ModSec events not triggering CSF blocks (updated)
Posted: 16 Nov 2023, 16:27
Hi all
Updated post after further investigation.
It looks like CSF has not been blocking IPs based on ModSec events for over 30 days, at least. This is across two WHM CentOS servers.
LFD Stats only show CT_LIMIT, LF_DISTATTACK, and LF_PERMBLOCK_CONT triggers, but no LF_MODSEC events in the last 30 days.
ModSec looks like it's doing what it should, and I can see the usual events. There's been an increase in ModSec events, and I'm assuming this is because they have not been picked up by CSF.
Any advice on how to debug this? What areas should I investigate?