We are using cPanel based servers and recently switched from using the AtomiCorp mod_security rules to the OWASP rules now being provided by cPanel (as I imagine a lot of people will be doing).
It looks like CSF no longer recognizes events triggered by these rules and is not blocking the IP addresses after a certain number of hits.
I described the issue in a thread here [edit: I can't post links, but it is one of the newer threads in the cPanel security sub-forum], and someone came up with this:
It appears to be CSF mishandling it. Let's look at their regex.pm for ModSecurity:
Code:
#mod_security v2 (apache)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)) { ***SNIP***
So the issue here is the regex that LFD is using only covers log lines containing "Access denied with code" or "Access denied with connection." It would need to be (code|connection|redirection) to work with rules that redirect the attacker like the OWASP rules.
You should report this as a bug to configserver. In the meantime, if you go into the file /usr/local/csf/bin/regex.pm you can make the edit to change (code|connection) to (code|connection|redirection) and it will work. I just tested this and it works great after restarting CSF/LFD.
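To make the gap concrete, here is an added example (not code from the thread, from CSF, or from ConfigServer) that runs the quoted regex.pm pattern and the proposed (code|connection|redirection) variant over constructed ModSecurity error-log lines in both the Apache 2.4 and 2.2 formats. The log lines, IP addresses and rule ids are made up for the demonstration; the port-stripping of the [client ip:port] field and the two-hit threshold are assumptions standing in for how LFD counts LF_MODSEC triggers, which the thread does not show.

```python
import re
from collections import Counter

# The ModSecurity v2 (Apache) pattern quoted from CSF's regex.pm in the thread,
# split so the only difference between the two variants is the final alternation.
MODSEC_PREFIX = (
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?'
    r'\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with '
)
ORIGINAL_RE = re.compile(MODSEC_PREFIX + r'(code|connection)')
PATCHED_RE = re.compile(MODSEC_PREFIX + r'(code|connection|redirection)')

# Constructed sample lines (not real traffic). Lines 1-5 use the Apache 2.4
# error-log layout (microsecond timestamp, [pid], ip:port); line 6 uses the
# older Apache 2.2 layout. Rule ids and messages are placeholders.
SAMPLE_LOG = [
    '[Tue Mar 10 12:00:01.000001 2015] [:error] [pid 4711] [client 203.0.113.10:51234] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:q. '
    '[id "000001"] [msg "constructed sample: deny with status"]',
    '[Tue Mar 10 12:00:02.000002 2015] [:error] [pid 4712:tid 140] [client 198.51.100.7:40000] '
    'ModSecurity: Access denied with connection close (phase 2). [id "000002"] '
    '[msg "constructed sample: drop"]',
    '[Tue Mar 10 12:00:03.000003 2015] [:error] [pid 4713] [client 192.0.2.44:33001] '
    'ModSecurity: Access denied with redirection to http://example.invalid/blocked '
    'using status 302 (phase 2). [id "000003"] [msg "constructed sample: redirect"]',
    '[Tue Mar 10 12:00:04.000004 2015] [:error] [pid 4713] [client 192.0.2.44:33002] '
    'ModSecurity: Warning. Pattern match "y" at ARGS:id. [id "000004"] '
    '[msg "constructed sample: warning only, not a denial"]',
    '[Tue Mar 10 12:00:05.000005 2015] [:error] [pid 4714] [client 192.0.2.44:33003] '
    'ModSecurity: Access denied with redirection to http://example.invalid/blocked '
    'using status 302 (phase 2). [id "000003"] [msg "constructed sample: redirect"]',
    '[Tue Mar 10 12:00:06 2015] [error] [client 203.0.113.10] '
    'ModSecurity: Access denied with code 403 (phase 2). [id "000001"] '
    '[msg "constructed sample: Apache 2.2 layout"]',
]


def client_ip(line, pattern):
    """Return the client IP if `line` is a denial that `pattern` recognises, else None."""
    m = pattern.match(line)
    if not m:
        return None
    client = m.group(4)  # capture group 4 is the value inside "[client ...]"
    # Apache 2.4 appends the source port as ip:port; strip it for IPv4 addresses.
    # How CSF itself normalises this field is not shown in the thread (assumption).
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}:\d+', client):
        client = client.rsplit(':', 1)[0]
    return client


def denied_clients(lines, pattern):
    """IPs of every line the pattern recognises as an 'Access denied' event, in log order."""
    return [ip for ip in (client_ip(line, pattern) for line in lines) if ip]


def clients_over_threshold(lines, pattern, threshold):
    """IPs with at least `threshold` recognised denials (stand-in for an LF_MODSEC trigger count)."""
    counts = Counter(denied_clients(lines, pattern))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    for name, pattern in (('original', ORIGINAL_RE), ('patched', PATCHED_RE)):
        print(name, 'recognised:', denied_clients(SAMPLE_LOG, pattern))
        print(name, 'over threshold 2:', clients_over_threshold(SAMPLE_LOG, pattern, 2))
```

With the original pattern the two redirect-style denials from 192.0.2.44 are never counted, so that client never reaches the threshold; with the alternation extended to include redirection they are counted like any other denial, while the plain "Warning." line is still ignored by both.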
CSF not correctly recognizing OWASP mod_security trigger
Re: CSF not correctly recognizing OWASP mod_security trigger
A new version of csf (v7.62) has been released to more generically support ModSecurity "Access denied" triggers:
http://blog.configserver.com/