adding 401's to csf block list
Guys.
I've been away from work for a few days and come back to find a number of attempted logins to cpanel.
Host access control has these covered, however, i'd be happier if CSF also blocked these, to block repeated attempts.
Does anyone know if this is possible to do on an automatic basis.
I guess it's going to be tricky for anyone to actually connect with Host Acess control blocking them and then the secure password followed by three strikes and your out rule, but i'd prefer belt and braces.
107.150.xx.xxx - - [06/19/2015:02:56:22 -0000] "" 401 0 "" "" "-" "-"
I guess it's going to be tricky for anyone to actually connect with Host Acess control blocking them and then the secure password followed by three strikes and your out rule, but i'd prefer belt and braces.
-
This might be better asked over on the CSF forums. 0 -
The CSF forum's are a waste of time in my opinion. Too many views, and not enough answers, so i've given up with it. 0 -
This is a builtin in csf.conf, though not as clearly labelled as the 404 or 403 protections. # - Enable login failure detection of Apache .htpasswd connections # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # password protected directories LF_HTACCESS = "5" LF_HTACCESS_PERM = "1" I tested this by failing some logins to force 401's and I was blocked from my server. Jun 19 13:24:13 new lfd[7539]: (htpasswd) Failed web page login from MY.IP.ADDR (NL/Netherlands/xxxxxx.static.myprovider.com): 5 in the last 300 secs - *Blocked in csf* [LF_HTACCESS]
0 -
It seems that this is already enabled, but isn't blocking the hackers. I see a number of these entries in cpanel access.log I suspect because host access control is stopping them, CSF doesn't see this as a failed login ? 92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:36 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-"0 -
Yes that is possible. You could look in /usr/local/csf/bin/regex.pm to see what logs are monitored and what regular expressions are searched for. I tried some modsec stuff but because the 401 is returned in a later phase of processing, you can't execute disruptive actions based on response status (because the request is already processed). A more complex rule however could be made similar to the wp-login brute force that sets a variable and adds to it per IP, to block IPs after a certain number of 401s. If I have some time later I can try to write one for you. 0 -
OK here you go, you will probably want to add these to modsec2.user.conf yourself or using the "edit rules" feature in WHM (Not add rule, edit rules). # If you are already using wp brute rules, leave the next line commented out. Otherwise uncomment it to enable IP tracking. #SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134 #rate limiting per IP. Deprecate var at 1/60 means the count for each IP drops by 1 every 60 sec. Each hit is +1. SecRule RESPONSE_STATUS "^401" "phase:5,pass,log,id:1384,setvar:ip.401=+1,deprecatevar:ip.401=1/8" #threshhold for blocking. Count greater than 15 hits means the IP is blocked until it counts back down, as set above. SecRule ip:401 "@gt 15" "deny,id:1385,deprecatevar:ip.401=1/8"
Once someone reaches this limit (15 401's in a short time) then modsec will block them from all sites on the server. If you have LF_MODSEC enabled, then they will be banned by CSF if they continue hitting the server.0 -
How would i know if i'm using WP brute rules ? I have no sites using WordPress, but i do have OWASP installed. 0 -
You would know if you were using them, I do not believe any commercial providers have them. Unless you get an error for duplicate rule ID with that line uncommented you should be fine to uncomment it. 0 -
I applied the rules last night, and reconfigured it for 3 hits. (very strict i know) However, i see this morning 5 attempts and nothing logged in CSF. 195.154.105.xx - - [06/24/2015:03:21:22 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:29 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:36 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:43 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:49 -0000] "" 401 0 "" "" "-" "-" 0 -
That's really odd. Can you test by forcing some 401's yourself to see if they are logged by apache in the error log? 0 -
All my IP's are whitelisted, so i'm not really sure how i'll create these myself. I see lat night, another attempt to gain access. 198.154.254.xx - - [06/25/2015:05:24:08 -0000] "" 401 0 "" "" "-" "-" (plus 9 more entries) But i see nothing in Apache errors around this time. I'm guessing becuase Host Access Control is denying access, then it never gets as far as apache ?? 0 -
Yes, that is possible. Host access control can take precedent over modsecurity. If the attempts are not causing load on your server I'd honestly ignore it, if you do want them banned you might have to try removing that host access control rule to see if modsecurity and lfd take over. 0 -
I think i'd rather keep the HAC rule, knowing that should they somehow bypass this, LFD would offer me secondary protection. 0 -
Hi Quizknows Could this rule be applied to "Rejected Recipient" as seen in exim_rejectlog If so then this would help alleviate a problem that seems to crop up frequently, whereby spammers are sending 100's of emails or virus to accounts that don't exist. If this could be applied, then it could help stop the odd one which happens to get delivered to a valid account. 0 -
You could probably block for invalid recipients as long as the offending connecting IP is logged on the same line as that message. To do it would require a custom LFD regex. It could be configured in /etc/csf/regex.custom.pm but this is an extremely advanced configuration and unless you are very good with regular expressions you are going to have a very tough time configuring it. You would also have to set the exim_rejectlog as a CUSTOM#_LOG in csf.conf to configure the regex for it. 0 -
:) "unless you are very good with regular expressions you are going to have a very tough time configuring it" I can't even say it, let alone configure it. Not to worry. 0 -
Looks like fun, however, i'm not sure that i have the will power to start and learn regex to be honest 0
Please sign in to leave a comment.
Comments
19 comments