IPs not being blocked for ModSec

Posted: 02 May 2014, 16:36
by sahostking
Hi all,

Need some advice.

LF_MODSEC = 5
LF_MODSEC_PERM = 300

LF_CXS = 1
LF_CXS_PERM = 300

I have the following settings and have Modsecurity, CXS and CSF installed though IPs are not being blocked after 5 ModSec hits:

[Fri May 02 17:30:50.588560 2014] [:error] [pid 792706:tid 139737910183680] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6KsXyRKIADBiCq4UAAAAN"]
[Fri May 02 17:30:51.648957 2014] [:error] [pid 792183:tid 139737926969088] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6K8XyRKIADBZ3l0wAAAML"]
[Fri May 02 17:30:52.616888 2014] [:error] [pid 796098:tid 139737876612864] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6LMXyRKIADCXC-loAAABR"]
[Fri May 02 17:30:53.655044 2014] [:error] [pid 792706:tid 139738093782784] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6LcXyRKIADBiCq4YAAAAA"]
[Fri May 02 17:30:54.728123 2014] [:error] [pid 885056:tid 139738076997376] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6LsXyRKIADYFAATsAAACC"]
[Fri May 02 17:30:55.788726 2014] [:error] [pid 792159:tid 139737851434752] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6L8XyRKIADBZfqTkAAALU"]
[Fri May 02 17:30:56.800308 2014] [:error] [pid 792238:tid 139737885005568] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6MMXyRKIADBaudysAAAOQ"]
[Fri May 02 17:30:57.752589 2014] [:error] [pid 796098:tid 139737960539904] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6McXyRKIADCXC-lsAAABH"]
[Fri May 02 17:30:58.714627 2014] [:error] [pid 792159:tid 139737885005568] [client 103.22.182.252] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] [hostname "domainname"] [uri "/wp-login.php"] [unique_id "U2O6MsXyRKIADBZfqToAAALQ"]

Any ideas?

Re: IPs not being blocked for ModSec

Posted: 05 May 2014, 19:01
by Sergio
Your triggered modsecurity rules are only "WARNINGS" and CSF will not block those rules.

You will need to create your own REGEX to block rule 377360 and a few others that are warnings as well.

Re: IPs not being blocked for ModSec

Posted: 23 Jun 2014, 20:14
by Dejan
We have thousands of those login warnings per hour, and I always thought that CSF/LFD should block those repeated warnings. I just found out that all those login attempts are ignored by LFD, but they are actually very important!

Does anyone have a custom regex for this?

Re: IPs not being blocked for ModSec

Posted: 27 Jun 2014, 11:01
by index
I have the same problem. Rule 377360 is a BotNet brute force attack on wp-login.php (WordPress) and rule 377304 is a BotNet brute force attack on administrator/index.php (Joomla).

I contacted Atomicorp support and they said that I should contact ConfigServer support or buy their Atomic Secured Linux.

This is an example of the asl_brute.conf rules from Atomicorp:

#joomla
#Use a valid username and password to gain access to the Administrator Back-end
# Phase 4 (response body): the Joomla failure text means the login attempt failed.
# The action is "pass" (no "deny"), so this rule only logs and never returns a 406.
SecRule RESPONSE_BODY "(?:<li>Username and password do not match|Use a valid username and password to gain access to the Administrator Back-end)" \
"phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp WAF Rules - Login Failure Detection: Joomla Administration system Login Attempt Failure ',id:'377304',rev:2,severity:'4',tag:'no_ar'"

#wordpress
# Chained rule: a POST to /wp-login.php that still gets a 200 response is a failed
# login (a successful login redirects instead). Logged in phase 5, again with "pass".
<LocationMatch /wp-login.php>
SecRule REQUEST_METHOD "@streq POST" \
"phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule RESPONSE_STATUS "200" "t:none"
</LocationMatch>
# Separate rule from the same file: on port 30000 skip ahead to the END_BRUTE_OUT_1
# marker (the marker itself is not included in this excerpt).
SecRule SERVER_PORT "@streq 30000" phase:4,id:339854,pass,t:none,nolog,skipAfter:END_BRUTE_OUT_1

Please help! How do I block BotNet brute force attack IP addresses in CSF?

Re: IPs not being blocked for ModSec

Posted: 27 Jun 2014, 21:05
by Sergio
The only way to block those rules is to write your own regex rule and add it to regex.custom.pl.

CSF is not blocking those rules as ASL marked them as a "warning" only, i.e. the error reported by that rule is a 200 instead of a 406, so csf doesn't block it.

To customers who buy the ASL subscription rules from me, I provide that regex rule free of charge.
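Added example (not code from this thread, from CSF or from Atomicorp) illustrating why LF_MODSEC never fires here and what a custom counter for rule 377360/377304 has to do: match the client IP and rule id in the Apache error-log line, count hits per IP, and block at the threshold. The pattern uses numbered groups only, so it can be carried into a Perl regex.custom.pl entry; the rule id 999999, the sample addresses and the log lines are constructed.

```python
import re
from collections import defaultdict

# Apache error-log line written by ModSecurity for a rule hit: capture the client IP
# and the rule id. Numbered groups only, so the pattern also works unchanged in Perl.
MODSEC_HIT = re.compile(
    r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] ModSecurity: '
    r'(?:Warning|Access denied[^.]*)\..*\[id "(\d+)"\]'
)

# Rule ids from the thread that log only a WARNING (the response is a 200, not a 406)
# but mean a failed login: 377360 = WordPress wp-login.php, 377304 = Joomla admin.
LOGIN_FAILURE_RULES = {"377360", "377304"}


def parse_hit(line):
    """Return (client_ip, rule_id) for a ModSecurity hit line, or None."""
    m = MODSEC_HIT.search(line)
    return (m.group(1), m.group(2)) if m else None


def find_blocks(lines, threshold=5, rules=LOGIN_FAILURE_RULES):
    """Count hits per IP for the given rules (what LF_MODSEC does only for 'Access
    denied' lines) and return the IPs that reached the threshold, in that order."""
    counts = defaultdict(int)
    blocked = []
    for line in lines:
        hit = parse_hit(line)
        if hit is None or hit[1] not in rules:
            continue
        counts[hit[0]] += 1
        if counts[hit[0]] == threshold:
            blocked.append(hit[0])
    return blocked


def sample_line(ip, rule_id):
    """Constructed log line in the shape of the entries quoted in the thread (not real traffic)."""
    return ('[Fri May 02 17:30:50.588560 2014] [:error] [pid 1:tid 1] [client %s] '
            'ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. '
            '[file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] '
            '[id "%s"] [rev "2"] [msg "Login Failure Detection"] [severity "WARNING"] '
            '[tag "no_ar"] [hostname "example"] [uri "/wp-login.php"]' % (ip, rule_id))


# Constructed sample: six WordPress failures from one address, two Joomla failures from
# another, and one hit on an unrelated placeholder rule id (999999) from a third.
SAMPLE_LOG = ([sample_line("203.0.113.5", "377360")] * 6
              + [sample_line("198.51.100.9", "377304")] * 2
              + [sample_line("192.0.2.77", "999999")])

if __name__ == "__main__":
    for ip in find_blocks(SAMPLE_LOG, threshold=5):
        print("would block %s (LF_MODSEC-style threshold reached)" % ip)
```

With the thread's LF_MODSEC = 5 only the first address reaches the threshold; the WARNING lines are otherwise invisible to LFD because it keys on "Access denied".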

Re: IPs not being blocked for ModSec

Posted: 08 Feb 2015, 13:06
by funmaking
Hello,

I have the same problem, but in my case none of the Atomic rules is triggered in CSF. No IPs are being blocked (errors and warnings).

How could I enable automatic blocking of those IPs?
I have enabled the LF_MODSEC options in CSF and CXS is enabled too.

Thank you