Custom REGEX rules for CSF.

[Sergio]

@dascos
in $1 you are saving the full IP xxx.yyy.zzz.www because of "(\S+)" and then you save that into $ipblock, so, $ipblock = "$1\.0/24" will be like xxx.yyy.zzz.www.0/24

I think you should try this instead:

Code: Select all

($line =~ /^(\d+\.\d+\.\d+\.).*(?:GET|HEAD...

Sergio

[sahostking]

Something strange is happening. This rule used to work but not its not stopping attacks:

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
return ("Get lost please",$1,"WPLOGINorWHATEVER","5","80,443","600");
}

---------------------

13.89.63.38 - - [14/Apr/2022:06:52:19 +0200] "POST //wp-login.php HTTP/2" 200 2211 "https://www.example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
20.118.172.88 - - [14/Apr/2022:06:52:26 +0200] "POST //wp-login.php HTTP/2" 200 2217 "https://example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

I see it showing in the csf -t

DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs

However its still populating logs and causing some load for this client, almost like its not stopping at all.
This is on our directadmin servers.

[sahostking]

Something strange is happening. This rule used to work but not its not stopping attacks:

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
return ("Get lost please",$1,"WPLOGINorWHATEVER","5","80,443","600");
}

---------------------

13.89.63.38 - - [14/Apr/2022:06:52:19 +0200] "POST //wp-login.php HTTP/2" 200 2211 "https://www.example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
20.118.172.88 - - [14/Apr/2022:06:52:26 +0200] "POST //wp-login.php HTTP/2" 200 2217 "https://example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

I see it showing in the csf -t

DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs

However its still populating logs and causing some load for this client, almost like its not stopping at all.
This is on our directadmin servers.

removed nftables and then reinstalled iptables and ipset. Lets see if this works better.

[sahostking]

will this block any attacks on joomla and opencart admin and administrator folders? or will it block legitimate customers too?

Code: Select all

# ADMIN FOLDER
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(\/admin).* (200|401)/)) {
    return ("admin folder",$1,"ADMINFOLDER","5","80,443","600");
    }

# ADMINISTRATOR FOLDER
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(\/administrator).* (200|401)/)) {
    return ("administrator folder",$1,"ADMINISTRATORFOLDER","5","80,443","600");
    }

[Sergio]

Is not possible to know, we will need at least one log example of each, one of an attack and one of a legitimate access.

[moriso12]

For /phpmyadmin Debian 11

Code: Select all

CUSTOM1_LOG = "/var/log/apache2/access.log"

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/phpmyadmin\/.*" /)) { 
return ("phpmyadmin Login Attack",$1,"phpmyadmin","5","80,443","1");
}

[mazi]

Hello,

On my cPanel/LiteSpeed server,
when visitor login WordPress fail,
It will generate the error record with modsecurity id 33332,
I want to use csf to deny the ip.

2022-11-07 13:35:20.833580 [NOTICE] [1041882] [T7] [1.2.3.4:4902:HTTP2-33#APVH_sitedomain.com:443:MODSEC] mod_security rule [id "33332"] at [/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/003_i360_2_bruteforce.conf:17] triggered!

I write the code,
It seems no effect,
Do you mind help me check/correct it ?

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\S+)\:.*\] mod_security rule \[id \"33332\"\].* /)) { return ("mod_security attack id",$1,"myftpmatch","5","80,443","1","1"); }

Thanks

[Sergio]

Hi.

There are two ModSecurity rules that are mostly used:
- Comodo
- OWASP

The rule that you were trying to use was created for COMODO and the LOG structure is completely different to OWASP.
So, I have created this rule that will work for OWASP:

Code: Select all

# BLOCKING ModSec OWASP Rules attacks by Secmas

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\d+\.\d+\.\d+\.\d+):.*\] mod_security rule \[id \"(33332)\"\]/i)) {
		return ("$2",$1,"Secmas_OWASP","1","1");
	}
	

Test it before using in production.

Sergio

[mazi]

Hello,Sergio,

really thanks from your help.

may i ask you some questions ?

1. if i hope to learn the "Custom REGEX rules for CSF" writting,do you recommend any article or keyword to search ?
2. if i want to put more rule id,such as 33332 and 55555,can i change [id \"(33332)\"\] as [id \"(33332|55555)\"\] ?

thanks

[Sergio]

@Mazi,
search in google for: RegexOne, I have found that site and looks interesting for learning Regex.

About adding more MODSEC IDs to block, yes, you can use "or" "|" to add any rule you want the rule to block, just remember to have all of them inside the parenthesis.

I you have the ConfigServer ModSecurity Control installed in your server, go to "ModSecurity Log" and in there you will see the most attacked IDs and you can get the IDs from there to add it to your rule.

Sergio