Mod_security is not blocking

These forums are not for questions about ModSecurity, just the cmc script itself
Post Reply
milhouse
Junior Member
Posts: 5
Joined: 19 May 2018, 05:55

Mod_security is not blocking

Post by milhouse »

Hi, I have a server with WHM and MOD SECURITY installed. "ConfigServer ModSecurity Control - cmc v3.03"

We discovered that Mod_security is not blocking, is just saving the data.

root@server:~# grep ' ModSecurity: Access denied' /usr/local/apache/logs/modsec_audit.log | wc -l
0
root@server:~# grep ' ModSecurity: Warning' /usr/local/apache/logs/error_log | wc -l
126525

Which could be the cause?

In Home > Security Center > ModSecurity™ Configuration > Configure Global Directives
I have Connections Engine PROCESS THE RULES
Rules Engine: Process the rules.

And in Home > Security Center > ModSecurity™ Vendors > Manage Vendors
I have:
ConfigServer ON
OWASP CRS v3.x for ModSec 2.9 (via pkg) ON

Thanks,
Francisco
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Mod_security is not blocking

Post by Sergio »

Francisco,
CMC does not block any IP, the one that should block the IP is CSF, check the following options:
[*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = Default: 5 [0-100]
LF_MODSEC_PERM = Default: 1 [0-604800]
Also, in WHM you should check that the ModSecurity option is ENABLED under the /Packages/Feature Manager

Sergio
milhouse
Junior Member
Posts: 5
Joined: 19 May 2018, 05:55

Re: Mod_security is not blocking

Post by milhouse »

Hi, I have checked

WHM > Plugins > ConfigServer Security & Firewall
EDIT CONFIGURATION >

and I see this

LF_MODSEC = 6 Default: 5 [0-100]
LF_MODSEC_PERM = 1 Default: 1 [0-604800]

Also I have enabled ModSecurity in /Packages/Feature Manager

But it still doesnt block me.
in any site for example

https://www.mysite.com/?../../../../etc/passwd

Any other idea?
Thanks,
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Mod_security is not blocking

Post by Sergio »

Yes,
you can create your own CSF rule to block modsecurity attacks.

Please read my post at:
https://forum.configserver.com/viewtopi ... 708#p32708

In that post I wrote a rule that you can use to block ModSec attacks, you will need to write the rules that you want to block and CSF will block the IPs that triggered that rules.

Sergio
milhouse
Junior Member
Posts: 5
Joined: 19 May 2018, 05:55

Re: Mod_security is not blocking

Post by milhouse »

Sergio wrote: 18 Dec 2023, 04:26 Yes,
you can create your own CSF rule to block modsecurity attacks.

Please read my post at:
https://forum.configserver.com/viewtopi ... 708#p32708

In that post I wrote a rule that you can use to block ModSec attacks, you will need to write the rules that you want to block and CSF will block the IPs that triggered that rules.

Sergio
Hi!
I have read your other post.
How do I add those manual rules ? Where do I add them?

Thanks,
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Mod_security is not blocking

Post by Sergio »

You can add rules for CSF on the file:
/usr/local/csf/bin/regex.custom.pm

and after you add your rules you have to restart LFD in order for them to start working.

Be very carful adding rules in there as a bad written rule can make your server down.

Please read CSF readme file to know about this.

Sergio
Post Reply