ModSecurity & CSF Tweak For Returning Attackers When Restarting CSF / LFD


This article is based on a discussion at Sandeep's AlphaGNU titled "Solution for returning attackers when restarting CSF – CWP – Control WEB Panel – AlphaGNU".

It is meant to be a backup, just in case the other site gives an error.


INTRODUCTION

In this tutorial we'll see how to create an additional ModSecurity CSF regex, so CSF can restart a little faster.

Example uses mod_security events on Ports 80 & 443.


READ ME FIRST

This article is provided as a courtesy.
Installing, configuring, and troubleshooting third-party applications is outside the scope of basic support provided by Starburst Services.

We are not liable for any damages and/or data loss.


REQUIREMENTS

  • SSH credentials or File Manager access, logged in as root
  • Nano Text Editor (or another that you are comfortable using)
  • ModSecurity Installed and Running

STEP 1

Open the CSF regex file:

nano /etc/csf/regex.custom.pm

STEP 2

ABOVE:

# Do not edit beyond this point
return 0;
}
1;

AND BELOW THE CLOSING "}" OF THE PREVIOUS BLOCK

Add the following lines:

# Custom trigger: ModSecurity v2 "Access denied" entries in the Apache 2.4 error log
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w+)?:error\] (\[pid \d+(:tid \d+)?\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
	# $4 is the second [client ...] field, which carries the address without a port
	my $ip = $4;
	# strip an IPv4-mapped IPv6 prefix
	$ip =~ s/^::ffff://;
	# a bare IPv4 address with a trailing ":port" has exactly two colon-separated parts
	if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
	# pick up the ModSecurity rule id for the block reason, if the line has one
	my $ruleid = "unknown";
	if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
	# block name "mod_security-custom" keeps this trigger separate from CSF's built-in one
	if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}
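To check that the pattern matches the log format on your server before restarting LFD, here is an added stand-alone Perl dry run (not part of CSF, this article, or the AlphaGNU thread). It replays two constructed sample log lines through the same regex; CSF's checkip() is replaced by a simple address-validity stand-in and the $config/$globlogs checks are dropped.

```perl
#!/usr/bin/perl
# Dry run of the custom ModSecurity regex (added example, not CSF code).
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Stand-in for CSF's checkip(): true only for a syntactically valid IPv4/IPv6 address.
sub checkip {
    my ($ipref) = @_;
    return (defined(inet_pton(AF_INET, $$ipref)) || defined(inet_pton(AF_INET6, $$ipref)));
}

# Same logic as the regex.custom.pm block, minus CSF's $config/$globlogs conditions.
sub match_modsec_line {
    my ($line) = @_;
    return unless $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w+)?:error\] (\[pid \d+(:tid \d+)?\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/;
    my $ip = $4;                                   # address from the second [client ...] field
    $ip =~ s/^::ffff://;                           # drop IPv4-mapped IPv6 prefix
    if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}    # strip ":port" from a bare IPv4 address
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
    return unless checkip(\$ip);
    return ("mod_security (id:$ruleid) triggered by", $ip, "mod_security-custom", "1", "80,443", "1");
}

# Constructed sample lines (not real traffic): a blocked request that must trigger,
# and a ModSecurity "Warning" line that must not.
my @samples = (
    '[Sun Sep 01 10:15:22.123456 2024] [security2:error] [pid 4242:tid 140222] [client 203.0.113.77:51234] [client 203.0.113.77] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "941100"] [msg "XSS Attack Detected"] [hostname "example.com"] [uri "/search"]',
    '[Sun Sep 01 10:15:23.000001 2024] [security2:error] [pid 4242:tid 140222] [client 203.0.113.77:51235] [client 203.0.113.77] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"]',
);

for my $line (@samples) {
    my @r = match_modsec_line($line);
    if (@r) {
        print "BLOCK $r[1] on ports $r[4]: $r[0]\n";   # expected for the first sample
    } else {
        print "no trigger\n";                          # expected for the second sample
    }
}
```

If the first sample prints "no trigger" on your system, compare the regex against an actual line from the ModSecurity log; the Apache log line format (timestamp fields, module prefix, the pid/tid block) must match for LFD to act on it.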


Thanks for learning with Starburst Services.

Make sure to visit AlphaGNU at: https://www.alphagnu.com/



KB Article Created: 2024-09-01
