Page 1 of 1

CSF - LF_APACHE_403 not working?

Posted: 03 Nov 2014, 13:14
by joshuah
Hello,

I have setup modsecurity rules to give permission denied (403) on multiple brute force attempts; which works great, but now I want CSF to block their IP if they continue. So my thoughts were to configure LF_APACHE_403 to automatically block their IP. Unfortunately, it is not working.

An example of this:
192.95.29.115 - - [04/Nov/2014:00:03:05 +1100] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
192.95.29.115 - - [04/Nov/2014:00:03:06 +1100] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
192.95.29.115 - - [04/Nov/2014:00:03:06 +1100] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
192.95.29.115 - - [04/Nov/2014:00:03:07 +1100] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"
192.95.29.115 - - [04/Nov/2014:00:03:07 +1100] "POST /wp-login.php HTTP/1.1" 403 1139 "-" "-"

There is an example of a brute force attack (there is thousands). Notice the 403, which means the modsecurity is working great..

The problem is, how come CSF wont pickup the many 403's and block them?

Here is the config:

cat /etc/csf/csf.conf | grep LF_APACHE_403
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
LF_APACHE_403 = "40"
LF_APACHE_403_PERM = "120"
LF_INTERVAL = "3600"

Any idea on what else I can try to fix this?

Note: I am running cPanel, litespeed 4.2.18, Comodo WAF (not sure if that matters or not).. main thing is, modsecurity is doing it's job fine, because it is giving it 403, but CSF wont block the many 403

Re: CSF - LF_APACHE_403 not working?

Posted: 06 Nov 2014, 21:35
by broschats
Did you arrive at a solution?