DirectAdmin modsecurity denials not blocked by CSF/LFD

[nbeernink]

I have a bunch of DirectAdmin servers that have modsecurity installed through custombuild 2.0. I can't get CSF to block the denials by modsecurity and would appreciate some help with this. Modsecurity is working according to the audit log but some of the attacks are rather heavy and blocking in the firewall is preferred.

Specs:

• Centos 6.8
• Apache 2.4.23
• PHP 5.4.45
• Modsecurity 2.9.1 (Security Engine set to on)
• Comodo ModSecurity Rule Set: 1.98
• csf: v9.28 (DirectAdmin)

I've tried to point LFD to several logs (one per try) like this:

Code: Select all

MODSEC_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/modsec_audit.log"
MODSEC_LOG = "/var/log/httpd/domains/*.error.log"

However, LFD isn't blocking the IP (123.123.123.123) as we would expect. Am I supposed to write my own regex to block these attacks? (which I would then share in the Custom REGEX rules for CSF-thread) But I was kindof expecting things to work out of the box.

Examples:
/var/log/httpd/modsec_audit.log:

Code: Select all

--9eabec13-A--
[01/Nov/2016:11:10:44 +0100] WBhqJAWsLBMAAB0D76YAAABA 123.123.123.123 64938 111.222.333.444 80

--9eabec13-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.45
Pragma: no-cache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=lp5u4qhip7jqqcp2n30ng0p9u7; path=/
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Vary: Accept-Encoding,User-Agent
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

--9eabec13-H--
Message: Warning. Operator GE matched 2 at IP:brute_force_burst_counter. [file "/usr/local/cwaf/rules/09_Bruteforce_Bruteforce.conf"] [line "45"] [id "230007"] [rev "2"] [msg "COMODO WAF: Potential Brute Force Attack|Source 123.123.123.123 - # of Request Bursts: 2|example.org|F|2"] [severity "CRITICAL"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: fcgid-script
Stopwatch: 1477995044481261 169367 (- - -)
Stopwatch2: 1477995044481261 169367; combined=7182, p1=528, p2=2460, p3=81, p4=25, p5=3935, sr=176, sw=153, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache/2
Engine-Mode: "ENABLED"

--9eabec13-Z--

/var/log/httpd/domains/example.org.error.log:

Code: Select all

[Wed Dec 07 17:00:50.493215 2016] [:error] [pid 20195:tid 140060137608960] [client 123.123.123.123:50882] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^(\\\\d*|uploads\\\\/.*\\\\.(jpeg|jpg|gif|png|bmp))$" against "ARGS_GET:img" required. [file "/usr/local/cwaf/rules/29_Apps_WPPlugin.conf"] [line "624"] [id "222050"] [rev "4"] [msg "COMODO WAF: Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress (CVE-2014-9734)||www.example.org|F|2"] [severity "CRITICAL"] [hostname "www.example.org"] [uri "/wp-admin/admin-ajax.php"] [unique_id "WEgyMgWsLBMAAE7jvqIAAAAI"]

Can anyone shed some light on this?

Thanks

Niek

[nbeernink]

Okay, the situation was rather pressing so we came up with the following regex for our use-case:

Code: Select all

#mod_security v2 (apache on DirectAdmin host)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}

Geekcreds to Hindrik Deelstra.

[Sergio]

Hi, nbeernink.
I was checking your post and the regex I think will not work as expected as the IP will not be set at $1, it will be set at $4 as,
$1 = (\w)
$2 = (:tid \d+)
$3 = (\[pid \d+$2\])
$4 = (\S+) <<<==== This is the IP that you want to block.
So, using:
mod_security-custom","1","80,443","1"
will not work, instead it should be:
mod_security-custom","4","80,443","1"
Remember that enclosing an item inside "( )" without escaping it, will save the item in the memory $n

[sahostking]

wrt to this post I assume this would be correct then?

Code: Select all

#mod_security v2 (apache on DirectAdmin host)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","4","80,443","1")} else {return}
}