MODSEC ip not blocked

Posted: 01 Oct 2013, 08:15
by bettinz
Hello,
I've a curious problem (CSF 6.35, cPanel 11.38.2.7):
I can see blocked IPs and rules in the mod security page of WHM, and I can see rules and IPs with ConfigServer ModSec Control (ModSecurity Log with last 20 entries).
So, my system works. Now, I've installed CSF, and these are my settings:
LF_MODSEC = 2
LF_MODSEC_PERM = 1800
MODSEC_LOG = "/usr/local/apache/logs/modsec_audit.log" (restricted UI item)

So, I'm expecting that after 2 blocks with the same IP, the IP is blocked for 1800 seconds. Am I right?

I'm monitoring the situation, and I can see a lot of triggered rules with the same IP, but CSF doesn't see that. I think everyone can try this; I've just built a new server for testing, and it doesn't work, so I think it's a problem with the log parser of CSF.

Can someone help me? Thank you :)

Re: MODSEC ip not blocked

Posted: 01 Oct 2013, 08:31
by ForumAdmin
MODSEC_LOG should be pointed to the Apache error_log file.

Re: MODSEC ip not blocked

Posted: 01 Oct 2013, 08:37
by bettinz
Thanks, but two things:
1) My error_log now doesn't contain anything about mod_security rules (I've just tried with some rules and with my IP. I can see the blocked rules in the mod security page of WHM, but error_log doesn't contain anything about mod_security).
2) The default log for mod_security in cPanel, I think, is modsec_audit.log; this is the reason I've tried with this.

Re: MODSEC ip not blocked

Posted: 01 Oct 2013, 08:43
by ForumAdmin
Then there's something wrong with your ModSecurity logging as, by default, ModSecurity one-line errors are logged to the Apache error_log in cPanel servers and it is those errors that the regexes in regex.pm look for.

Re: MODSEC ip not blocked

Posted: 07 Oct 2013, 18:38
by Sergio
What is the modsec rule number that is not blocked?

There are a few rules that are not blocked by CSF as those are just warnings; rule 377360 is one of them.

Sergio
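
The thread's two points (one-line error_log entries versus the multi-section audit log, and warnings versus denials) can be checked with a small counter. This is an added example, not part of any post and not CSF's code: the pattern is an illustrative stand-in for the regexes in regex.pm, the matcher assumes only "Access denied" lines count, and all log lines, IPs and rule ids are constructed.

```python
import re
from collections import Counter

# Illustrative pattern for a ModSecurity one-line denial in the Apache 2.2
# error_log; an assumption for this sketch, not the regex from CSF's regex.pm.
DENIED = re.compile(
    r'\[client (?P<ip>[0-9a-fA-F.:]+)\] ModSecurity: Access denied '
    r'with code \d+.*?\[id "(?P<rule>\d+)"\]')
LF_MODSEC = 2  # trigger threshold from the first post

def _line(ip, verdict, rule):
    """Build one constructed error_log entry (not real log data)."""
    return ('[Tue Oct 01 08:10:01 2013] [error] [client %s] ModSecurity: %s '
            'Pattern match "x" at ARGS:q. [file "/placeholder/rules.conf"] '
            '[line "10"] [id "%s"] [hostname "example.com"]' % (ip, verdict, rule))

DENY, WARN = "Access denied with code 403 (phase 2).", "Warning."
ERROR_LOG = "\n".join([          # constructed one-line error_log entries
    _line("203.0.113.5", DENY, "900001"),
    _line("203.0.113.5", WARN, "900002"),
    _line("203.0.113.5", DENY, "900001"),
    _line("198.51.100.7", DENY, "900001"),
    _line("198.51.100.9", WARN, "900002"),
    _line("198.51.100.9", WARN, "900002"),
])
AUDIT_LOG = "\n".join([          # constructed modsec_audit.log transaction
    "--a1b2c3d4-A--",
    "[01/Oct/2013:08:10:01 +0200] AAAA 203.0.113.5 51000 192.0.2.10 80",
    "--a1b2c3d4-H--",
    'Message: Access denied with code 403 (phase 2). [id "900001"]',
    "--a1b2c3d4-Z--",
] * 2)                           # same client denied twice

def denials_per_ip(log_text):
    """Count one-line ModSecurity denials per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def ips_to_block(log_text, threshold=LF_MODSEC):
    """IPs whose denial count reaches the threshold."""
    return sorted(ip for ip, n in denials_per_ip(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print("error_log:", ips_to_block(ERROR_LOG))   # denials reach the threshold
    print("audit log:", ips_to_block(AUDIT_LOG))   # nothing matches this format
```

The audit log records the same two denials, but the client address and the message sit on separate lines in different sections, so a one-line matcher never pairs them.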