CSF no longer blocking mod_security

Posted: 30 Sep 2014, 21:53
by JulesR
Using Litespeed 4.2.16. Excerpts of our /usr/local/apache/logs/error_log:

[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:10 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:11 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:12 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:13 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 104.128.231.3] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
[modsecurity] [Tue Sep 30 20:43:14 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
CSF/LFD is not blocking them. No errors are logged in /var/log/lfd.log; these entries are just seemingly ignored. Our logging format hasn't changed at all, has anything changed in LFD/CSF recently?

I've checked and this is the same behaviour on all of our servers. The only things that have changed are the recent BASH updates (which should not be relevant or related) and a recent Litespeed update.

Re: CSF no longer blocking mod_security

Posted: 30 Sep 2014, 22:07
by ForumAdmin
The regexes and csf provide no support for litespeed. However, if you ignore that odd initial [modsecurity] on the log line, then this line, which resembles a correct Apache log line:

[Tue Sep 30 20:43:09 2014] [error] [client 95.211.131.148] ModSecurity: Access denied with code 403, [Rule: 'user:bf_block' '@gt 0'] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
does indeed trigger the regex:

Sep 30 22:05:47 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 1 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 2 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[166750]: debug: mod_security (id:5000135) triggered by 95.211.131.148 - 3 failure(s) in the last 3600 secs
Sep 30 22:05:52 homer lfd[169869]: (mod_security) mod_security (id:5000135) triggered by 95.211.131.148 (NL/Netherlands/-/-/LLNH007.local): 3 in the last 3600 secs - *Blocked in csf* for 666 secs [LF_MODSEC]

Re: CSF no longer blocking mod_security

Posted: 30 Sep 2014, 22:09
by JulesR
That's correct; I just noticed the recent Litespeed update prepended "[modsecurity]" to the start of these lines.

I've reported this issue to Litespeed: http://www.litespeedtech.com/support/fo ... _log.9904/

In the meantime, in case Litespeed take a long time to release a fix, could you please perhaps add this as an alternative regex?
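
As an added illustration (not code from the thread, from csf or from LiteSpeed), the following Python replays the check lfd performs on lines like the ones above: an Apache-style regex modelled on the log format (an assumption, not csf's actual expression from regex.pm) sits beside a variant that tolerates the "[modsecurity] " prefix, and a sliding-window counter stands in for the LF_MODSEC threshold. The default of 3 hits in 3600 seconds mirrors the debug output quoted earlier; the sample lines are constructed from the thread's excerpt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern modelled on the Apache error_log line that lfd's mod_security check
# expects (an assumption made here; it is not csf's own regex from regex.pm).
APACHE_MODSEC = re.compile(
    r'^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[error\] \[client (\S+)\] '
    r'ModSecurity: Access denied with code \d+, .*\[id "(\d+)"\]'
)
# Same pattern made tolerant of the "[modsecurity] " prefix that the LiteSpeed
# build in the thread prepends: the "alternative regex" JulesR asks for.
TOLERANT_MODSEC = re.compile(r'^(?:\[modsecurity\] )?' + APACHE_MODSEC.pattern[1:])

def parse_line(line, pattern=TOLERANT_MODSEC):
    """Return (timestamp, client_ip, rule_id) for a matching line, else None."""
    m = pattern.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2), m.group(3)

def find_blocks(lines, pattern=TOLERANT_MODSEC, threshold=3, window_secs=3600):
    """Replay log lines; return {ip: rule_id} for clients that reach `threshold`
    hits inside a sliding `window_secs`, the way lfd counts towards LF_MODSEC."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None:
            continue  # a line the regex does not match is silently ignored, as in the thread
        ts, ip, rule_id = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=window_secs):
            hits.popleft()
        if len(hits) >= threshold and ip not in blocked:
            blocked[ip] = rule_id
    return blocked

def sample_line(ts, ip, prefixed=True):
    """Build a constructed log line in the thread's format, with or without the prefix."""
    body = (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 403, '
            '[Rule: \'user:bf_block\' \'@gt 0\'] [id "5000135"] '
            '[msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]')
    return ('[modsecurity] ' if prefixed else '') + body

# Constructed sample: three prefixed hits from one client, one from another.
SAMPLE = [sample_line(f"Tue Sep 30 20:43:{s:02d} 2014", "95.211.131.148") for s in (9, 10, 11)]
SAMPLE.append(sample_line("Tue Sep 30 20:43:14 2014", "104.128.231.3"))
```

Running find_blocks(SAMPLE, APACHE_MODSEC) returns an empty dict because every prefixed line fails the strict match, while find_blocks(SAMPLE) blocks 95.211.131.148 on its third hit.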

Re: CSF no longer blocking mod_security

Posted: 11 Oct 2014, 16:20
by optize
Has there been any news to this? I'd like to get it fixed as well.

Re: CSF no longer blocking mod_security

Posted: 12 Oct 2014, 16:55
by optize
This has been fixed by Litespeed in the latest release.

Re: CSF no longer blocking mod_security

Posted: 12 Oct 2014, 21:59
by JulesR
It was fixed in the release before the latest one, that's correct. Details can be found in the link I provided to Litespeed's forum.