CSF + ModSec not working

tp3580
Junior Member
Posts: 2
Joined: 23 Jan 2025, 20:53

CSF + ModSec not working

Post by tp3580 »

I am running a WHM/CloudLinux 8 based dedicated server that has both ModSecurity and CSF/LFD (v14.22) installed.

Despite being set up correctly as far as I can see, CSF is neither temporarily nor permanently blocking any repeat-offender IPs recorded by ModSec in the server's main error_log.

I can see lots of IP entries and rules matches in WHM > ModSecurity > Tools so I know ModSec is working. Corresponding entries are appearing in /usr/local/apache/logs/error_log like this example:

Code:

[Thu Jan 23 20:58:01.284592 2025] [security2:error] [pid 467219:tid 467338] [remote 66.220.149.4:40698] [client 66.220.149.4] ModSecurity: Access denied with code 406 (phase2). Matched phrase "Meta-ExternalAgent" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "15"] [id "350001"] [rev "1"] [msg "BAD BOT - Detected and Blocked."] [severity "CRITICAL"] [hostname "www.somewebsite.com"] [uri "/products/2421/"] [unique_id "Z5KtWZfRiCZ-raqc1k6EFgAAwQw"]

In csf.conf I have:

LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"

As a last resort before posting here I have tried adding the following to regex.custom.pm:

Code:

# Custom mod_security rule for /usr/local/csf/bin/regex.custom.pm (first attempt).
# Note: (client|remote) here is a capturing group, so $4 holds the word "client"/"remote"
# and the address itself lands in $5; checkip() then rejects "$ip" and nothing is blocked.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[(client|remote) \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;                              # strip IPv4-mapped IPv6 prefix
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}       # drop ":port" from an IPv4:port string
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        # return: description, ip, identifier, trigger count, ports, block time ("1" = permanent, else seconds)
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","4","80,443","1")} else {return}
}

What am I missing? Any advice would be greatly appreciated.
tp3580
Junior Member
Posts: 2
Joined: 23 Jan 2025, 20:53

Re: CSF + ModSec not working

Post by tp3580 »

Replying to my ignorant self here in the hope it guides someone else in the right direction one day.

I have tweaked my custom regex to the following:

Code:

# Corrected custom mod_security rule for /usr/local/csf/bin/regex.custom.pm.
# (?:client|remote) is non-capturing, so $4 is now the address from the second
# "[client ...]" block, whichever word Apache used in the first one.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[(?:client|remote) \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;                              # strip IPv4-mapped IPv6 prefix
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}       # drop ":port" from an IPv4:port string
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        # trigger after 3 matches, block ports 80,443 for 3600 seconds (temporary block)
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","3","80,443","3600")} else {return}
}

The reason for adding this is that I don't think the default mod_security regexes successfully match if the error_log entries contain 'remote' instead of 'client' in the first IP string.

Adding this has finally started getting hits against custom modsec rules I have enabled to block AI user-agents such as meta-externalagent, which has been relentlessly attacking my server this past week.

I've also spotted that in my CSF settings the LF_TRIGGER was set at 5 and the LF_TRIGGER_PERM at 600. Reverting these to defaults (0 and 1 respectively) seems to have improved matters and I'm now seeing some temp bans corresponding to the custom regex settings.
navyblue
Junior Member
Posts: 7
Joined: 27 Jan 2021, 08:05

Re: CSF + ModSec not working

Post by navyblue »

Thanks very, very much for sharing this.

To implement this, do I simply:
1.) add this to /usr/local/csf/bin/regex.custom.pm
2.) set Custom1 log to /usr/local/apache/logs/error_log

I noticed tonight that I had one mod_security trigger an LFD IP block where their IP appears as [client IP:42846] [client IP]:

Code:

[Sun Feb 16 03:15:05.494455 2025] [security2:error] [pid 10948:tid 11095] [client 106.53.21.55:42846] [client 106.53.21.55] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^0?$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "8"] [id "1234123443"] [msg "GET or HEAD requests with bodies"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/EVASION"] [hostname "mydomain.com"] [uri "/vendor/phpunit/Util/PHP/eval-stdin.php"] [unique_id "Z7GciTJ_322UWSvJK6eNngAAAdE"]

But, even with the above in place, I'm not able to make CSF/LFD block based on loading my own domain with /etc/passwd, even though mod_security shows 50+ hits under ModSecurity Tools in WHM.

The following in /usr/local/apache/logs/error_log is not causing CSF/LFD to block the test IP, despite my attempt to put the above custom rule in place; here my test IP shows as [remote IP:15462] [client IP]:

Code:

[Sun Feb 16 03:19:42.297796 2025] [security2:error] [pid 11069:tid 11137] [remote 193.42.0.253:15462] [client 193.42.0.253] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:this. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "144"] [id "1234123401"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "mydomain.com"] [uri "/"] [unique_id "Z7GdnhWlmsy6xeabDRvSxwACRhM"]

Any ideas on what I am missing? Many thanks in advance.
navyblue
Junior Member
Posts: 7
Joined: 27 Jan 2021, 08:05

Re: CSF + ModSec not working

Post by navyblue »

OK, I searched the forum quite a bit, and found this older post
viewtopic.php?t=9951

I modified it, changing [client \S+:\S+\] \[client (\S+)\] to [remote \S+:\S+\] \[client (\S+)\]:

Code:

# Custom mod_security rule for /usr/local/csf/bin/regex.custom.pm, adapted from viewtopic.php?t=9951.
# This version only matches lines whose first bracket is "[remote ip:port]"; the "[client ip:port]"
# form is left to CSF's stock regex. The literal "remote" adds no capture, so $4 is the address.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[remote \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;                              # strip IPv4-mapped IPv6 prefix
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}       # drop ":port" from an IPv4:port string
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        # trigger on the first match, block ports 80,443 permanently ("1")
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}

I'm not sure why this works and the code in post 2 doesn't work for me.
navyblue
Junior Member
Posts: 7
Joined: 27 Jan 2021, 08:05

Re: CSF + ModSec not working

Post by navyblue »

It looks like I do not need to specify the Custom1 log for this. I wasn't sure whether I needed to specify the Custom1 log to get regex.custom.pm to scan, but it seems that is not necessary for this to function.

I must not have had the syntax correct from post 2 in my first attempt: [(?:client|remote) \S+:\S+\]

HTTP/2 is new to me. Mysteriously, when I started testing 4 hours ago, csf/lfd worked without anything custom as my test IP showed as [client IP:12345], but after that first time it started showing as [remote IP:12345] with no changes to the IP, connection or Apache settings. I'm curious: what determines whether it gets logged as client or remote now in the Apache error log?
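An added, stand-alone harness (not from this thread and not part of CSF) that exercises the corrected regex from post 2 against a few constructed error_log lines, so the [client ...], [remote ...] and IPv4-mapped IPv6 cases can be checked before the rule goes into regex.custom.pm, and that shows why the post 1 version and navyblue's first attempt stayed silent: with (client|remote) as a capturing group, $4 holds the word rather than the address. checkip is a minimal stand-in for CSF's helper, the $config/$globlogs guards are omitted, and the IPs are documentation addresses. On the closing question: my understanding is that httpd's default error-log format writes [remote ip:port] for requests carried on HTTP/2 stream sub-connections and [client ip:port] otherwise; that is an assumption worth confirming against your httpd version, and the harness matches both forms regardless.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness for the CSF regex.custom.pm mod_security rule
# discussed in this thread. Not part of CSF; run it with plain perl to see what
# LFD would be handed for each line. Sample lines and IPs below are constructed.
use strict;
use warnings;

# Minimal stand-in for CSF's checkip(): takes a reference, returns 1 for a
# plausible IPv4 or IPv6 address, 0 otherwise (CSF's own version is stricter).
sub checkip {
    my $ip = ${ $_[0] };
    if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
        return (grep { $_ > 255 } ($1, $2, $3, $4)) ? 0 : 1;
    }
    return ($ip =~ /^[0-9a-f:]+$/i && $ip =~ /:/) ? 1 : 0;
}

# Corrected pattern from post 2: (?:client|remote) is non-capturing, so $4 is the
# address from the second "[client ...]" block whichever word the first block uses.
my $fixed_re = qr/^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[(?:client|remote) \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/;

# Post 1 pattern: (client|remote) captures, so $4 is "client"/"remote" and the
# address is pushed to $5. checkip() rejects the word and LFD never blocks.
my $buggy_re = qr/^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[(client|remote) \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/;

# Same body as the regex.custom.pm rule, minus the $config/$globlogs guards.
# Returns the CSF tuple: (description, ip, identifier, trigger, ports, block time),
# where block time is seconds for a temporary block or "1" for a permanent block.
sub modsec_match {
    my ($line) = @_;
    return unless $line =~ $fixed_re;
    my $ip = $4;
    $ip =~ s/^::ffff://;                               # strip IPv4-mapped IPv6 prefix
    if (split(/:/, $ip) == 2) { $ip =~ s/:\d+$// }     # drop ":port" from an IPv4:port string
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) { $ruleid = $1 }
    return unless checkip(\$ip);
    return ("mod_security (id:$ruleid) triggered by", $ip, "mod_security-custom", "3", "80,443", "3600");
}

# What the post 1 pattern leaves in $4 for the same line (undef if it does not match).
sub buggy_fourth_capture {
    my ($line) = @_;
    return $line =~ $buggy_re ? $4 : undef;
}

# Constructed error_log lines: HTTP/2-style [remote ...], classic [client ...],
# an IPv4-mapped IPv6 address, and a ModSecurity warning that must NOT block.
my @samples = (
    '[Thu Jan 23 20:58:01.284592 2025] [security2:error] [pid 467219:tid 467338] [remote 192.0.2.10:40698] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Matched phrase "Meta-ExternalAgent" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "15"] [id "350001"] [msg "BAD BOT - Detected and Blocked."] [hostname "www.example.com"] [uri "/products/1/"]',
    '[Sun Feb 16 03:15:05.494455 2025] [security2:error] [pid 10948:tid 11095] [client 203.0.113.7:42846] [client 203.0.113.7] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^0?$" against "REQUEST_HEADERS:Content-Length" required. [id "1234123443"] [msg "GET or HEAD requests with bodies"] [hostname "example.com"] [uri "/"]',
    '[Sun Feb 16 03:20:00.000000 2025] [security2:error] [pid 10948:tid 11096] [remote ::ffff:198.51.100.5:5050] [client ::ffff:198.51.100.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/" at ARGS:this. [id "1234123401"] [msg "Remote File Access Attempt"] [hostname "example.com"] [uri "/"]',
    '[Sun Feb 16 03:21:00.000000 2025] [security2:warn] [pid 10948:tid 11097] [client 203.0.113.9:1000] [client 203.0.113.9] ModSecurity: Warning. Pattern match "select" at ARGS:q. [id "999"] [msg "detection only"] [hostname "example.com"] [uri "/"]',
);

for my $line (@samples) {
    my @r = modsec_match($line);
    if (@r) {
        printf "BLOCK   %-18s trigger=%s ports=%s block=%ss  %s\n", $r[1], $r[3], $r[4], $r[5], $r[0];
    } else {
        printf "IGNORE  %s...\n", substr($line, 0, 70);
    }
}

# Demonstrate the capture-group mistake from post 1 on the [remote ...] line.
my $word = buggy_fourth_capture($samples[0]);
printf "post-1 pattern would pass \"%s\" to checkip(), which returns %d\n", $word, checkip(\$word);
```

Run it with `perl modsec_harness.pl`; the three "Access denied" lines should come back as BLOCK with the bare address (the ::ffff: prefix stripped on the third), the warning line as IGNORE, and the final line shows the post 1 pattern handing "remote" to checkip(). To test against your own server, paste real lines from /usr/local/apache/logs/error_log into @samples; lfd itself only runs the rule on files listed in MODSEC_LOG because of the $globlogs{MODSEC_LOG}{$lgfile} guard, which is why no Custom1 log entry is needed.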