Plz help How to block User-Agent by ModSecurity with CSF

manhclhd
Junior Member
Posts: 4
Joined: 30 Oct 2014, 13:00
Location: Việt Nam

Plz help How to block User-Agent by ModSecurity with CSF

Post by manhclhd »

:( Specs:

- DDoS from Facebook

- User-Agent

173.252.124.57 - - [07/Apr/2017:17:36:47 +0700] "GET / HTTP/1.1" 444 13710 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

OS: CloudLinux 6
Panel: DirectAdmin CustomBuild 2.0


Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Log in the ModSecurity audit log:

--64513437-H--
Message: Access denied with code 444 (phase 1). Pattern match "externalhit_uatext" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity.d/manh.conf"] [line "1"] [id "1993"]
Action: Intercepted (phase 1)
Stopwatch: 1491562247538072 750 (- - -)
Stopwatch2: 1491562247538072 750; combined=26, p1=21, p2=0, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/).
Server: Apache/2
Engine-Mode: "ENABLED"
My problem:
- When I test with the agent "Linux", csf blocks my IP (ModSecurity is triggered), but only once; after I remove the IP and test again, csf does not block.
- I block the Facebook User-Agent with ModSecurity; ModSecurity blocks it, but csf DOES NOT work, DOES NOT block anything.
- I'm too tired of searching for the issue.

What is wrong with my config?
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by Sergio »

How is the Mod_Security option configured in csf?
msfh
Junior Member
Posts: 2
Joined: 09 Apr 2017, 08:59

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by msfh »

I don't know what really is the best solution for this issue.
Mod_security blocking Googlebot is a "false positive", and usually those are fixed by creating an exception. As has been suggested, you could "whitelist" Googlebot by its User-Agent, but that would open a hole for anyone using a fake Googlebot User-Agent.

If you want to know what mod_security is and how it works, you should start reading, for example, here:
https://github.com/SpiderLabs/ModSe...s ... odSecurity

CSF/LFD reads, if configured so, the mod_security log file, and when it sees that one IP has been blocked LF_MODSEC times in 5 minutes it blocks the IP, either permanently or temporarily.
So it works like this: mod_security blocks something, in this case Googlebot; CSF/LFD sees those blocks in the mod_security log and blocks the IP used in the firewall.
In this case, mod_security is not blocking Googlebot because it is Googlebot, but because Googlebot is doing something that seems suspicious. If you can't prevent mod_security from doing that, you should at least make sure that Googlebot is not blocked permanently.
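To make the counting msfh describes concrete (lfd tallying ModSecurity denials per source IP and acting once LF_MODSEC of them fall inside 5 minutes), here is an added illustration in Python; it is not csf's or lfd's own code. It assumes MODSEC_LOG points at Apache's error_log, which is csf.conf's shipped default as far as I know, and that ModSecurity writes its one-line "Access denied ... [client IP]" entries there; the multi-section audit log quoted in the first post carries no such line, which the last constructed entry shows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed format: the one-line denial ModSecurity 2.x writes to Apache's
# error_log (Apache 2.2 "[error]" and 2.4 "[:error] [pid N]" variants).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:?error\] (?:\[pid \d+\] )?'
    r'\[client (?P<ip>[\d.]+)(?::\d+)?\] '
    r'ModSecurity: Access denied with code \d+ \(phase \d+\)'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Apr 07 17:36:47 2017"

def modsec_triggers(lines, lf_modsec=5, window=300):
    """Mimic lfd's LF_MODSEC check: return {ip: time_flagged} for every IP
    that accumulates lf_modsec denials within `window` seconds."""
    hits = defaultdict(deque)   # ip -> denial timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # anything else (e.g. audit-log sections) is ignored
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)
        q = hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()         # drop denials older than the window
        if len(q) >= lf_modsec and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _denial(ts, ip):
    # Constructed error_log line modelled on the rule hit in the first post.
    return (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 444 '
            f'(phase 1). Pattern match "externalhit_uatext" at '
            f'REQUEST_HEADERS:User-Agent. [id "1993"]')

# Constructed sample: one IP denied five times in 40 s (reaches the threshold),
# one denied five times an hour apart (never five inside 5 min), and one
# audit-log style line that an error_log parser would not recognise.
SAMPLE_LOG = (
    [_denial(f"Fri Apr 07 17:36:{s:02d} 2017", "173.252.124.57") for s in (10, 20, 30, 40, 50)]
    + [_denial(f"Fri Apr 07 {h:02d}:00:00 2017", "203.0.113.9") for h in range(10, 15)]
    + ['Message: Access denied with code 444 (phase 1). Pattern match "externalhit_uatext" '
       'at REQUEST_HEADERS:User-Agent. [id "1993"]']
)
if __name__ == "__main__":
    for ip, when in modsec_triggers(SAMPLE_LOG).items():
        print(f"{ip} reached LF_MODSEC at {when:%H:%M:%S}")  # 173.252.124.57 at 17:36:50
```

Running it against a real error_log (replace SAMPLE_LOG with the file's lines) shows whether denials for the test IP ever land five inside one 5-minute window, which is what lfd requires before it blocks.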
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by Sergio »

msfh wrote: 09 Apr 2017, 09:32 I don't know what really is the best solution for this issue.
Mod_security blocking Googlebot is a "false positive", and usually those are fixed by creating an exception. As has been suggested, you could "whitelist" Googlebot by its User-Agent, but that would open a hole for anyone using a fake Googlebot User-Agent.

If you want to know what mod_security is and how it works, you should start reading, for example, here:
https://github.com/SpiderLabs/ModSe...s ... odSecurity

CSF/LFD reads, if configured so, the mod_security log file, and when it sees that one IP has been blocked LF_MODSEC times in 5 minutes it blocks the IP, either permanently or temporarily.
So it works like this: mod_security blocks something, in this case Googlebot; CSF/LFD sees those blocks in the mod_security log and blocks the IP used in the firewall.
In this case, mod_security is not blocking Googlebot because it is Googlebot, but because Googlebot is doing something that seems suspicious. If you can't prevent mod_security from doing that, you should at least make sure that Googlebot is not blocked permanently.
You can add Google's range of IPs to your Allowed IP list; that way, if Mod_Security blocks Googlebot the IP will not be blocked, and if it is someone impersonating Googlebot it will be blocked by CSF.
manhclhd
Junior Member
Posts: 4
Joined: 30 Oct 2014, 13:00
Location: Việt Nam

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by manhclhd »

Sergio wrote: 09 Apr 2017, 00:18 How is the Mod_Security option configured in csf?
Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Can you see it?
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by Sergio »

When testing, have you tried 5+ times to see if your IP was blocked?
manhclhd
Junior Member
Posts: 4
Joined: 30 Oct 2014, 13:00
Location: Việt Nam

Re: Plz help How to block User-Agent by ModSecurity with CSF

Post by manhclhd »

Sergio wrote: 10 Apr 2017, 05:15 When testing, have you tried 5+ times to see if your IP was blocked?
I've tried many, many times, 100+ times, but it still does not work!