
Plz help How to block User-agent by Modsecurit with CSF

Posted: 07 Apr 2017, 11:52
by manhclhd
:( Specs:

- DDoS from Facebook

- User-agent

173.252.124.57 - - [07/Apr/2017:17:36:47 +0700] "GET / HTTP/1.1" 444 13710 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
OS: Cloudlinux 6
Panel: Directadmin Custombuild 2.0


Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Log in the ModSecurity audit log:

--64513437-H--
Message: Access denied with code 444 (phase 1). Pattern match "externalhit_uatext" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity.d/manh.conf"] [line "1"] [id "1993"]
Action: Intercepted (phase 1)
Stopwatch: 1491562247538072 750 (- - -)
Stopwatch2: 1491562247538072 750; combined=26, p1=21, p2=0, p3=0, p4=0, p5=5, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/).
Server: Apache/2
Engine-Mode: "ENABLED"
My Problem:
- When I test with the user agent "Linux", csf blocks my IP (triggered by ModSecurity) but only one time; after I remove the IP and test again, csf does not block.
- I block the Facebook User-agent with ModSecurity; ModSecurity blocks it, but csf DOES NOT work, DOES NOT block anything.
- I'm too tired to find the issue.

What is wrong with my config?

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 09 Apr 2017, 00:18
by Sergio
How is the Mod_Security option configured in csf?

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 09 Apr 2017, 09:32
by msfh
I don't know what really is the best solution for this issue.
Mod_security blocking Googlebot is a "false positive", and usually those are fixed by creating an exception. As has been suggested you could "whitelist" Googlebot by its User-Agent, but that would open a hole for anyone using a fake Googlebot User-Agent.

If you want to know what mod_security is and how it works you should start reading for ex. here:
https://github.com/SpiderLabs/ModSe...s ... odSecurity

CSF/LFD reads, if configured so, the mod_security log file, and when it sees that one IP has been blocked LF_MODSEC times in 5 minutes it blocks the IP, either permanently or temporarily.
So it works like this: mod_security is blocking something, in this case Googlebot; CSF/LFD sees those blocks in the mod_security log, and blocks the IP used in the firewall.
In this case, mod_security is not blocking Googlebot because it is Googlebot, but because Googlebot is doing something that seems suspicious. If you can't prevent mod_security from doing that, you should at least make sure that Googlebot is not blocked permanently.
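The count-and-block logic described above (denials per IP counted against LF_MODSEC inside a five-minute window), as an added Python example that is not code from this thread or from csf/lfd itself. It parses a constructed ModSecurity 2.x audit log (the A and H parts, matching the format quoted in the first post) and assumes that layout, the 5-minute window, and a sliding-window count; lfd's real parser is not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
LF_MODSEC = 5          # the thread's csf.conf value
WINDOW_SECONDS = 300   # the 5-minute window described above
BOUNDARY_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')      # "--txid-A--" part headers
A_RE = re.compile(r'^\[([^\]]+)\] \S+ (\S+) \d+ \S+ \d+$')   # [timestamp] txid client_ip port server_ip port
DENY_RE = re.compile(r'^Message: Access denied with code (\d+)')

def make_tx(txid, ts, ip, code=None):
    """Constructed ModSecurity 2.x audit-log transaction (A, H, Z parts); code=None means allowed."""
    msg = f'Message: Access denied with code {code} (phase 1). [id "1993"]\n' if code else ''
    return (f'--{txid}-A--\n[{ts}] {txid} {ip} 51234 10.0.0.1 80\n'
            f'--{txid}-H--\n{msg}--{txid}-Z--\n')

# Constructed sample: 6 denials from one IP within 5 seconds, 3 denials from another
# spread over 20 minutes, and one allowed request (addresses are sample values).
SAMPLE_AUDIT_LOG = ''.join(
    [make_tx(f'{i:08x}', f'07/Apr/2017:17:36:{47 + i} +0700', '173.252.124.57', 444) for i in range(6)]
    + [make_tx(f'1{i:07x}', f'07/Apr/2017:17:{30 + 10 * i}:00 +0700', '203.0.113.9', 403) for i in range(3)]
    + [make_tx('deadbeef', '07/Apr/2017:17:40:00 +0700', '198.51.100.4')])

def parse_transactions(text):
    """Return a list of (timestamp, client_ip, denied) tuples, one per audit-log transaction."""
    txs, order, cur_id, cur_part = {}, [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            cur_id, cur_part = m.groups()
            if cur_id not in txs:
                txs[cur_id] = {'ts': None, 'ip': None, 'denied': False}
                order.append(cur_id)
        elif cur_part == 'A' and (m := A_RE.match(line)):
            txs[cur_id]['ts'] = datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')
            txs[cur_id]['ip'] = m.group(2)
        elif cur_part == 'H' and DENY_RE.match(line):
            txs[cur_id]['denied'] = True
    return [(txs[i]['ts'], txs[i]['ip'], txs[i]['denied']) for i in order]

def ips_exceeding(events, limit=LF_MODSEC, window=WINDOW_SECONDS):
    """IPs with at least `limit` denials inside any `window`-second span, in the order they crossed it."""
    recent, flagged = defaultdict(deque), []
    for ts, ip, denied in sorted(events):
        if not denied:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop denials older than the window
            q.popleft()
        if len(q) >= limit and ip not in flagged:
            flagged.append(ip)
    return flagged
```

One caveat worth checking against the first post: csf's default MODSEC_LOG is the web server's error log, where lfd matches "ModSecurity: Access denied" lines that carry the client IP, rather than the multi-part audit log parsed here.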

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 09 Apr 2017, 14:53
by Sergio
msfh wrote: 09 Apr 2017, 09:32 I don't know what really is the best solution for this issue.
Mod_security blocking Googlebot is a "false positive", and usually those are fixed by creating an exception. As has been suggested you could "whitelist" Googlebot by its User-Agent, but that would open a hole for anyone using a fake Googlebot User-Agent.

If you want to know what mod_security is and how it works you should start reading for ex. here:
https://github.com/SpiderLabs/ModSe...s ... odSecurity

CSF/LFD reads, if configured so, the mod_security log file, and when it sees that one IP has been blocked LF_MODSEC times in 5 minutes it blocks the IP, either permanently or temporarily.
So it works like this: mod_security is blocking something, in this case Googlebot; CSF/LFD sees those blocks in the mod_security log, and blocks the IP used in the firewall.
In this case, mod_security is not blocking Googlebot because it is Googlebot, but because Googlebot is doing something that seems suspicious. If you can't prevent mod_security from doing that, you should at least make sure that Googlebot is not blocked permanently.
You can add Google's range of IPs to your Allowed IP list; that way, if Mod_Security blocks Googlebot the IP will not be blocked, and if it is someone impersonating Googlebot it will be blocked by CSF.

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 10 Apr 2017, 03:06
by manhclhd
Sergio wrote: 09 Apr 2017, 00:18 How is the Mod_Security option configured in csf?
Csf Config:
LF_CXS = 1
LF_CXS_PERM = 1
LF_MODSEC = 5
MODSEC_LOG = /var/log/httpd/modsec_audit.log
LDF On

Can you see it?

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 10 Apr 2017, 05:15
by Sergio
When testing, have you tried 5+ times to see if your IP was blocked?

Re: Plz help How to block User-agent by Modsecurit with CSF

Posted: 10 Apr 2017, 06:10
by manhclhd
Sergio wrote: 10 Apr 2017, 05:15 When testing, have you tried 5+ times to see if your IP was blocked?
I tried many, many times, 100+ times, but it still does not work!