LF_MODSEC not working
Posted: 28 Nov 2014, 07:05
Hi
I'm using a modsec rule to detect and block joomla and wordpress bruteforce attack. This is working well, but I would like to block also the IP with CSF. Therefore I set LF_MODSEC=3, but it doesnt work. I'm using cpanel and in /usr/local/apache/logs/error_log it looks like this:
The path to the log in csf is correct:
MODSEC_LOG = /usr/local/apache/logs/error_log
Regards
Mike
I'm using a modsec rule to detect and block joomla and wordpress bruteforce attack. This is working well, but I would like to block also the IP with CSF. Therefore I set LF_MODSEC=3, but it doesnt work. I'm using cpanel and in /usr/local/apache/logs/error_log it looks like this:
Why is CSF not blocking the IP 69.167.187.208?[Fri Nov 28 07:48:37.849064 2014] [:error] [pid 500520] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgaxS7os4MAB6MoKKEAAAAI"]
[Fri Nov 28 07:48:38.169854 2014] [:error] [pid 500367] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgaxi7os4MAB6KPWpEAAAAH"]
[Fri Nov 28 07:48:38.499118 2014] [:error] [pid 500366] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgaxi7os4MAB6KOfuEAAAAG"]
[Fri Nov 28 07:48:39.820104 2014] [:error] [pid 500337] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgaxy7os4MAB6Jx6-YAAAAC"]
[Fri Nov 28 07:48:40.136813 2014] [:error] [pid 500520] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayC7os4MAB6MoKKIAAAAI"]
[Fri Nov 28 07:48:40.450841 2014] [:error] [pid 500338] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayC7os4MAB6JyYX4AAAAD"]
[Fri Nov 28 07:48:40.766125 2014] [:error] [pid 500367] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayC7os4MAB6KPWpIAAAAH"]
[Fri Nov 28 07:48:41.080831 2014] [:error] [pid 500353] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayS7os4MAB6KB02MAAAAF"]
[Fri Nov 28 07:48:41.394227 2014] [:error] [pid 500366] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayS7os4MAB6KOfuIAAAAG"]
[Fri Nov 28 07:48:41.709782 2014] [:error] [pid 500336] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayS7os4MAB6JwiIQAAAAB"]
[Fri Nov 28 07:48:42.025457 2014] [:error] [pid 500339] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayS7os4MAB6Jz9sUAAAAE"]
[Fri Nov 28 07:48:43.344885 2014] [:error] [pid 500335] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayy7os4MAB6JvjTIAAAAA"]
[Fri Nov 28 07:48:43.662593 2014] [:error] [pid 500337] [client 69.167.187.208] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "45"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at IP:bf_block. [hostname "mydomain_ch"] [uri "/administrator/index.php"] [unique_id "VHgayy7os4MAB6Jx6-cAAAAC"]
The path to the log in csf is correct:
MODSEC_LOG = /usr/local/apache/logs/error_log
Regards
Mike