Change permanent ModSecurity block to temporary
I'm using mod_security with a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.
I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.
Hello :) Are you using additional third-party applications on your system such as Fail2Ban and CSF? Thank you.
I've got CSF installed, and I'm also using CS ModSec Control to make mod_security easier to manage.
Assuming CSF/LFD:

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour

Set something like this:

# - Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "10"
LF_MODSEC_PERM = "300"

This would block for 5 minutes (300 seconds) after modsec rules being triggered. Restart csf/lfd and you should be good.

Edit: these settings are in /etc/csf/csf.conf, you might be able to edit them through WHM too in the CSF panel.
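To check which triggers in a csf.conf block permanently and which block temporarily, the following is an added example (not part of the original thread and not CSF's own tooling). It applies the rule from the config comment quoted above to every LF_<NAME>/LF_<NAME>_PERM pair; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how long each CSF/LFD trigger blocks an IP.
# Per the csf.conf comment quoted above: LF_<NAME> > 0 enables the trigger,
# LF_<NAME>_PERM = 1 blocks permanently, > 1 blocks for that many seconds.
# Reads a csf.conf path given as an argument, or stdin if none is given.
# Returns 1 if any enabled trigger blocks permanently, else 0.
csf_perm_audit() {
    awk '
    /^[ \t]*#/ { next }                             # skip comment lines
    /^[ \t]*[A-Z0-9_]+[ \t]*=/ {                    # KEY = "value"
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
        if (key ~ /^LF_.+_PERM$/ && !(key in conf)) order[++n] = key
        conf[key] = val                             # last assignment wins
    }
    END {
        for (i = 1; i <= n; i++) {
            perm = conf[order[i]]; trig = order[i]; sub(/_PERM$/, "", trig)
            state = ((trig in conf) && conf[trig] + 0 > 0) ? "enabled" : "disabled"
            if (perm == "1") block = "permanent"
            else if (perm ~ /^[0-9]+$/ && perm + 0 > 1) block = "temporary:" perm "s"
            else block = "unrecognized:" perm       # not covered by the quoted comment
            if (state == "enabled" && block == "permanent") bad = 1
            printf "%s %s %s\n", trig, state, block
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample config (not taken from a real server).
csf_sample() {
    cat <<'EOF'
# - Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "10"
LF_MODSEC_PERM = "300"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "0"
LF_FTPD_PERM = "1"
EOF
}

csf_sample | csf_perm_audit || echo "at least one enabled trigger blocks permanently"
```

On a server, run it as `csf_perm_audit /etc/csf/csf.conf` before and after changing the `_PERM` values.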
Nice catch! For some reason, I didn't think to look in CSF's config; only ModSec's.