ModSecurity & CSF Tweak For Returning Attackers When Restarting CSF / LFD
This article is based on a discussion at Sandeep’s AlphaGNU.
Solution for returning attackers when restarting CSF – CWP – Control WEB Panel – AlphaGNU
This copy is kept as a backup, in case the original site is unavailable.
INTRODUCTION
In this tutorial we'll see how to create an additional ModSecurity regex for CSF, so that CSF can restart a little faster.
The example matches mod_security events and blocks the offending IP on ports 80 and 443.
READ ME FIRST
This article is provided as a courtesy.
Installing, configuring, and troubleshooting third-party applications is outside the scope of basic support provided by Starburst Services.
We are not liable for any damages and/or data loss.
REQUIREMENTS
- SSH credentials or File Manager access, logged in as root
- Nano Text Editor (or another that you are comfortable using)
- ModSecurity Installed and Running
STEP 1
Open the CSF regex file:
nano /etc/csf/regex.custom.pm
STEP 2
Near the end of the file you will find these lines:
# Do not edit beyond this point
return 0;
}
1;
Add the following lines ABOVE "# Do not edit beyond this point" and BELOW the closing "}" of the block that precedes it:
# Match a ModSecurity "Access denied" line in the Apache error log (square brackets escaped, $4 = client IP)
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\]))? Access denied/)) {
	my $ip = $4;
	$ip =~ s/^::ffff://;                          # strip the IPv4-mapped IPv6 prefix
	if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}   # drop a trailing ":port" from an IPv4 address
	my $ruleid = "unknown";
	if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1} # pick up the ModSecurity rule id when present
	# return: message, IP, rule identifier, trigger count, ports to block, permanent-block flag
	if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}
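Before putting the rule into /etc/csf/regex.custom.pm it is worth checking that the regex actually matches your error_log format and extracts the right IP. The script below is an added example written for this article; it is not code from the article, from CSF or from AlphaGNU. It wraps the same regex in a small Perl function and runs it over constructed error_log lines. The checkip() in the script is a hypothetical stand-in for the validator lfd provides, and the log lines are constructed samples, not real traffic.

```perl
#!/usr/bin/perl
# Added test harness (not code from the article, from CSF, or from AlphaGNU).
# Runs the article's regex over constructed Apache/ModSecurity error_log lines so
# the capture groups, IP normalisation and rule id can be checked offline before
# the rule is installed in /etc/csf/regex.custom.pm.
use strict;
use warnings;

# Assumption: a minimal IP validator standing in for CSF's own checkip(),
# which lfd supplies to regex.custom.pm and which is stricter than this.
sub checkip {
    my $ipref = shift;
    return 1 if $$ipref =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;            # IPv4
    return 1 if $$ipref =~ /^[0-9a-fA-F:]+$/ && $$ipref =~ /:/;     # IPv6 literal
    return 0;
}

# The rule from the article, unchanged apart from being wrapped in a sub.
sub custom_line {
    my $line = shift;
    if ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\]))? Access denied/) {
        my $ip = $4;                                  # IP from the second [client ...] field
        $ip =~ s/^::ffff://;                          # IPv4-mapped IPv6 -> plain IPv4
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}   # "a.b.c.d:port" -> "a.b.c.d"
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {
            # Same tuple shape lfd expects from regex.custom.pm:
            # message, IP, rule identifier, trigger count, ports, permanent-block flag.
            return ("mod_security (id:$ruleid) triggered by", "$ip",
                    "mod_security-custom", "1", "80,443", "1");
        }
    }
    return;   # empty list: no hit for this line
}

# Constructed sample lines (not taken from a real server).
my @samples = (
    # 1. blocked request with a rule id -> expected hit on 203.0.113.5, rule 920350
    '[Sun Sep 01 10:15:42.123456 2024] [:error] [pid 4321:tid 139700000000] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "920350"] [msg "constructed sample"] [hostname "example.com"] [uri "/"]',
    # 2. IPv4-mapped IPv6 client, no id tag -> expected hit on 198.51.100.7, rule "unknown"
    '[Sun Sep 01 10:16:03.000001 2024] [:error] [pid 4321:tid 139700000001] [client ::ffff:198.51.100.7:40022] [client ::ffff:198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). [hostname "example.com"] [uri "/login"]',
    # 3. a ModSecurity warning, not a block -> must not fire
    '[Sun Sep 01 10:16:09.000002 2024] [:error] [pid 4321:tid 139700000002] [client 192.0.2.9:33010] [client 192.0.2.9] ModSecurity: Warning. Pattern match "..." at ARGS. [id "941100"]',
);

for my $line (@samples) {
    my @hit = custom_line($line);
    if (@hit) {
        print "BLOCK  $hit[1]  $hit[0]  rule=$hit[2] count=$hit[3] ports=$hit[4] perm=$hit[5]\n";
    } else {
        print "IGNORE " . substr($line, 0, 60) . "...\n";
    }
}
```

Run it with perl on any machine; lines 1 and 2 should report a BLOCK with the IP stripped of the ::ffff: prefix and port, and line 3 should be ignored because it is a warning rather than an Access denied event. If a real line from your own error_log is ignored, compare its [pid ...] and [client ...] fields with the regex, since the rule as written requires the "tid" part and both client fields. After saving the real rule into regex.custom.pm, restart lfd (for example with csf -ra) so the new rule is loaded.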
Thanks for learning with Starburst Services.
Make sure to visit AlphaGNU at: https://www.alphagnu.com/
KB Article Created: 2024-09-01