CSF cxs modsecurity trigger HELP please?
Posted: 11 Sep 2019, 05:13
Hello. Well the cxs subforum looks sort of dead so I'll try this as a start, but maybe this is more appropriate for a ticket. I've read all I can stand about this and just am looking for some simple guidance on an IP block rule concerning the following.
I figured out how to tweak IP address blocking for modsecurity hits in CSF which was a huge help! Bear with me though.
OK so this access log entry from some exploiting bot trying to write to /tmp
POST /wp-admin/admin-ajax.php HTTP/1.1" 302
Triggers the modsecurity action logged in apache/error_log:
ModSecurity: Access denied with code 406 (phase 2). File "/tmp/xxx" rejected by the approver script "/etc/cxs/cxscgi.sh": 0 [file "/etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf"] [line "7"] [id "1010101"] [msg "ConfigServer Exploit Scanner (cxs) triggered"] [severity "CRITICAL"] [hostname "xxx.net"] [uri "/wp-admin/admin-ajax.php"] [unique_id "XXhRl7j1eF4u6@7r-Bm42QAAAAU"]
And then the associated IP is banned as seen in lfd.log:
(cxs) cxs mod_security triggered by xx.xx.xx.xx (US/United States/reversedns.xxx): 1 in the last 3600 secs - *Blocked in csf* [LF_CXS]
I get that.
I see the rule in 00_configserver.conf that somehow makes this process work:
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101',msg:'ConfigServer Exploit Scanner (cxs) triggered'"
Ok I'm getting this so far, sort of.
Here is my question.
How can I make a rule or change a setting to automatically block IP addresses for modsecurity hits such as the examples below (so such events are recognized as a modsecurity hit by cxs)?:
ModSecurity: Multipart parsing error: Multipart: No boundaries found in payload. [hostname "xxx.com"] [uri "/wp-admin/admin-post.php"] [unique_id "XXhb3aknKPJexZMvviJ6twAAAAk"]
or
ModSecurity: Internal error: REQUEST_BODY phase incomplete for input filter in phase 1 [hostname "xxx.com"] [uri "/index.php"] [unique_id "XXhb3aknKPJexZMvviJ6twAAAAk"]
or
ModSecurity: Multipart parsing error: Multipart: Invalid Content-Disposition header (-10): form-data; name="file_upload"; filename="xxx.php. [hostname "www.xxx.org"] [uri "/index.php"] [unique_id "XXZQZTIJ41lQHEVztUTpiwAAABo"]
That is my question. Any help or guidance is appreciated. I'm happy to pay for help with this. Getting a lot of injection/exploit attempts from bots using these and similar strategies that I'd like to reduce with IP blocks.
Does a commercial product like the Atomic ModSecurity rules cover things like this, and allow for a cxs trigger and CSF IP block? Or not.
Sorry for my poor understanding of this.
Thanks so much!!
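An added example, not from the original post or from ConfigServer: the multipart parse errors quoted above never become "Access denied" lines because no rule denies on them, so lfd has nothing to count. The usual fix is a ModSecurity rule that denies whenever the request-body parser reports a failure (the standard REQBODY_ERROR / MULTIPART_STRICT_ERROR variables, the same ones modsecurity.conf-recommended uses), which makes them ordinary mod_security hits for CSF's LF_MODSEC trigger rather than cxs hits. The rule ids are placeholders assumed to be unused on your server, and LF_MODSEC in csf.conf is assumed non-zero.

```apache
# Added example, not ConfigServer's config: put this in a custom ModSecurity
# include loaded after 00_configserver.conf. Ids 9100001-9100003 are
# placeholders; pick ids that are free on your server.

# Body access is already required for the cxs FILES_TMPNAMES rule, and it is
# also what populates REQBODY_ERROR when parsing fails.
SecRequestBodyAccess On

# Any request-body parse failure (this is what produces "Multipart parsing
# error: Multipart: No boundaries found in payload" and "Invalid
# Content-Disposition header") sets REQBODY_ERROR to 1. Denying on it makes
# ModSecurity write "Access denied with code 400" to error_log, which lfd's
# LF_MODSEC counter treats like any other mod_security deny.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'9100001',\
    phase:2,\
    t:none,\
    log,auditlog,deny,status:400,severity:2,\
    msg:'Request body parse failure',\
    logdata:'%{reqbody_error_msg}'"

# Multipart bodies that parse but break strict rules (unquoted or whitespace
# boundary, data before/after the parts, folded headers, invalid parts).
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'9100002',\
    phase:2,\
    t:none,\
    log,auditlog,deny,status:400,severity:2,\
    msg:'Multipart body failed strict validation',\
    logdata:'PE %{REQBODY_PROCESSOR_ERROR} BQ %{MULTIPART_BOUNDARY_QUOTED} \
IP %{MULTIPART_INVALID_PART} IH %{MULTIPART_INVALID_HEADER_FOLDING}'"

# A boundary-looking line in the body that does not match the declared one.
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
    "id:'9100003',\
    phase:2,\
    t:none,\
    log,auditlog,deny,status:400,severity:2,\
    msg:'Multipart parser detected an unmatched boundary'"
```

After an Apache restart a matching request shows up in error_log as "ModSecurity: Access denied with code 400 ... [id "9100001"]" and, with LF_MODSEC enabled, as a (mod_security) block in lfd.log rather than an LF_CXS one. The "Internal error: REQUEST_BODY phase incomplete" line is not a body parse error and is not matched by these rules.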