ConfigServer Community Forum

Sergio wrote: ↑11 Oct 2022, 20:06 To know if the rule is good, I need at least 2 log lines to check the rule.

But as far as I have checked with what you gave, that rule is not good. It takes a lot of time to check, I will never use this rule in my servers.
You have to remember that the server will be checking hundred of log lines in a few minutes and then your rules should be less than 1 or 2 milliseconds to run.

Your rule takes 1,060 steps that uses 5ms to run.

On my servers I have a rule just for ModSecurity that runs faster 712 steps and 1ms:

Code: Select all

^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704)"\]

on the ID you can OR different rules like this:

Code: Select all

^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704|999999|1010101)"\]

 return ("Multi 406 Error",$1,"HTACCESS406","2","80,443","604800");

Sergio wrote: ↑31 Oct 2022, 05:16 Kind of old, but will answer your question:
viewtopic.php?t=676

Sergio wrote: ↑31 Oct 2022, 13:49 For me, as it is a temporary block, it is not saved in any file.
I think that the IP is just added directly to the server iptables, that makes a lot of sense.
So, in CSF you can use the "Temporary IP Entries" to see if there are any and it will show you the IP.

Sergio wrote: ↑31 Oct 2022, 14:20 * ERRATA:
You will only see in "Temporary IP Entries" the ones that you saved in there.
The ones that are created automatically by CSF rules will not be shown in there, sorry my mistake on that statement.