
CSF not correctly recognizing OWASP mod_security trigger

Posted: 09 Feb 2015, 20:58
by CanSpace
We are using cPanel based servers and recently switched from using the AtomiCorp mod_security rules to the OWASP rules now being provided by cPanel (as I imagine a lot of people will be doing).

It looks like CSF no longer recognizes events triggered by these rules and is not blocking the IP addresses after a certain number of hits.

I described the issue in a thread here [edit: I can't post links, but it is one of the newer threads in the cPanel security sub-forum], and someone came up with this:

It appears to be CSF mishandling it. Let's look at their regex.pm for ModSecurity:

Code:

#mod_security v2 (apache)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)) { ***SNIP***

So the issue here is the regex that LFD is using only covers log lines containing "Access denied with code" or "Access denied with connection." It would need to be (code|connection|redirection) to work with rules that redirect the attacker like the OWASP rules.

You should report this as a bug to ConfigServer. In the meantime, if you go into the file /usr/local/csf/bin/regex.pm you can make the edit to change (code|connection) to (code|connection|redirection) and it will work. I just tested this and it works great after restarting CSF/LFD.
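The following is an added example, not code from the original thread or from csf itself. It takes the regex quoted above (with the client field captured by name so the match is easier to use), runs it over a few constructed Apache 2.4 error-log lines, and shows that a line logged by a rule with a redirect action ("Access denied with redirection to ...") is silently skipped until "redirection" is added to the alternation, exactly as the poster describes. The log lines and IP addresses are made up for the example; the patched pattern is the one-word change proposed in the post, not whatever csf v7.62 actually shipped.

```python
import re

# Regex quoted in the thread (csf regex.pm, "mod_security v2 (apache)" branch),
# reproduced in Python with the client address and the denial keyword captured
# by name. Only "code" and "connection" are accepted after "Access denied with".
ORIGINAL_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?'
    r'\[client (?P<client>\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? '
    r'Access denied with (?P<verb>code|connection)'
)

# The fix proposed in the thread: also accept "redirection", which is what
# ModSecurity logs when the matching rule's disruptive action is a redirect.
PATCHED_RE = re.compile(
    ORIGINAL_RE.pattern.replace('code|connection', 'code|connection|redirection')
)

# Constructed sample log lines (not real captures; addresses are from RFC 5737
# documentation ranges). Line 3 is the OWASP-style redirect case from the thread;
# line 4 is an unrelated Apache error that must never count as a ModSecurity hit.
SAMPLE_LOG = [
    '[Mon Feb 09 20:58:01.000001 2015] [:error] [pid 4321] [client 203.0.113.7] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q.',
    '[Mon Feb 09 20:58:02.000001 2015] [:error] [pid 4321:tid 140] [client 198.51.100.9:51234] '
    'ModSecurity: Access denied with connection close (phase 2). Pattern match "..." at REQUEST_URI.',
    '[Mon Feb 09 20:58:03.000001 2015] [:error] [pid 4321] [client 192.0.2.33] '
    'ModSecurity: Access denied with redirection to /blocked.html using status 302 (phase 2). '
    'Pattern match "..." at ARGS:id.',
    '[Mon Feb 09 20:58:04.000001 2015] [:error] [pid 4321] [client 192.0.2.33] '
    'File does not exist: /home/example/public_html/favicon.ico',
]


def denied_clients(lines, pattern):
    """Return the client field of every line that `pattern` recognises as a denial.

    This models only the recognition step: lfd counts one hit per matching line,
    keyed by client, and blocks the address once LF_MODSEC hits are reached.
    A line the regex does not match never reaches that counter at all.
    """
    hits = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hits.append(m.group('client'))
    return hits


def missed_by_original(lines):
    """Clients that the patched regex sees but the original one does not."""
    seen = set(denied_clients(lines, ORIGINAL_RE))
    return [c for c in denied_clients(lines, PATCHED_RE) if c not in seen]


def main():
    print('original regex :', denied_clients(SAMPLE_LOG, ORIGINAL_RE))
    print('patched regex  :', denied_clients(SAMPLE_LOG, PATCHED_RE))
    print('missed before  :', missed_by_original(SAMPLE_LOG))


if __name__ == '__main__':
    main()
```

The check to run against a real server is the same: feed a stretch of the actual ModSecurity/Apache error log through both patterns and diff the results. Anything in the "missed" list is a denial lfd was not counting toward LF_MODSEC. Note that the client field keeps the `address:port` form Apache 2.4 writes, so any keying by IP needs the port stripped first.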

Re: CSF not correctly recognizing OWASP mod_security trigger

Posted: 09 Feb 2015, 21:49
by ForumAdmin
A new version of csf (v7.62) has been released to more generically support ModSecurity "Access denied" triggers:
http://blog.configserver.com/