Hi all
Updated post after further investigation.
It looks like CSF has not been blocking IPs based on ModSec events for over 30 days, at least. This is across two WHM CentOS servers.
LFD Stats only show CT_LIMIT, LF_DISTATTACK, and LF_PERMBLOCK_CONT triggers, but no LF_MODSEC events in the last 30 days.
ModSec looks like it's doing what it should, and I can see the usual events. There's been an increase in ModSec events, and I'm assuming this is because they have not been picked up by CSF.
Any advice on how to debug this? What areas should I investigate?
ModSec events not triggering CSF blocks (updated)
Re: ModSec events not triggering CSF blocks (updated)
After opening a post on the cPanel website, someone has suggested it's because modsec_audit.log entries are recorded as "ModSecurity: Warning", which won't trigger CSF.
Has anyone come across this issue before?
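One way to test the suggestion quoted above is to tally, per client IP, how many ModSecurity log lines are "Warning" and how many are "Access denied". This is an added example, not code from the thread, cPanel or CSF; the function names, the Apache 2.4 error-log line layout and the sample lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample lines in Apache 2.4 error-log layout (IPs, ids and paths are made up).
sample_log() {
cat <<'EOF'
[Wed Mar 06 10:15:01.100000 2024] [:error] [pid 1201] [client 203.0.113.5:40112] [client 203.0.113.5] ModSecurity: Warning. Pattern match "select" at ARGS:q. [id "900001"] [uri "/index.php"]
[Wed Mar 06 10:15:02.200000 2024] [:error] [pid 1201] [client 203.0.113.5:40113] [client 203.0.113.5] ModSecurity: Warning. Pattern match "union" at ARGS:q. [id "900002"] [uri "/index.php"]
[Wed Mar 06 10:15:05.300000 2024] [:error] [pid 1202] [client 198.51.100.7:51820] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "etc/passwd" at ARGS:f. [id "900003"] [uri "/view.php"]
[Wed Mar 06 10:15:07.400000 2024] [:error] [pid 1201] [client 203.0.113.5:40115] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "sleep" at ARGS:q. [id "900004"] [uri "/index.php"]
[Wed Mar 06 10:15:09.000000 2024] [authz_core:error] [pid 1201] [client 192.0.2.9:51000] AH01630: client denied by server configuration: /home/user/public_html/.env
EOF
}

# Reads log lines from the files given as arguments, or from stdin when none are given.
# Prints one line per client: "<ip> warning=<n> denied=<n>", sorted by IP string.
modsec_dispositions() {
    awk '
    /ModSecurity: (Warning|Access denied)/ {
        ip = "unknown"
        # Take the first [client ...] field on the line.
        if (match($0, /\[client [^] ]+\]/)) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)
            # Apache 2.4 appends the source port; strip it for IPv4 only,
            # so that IPv6 addresses are left untouched.
            if (ip ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", ip)
        }
        if ($0 ~ /ModSecurity: Warning/) warn[ip]++; else deny[ip]++
        seen[ip] = 1
    }
    END {
        for (ip in seen)
            printf "%s warning=%d denied=%d\n", ip, warn[ip], deny[ip]
    }' "$@" | sort
}

# Demo on the constructed sample.
sample_log | modsec_dispositions
```

Run it against the Apache error log that LFD is set to watch: if every client shows only `warning=` counts, the rules are logging without denying, which is consistent with the explanation given on the cPanel forum.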