Trigger csf to block IP based on modsec custom rule
Posted: 16 Sep 2024, 20:31
Hello,

I created a custom modsec rule that returns a 403 status code if there is a SQL injection attempt. I want csf to block the IP that is triggering this rule by monitoring the log that modsec is writing to, but it isn't blocking it at all.

The log came up as either /usr/local/apache/error_log or /var/log/apache2/error_log, so in csf.conf I specified MODSEC_LOG to be /var/log/apache2/error_log, and in /etc/csf/regex.custom.pm I added the following lines:

    # Match a ModSecurity "Access denied" line in the log file configured as MODSEC_LOG
    # and capture the address that follows "[client ".
    if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /\[client (\S+)\] ModSecurity: Access denied with code \d+/)) {
        # Strip the IPv4-mapped IPv6 prefix so "::ffff:1.2.3.4" becomes "1.2.3.4".
        $ip = $1; $acc = ""; $ip =~ s/^::ffff://;
        # Only hand the address to csf if it passes csf's own IP validation.
        if (&checkip($ip)) {
            return ("mod_security triggered by", "$ip|$acc", "mod_security");
        } else {
            return;
        }
    }

Also in csf.conf I modified these two values:

    LF_MODSEC = 5
    LF_MODSEC_PERM = 1

This is a sample line from the error log:

    [Mon Sep 16 15:58:21.985553 2024] [security2:error] [pid 2443232:tid 2443398] [remote remote_ip:60395] [client remote_ip] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|--|OR|AND|FROM|WHERE|HAVING|1=1)\\\\b" at ARGS:id. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "3"] [id "10000000"] [msg "SQL Injection Attempt Detected in Parameters or URI"] [hostname "HOSTNAME"] [uri "/index.php"] [unique_id "ZugrbZGyKRlvLTJSUAnqiQABExY"]

And this is the custom rule:

    SecRule ARGS|REQUEST_URI "@rx \b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|--|OR|AND|FROM|WHERE|HAVING|1=1)\b" \
        "id:10000000,phase:2,deny,status:403,log,auditlog,msg:'SQL Injection Attempt Detected in Parameters or URI'"

What could I change or improve so it will work?

Thank you,
Best Regards
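The following is an added, stand-alone example (not code from the post or from csf) that replays the post's log-matching logic over constructed error_log lines, so the regex and the IP handling can be checked outside csf. The `[client ...]` capture and the `::ffff:` stripping mirror the post's Perl; the `:port` stripping, the address validation (standing in for csf's checkip) and the per-IP count against the LF_MODSEC value of 5 are assumptions of this example, and the count ignores the time window csf applies. The addresses are constructed, since the post's sample line has the client address redacted as `remote_ip`.

```python
import re
import ipaddress
from collections import Counter

# Same pattern as the post's regex.custom.pm rule; Python re and Perl agree on this syntax.
MODSEC_DENY = re.compile(r"\[client (\S+)\] ModSecurity: Access denied with code \d+")


def extract_client_ip(line):
    """Return the offending client IP from a ModSecurity 'Access denied' line, else None."""
    m = MODSEC_DENY.search(line)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith("::ffff:"):          # mirrors the post's s/^::ffff://
        raw = raw[len("::ffff:"):]
    # Assumption added here: Apache 2.4 may log '[client 203.0.113.10:54321]', so fall back
    # to the text before the last ':' if the whole token is not a valid address. A redacted
    # token such as 'remote_ip' fails both attempts, just as csf's checkip() would reject it.
    for candidate in (raw, raw.rsplit(":", 1)[0]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def ips_to_block(lines, threshold):
    """Count deny lines per client IP and return the IPs that reached LF_MODSEC (threshold)."""
    hits = Counter(ip for ip in map(extract_client_ip, lines) if ip)
    return {ip for ip, n in hits.items() if n >= threshold}


def deny_line(client):
    # Constructed sample in the layout of the post's error_log line (some fields shortened).
    return ("[Mon Sep 16 15:58:21.985553 2024] [security2:error] [pid 2443232:tid 2443398] "
            f"[client {client}] ModSecurity: Access denied with code 403 (phase 2). "
            '[id "10000000"] [msg "SQL Injection Attempt Detected in Parameters or URI"]')


# Constructed log: five denies from one address, one IPv4-mapped address with a port,
# one redacted address, and an unrelated notice line that must not match.
SAMPLE_LOG = [deny_line("203.0.113.10")] * 5 + [
    deny_line("::ffff:198.51.100.7:60395"),
    deny_line("remote_ip"),
    "[Mon Sep 16 15:58:22.000000 2024] [core:notice] [pid 2443232] AH00094: Command line: 'httpd'",
]

if __name__ == "__main__":
    print("would block with LF_MODSEC = 5:", ips_to_block(SAMPLE_LOG, 5))
```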