here is a great tool I use for creating and validating my own custom regex:
https://regex101.com/

I hope this helps!
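To see marcele's point in action, the following Python script is an added example (not CSF's own code): it transcribes the quoted modsec2 regex into Python syntax, runs it over the three warning lines from the first post plus one constructed "Access denied" line, and counts matches per IP the way an LF_MODSEC threshold of 5 would. The constructed denied line and the port-stripping step are assumptions, not taken from CSF.

```python
import re

# Default CSF/LFD "modsec2" pattern as quoted above, with Perl's /.../ delimiters
# dropped; the pattern body itself is unchanged.
MODSEC2_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?'
    r'\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)'
)

def lfd_client_ip(line):
    """Return the client address LFD would count for this line, or None when the
    line is only a ModSecurity warning that the default regex ignores."""
    m = MODSEC2_RE.match(line)
    if not m:
        return None
    client = m.group(4)          # fourth capture group is the [client ...] token
    # Apache 2.4 can log "[client 1.2.3.4:54321]"; drop a trailing port on IPv4
    # addresses (a simplification assumed here, not CSF's own handling).
    if client.count(':') == 1:
        client = client.split(':')[0]
    return client

def ips_over_threshold(lines, threshold=5):
    """Count only denials per IP, as LF_MODSEC does, and return the IPs that
    reach the block threshold (5 in the original post)."""
    counts = {}
    for line in lines:
        ip = lfd_client_ip(line)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# The three warning lines from the first post, exactly as logged there.
WARNINGS = [
    '[Thu Dec 18 10:21:12.222145 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]',
    '[Thu Dec 18 10:21:12.222225 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "163"] [id "210230"] [msg "COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]',
    '[Thu Dec 18 10:21:12.549214 2014] [:error] [pid 23305] [client 94.102.49.241] ModSecurity: Warning. Operator GE matched 5 at TX:incoming_points. [file "/var/cpanel/cwaf/rules/cwaf_04.conf"] [line "572"] [id "214930"] [msg "COMODO WAF: Inbound Points Exceeded (Total Incoming Points: 5)"] [hostname "www.example.com"] [uri "/xmlrpc.php"] [unique_id "VJL@@EPhny0AAFsJedsAAAAH"]',
]

# A constructed line in the shape ModSecurity logs when a rule actually blocks
# (a disruptive action), which is the only kind the default regex counts.
DENIED = ('[Thu Dec 18 10:21:13.000000 2014] [:error] [pid 23305] [client 94.102.49.241] '
          'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:incoming_points. '
          '[file "/var/cpanel/cwaf/rules/cwaf_04.conf"] [line "572"] [id "214930"] [hostname "www.example.com"] [uri "/xmlrpc.php"]')

if __name__ == "__main__":
    for line in WARNINGS:
        print("counted" if lfd_client_ip(line) else "ignored", line[:60])
    print(ips_over_threshold(WARNINGS + [DENIED] * 5))
```

The three warning lines are ignored and only the denied line counts, which is why the IP in the first post never reaches the threshold; a custom pattern in regex.custom.pm would have to match the warning text itself (for example the "Inbound Points Exceeded" message) for LFD to count those.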
MACscr
Junior Member
Posts: 46
Joined: 12 Jan 2007, 20:43

Re: mod_sec violations not being blocked

Post by MACscr »

Thanks for the reply and info marcele. So you are saying that modsec is just giving warnings about the hack attempt and isn't even actually denying them? Thus LFD doesn't track the attempts?