Skip to main content

adding 401's to csf block list

Comments

19 comments

  • Infopro
    This might be better asked over on the CSF forums.
    0
  • keat63
    The CSF forum's are a waste of time in my opinion. Too many views, and not enough answers, so i've given up with it.
    0
  • Infopro
    I don't see that over there. I see users that don't bother looking up answers already posted though, all the time. There are 2 pages of results when searching for only: 401 Here's one of them (although I have not read it fully :p ):
    0
  • quizknows
    This is a builtin in csf.conf, though not as clearly labelled as the 404 or 403 protections. #
  • Enable login failure detection of Apache .htpasswd connections # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # password protected directories LF_HTACCESS = "5" LF_HTACCESS_PERM = "1" I tested this by failing some logins to force 401's and I was blocked from my server. Jun 19 13:24:13 new lfd[7539]: (htpasswd) Failed web page login from MY.IP.ADDR (NL/Netherlands/xxxxxx.static.myprovider.com): 5 in the last 300 secs - *Blocked in csf* [LF_HTACCESS]
  • 0
  • keat63
    It seems that this is already enabled, but isn't blocking the hackers. I see a number of these entries in cpanel access.log I suspect because host access control is stopping them, CSF doesn't see this as a failed login ?
    92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:36 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-" 92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-"
    0
  • quizknows
    Yes that is possible. You could look in /usr/local/csf/bin/regex.pm to see what logs are monitored and what regular expressions are searched for. I tried some modsec stuff but because the 401 is returned in a later phase of processing, you can't execute disruptive actions based on response status (because the request is already processed). A more complex rule however could be made similar to the wp-login brute force that sets a variable and adds to it per IP, to block IPs after a certain number of 401s. If I have some time later I can try to write one for you.
    0
  • quizknows
    OK here you go, you will probably want to add these to modsec2.user.conf yourself or using the "edit rules" feature in WHM (Not add rule, edit rules).
    # If you are already using wp brute rules, leave the next line commented out. Otherwise uncomment it to enable IP tracking. #SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134 #rate limiting per IP. Deprecate var at 1/60 means the count for each IP drops by 1 every 60 sec. Each hit is +1. SecRule RESPONSE_STATUS "^401" "phase:5,pass,log,id:1384,setvar:ip.401=+1,deprecatevar:ip.401=1/8" #threshhold for blocking. Count greater than 15 hits means the IP is blocked until it counts back down, as set above. SecRule ip:401 "@gt 15" "deny,id:1385,deprecatevar:ip.401=1/8"
    Once someone reaches this limit (15 401's in a short time) then modsec will block them from all sites on the server. If you have LF_MODSEC enabled, then they will be banned by CSF if they continue hitting the server.
    0
  • keat63
    How would i know if i'm using WP brute rules ? I have no sites using WordPress, but i do have OWASP installed.
    0
  • quizknows
    You would know if you were using them, I do not believe any commercial providers have them. Unless you get an error for duplicate rule ID with that line uncommented you should be fine to uncomment it.
    0
  • keat63
    I applied the rules last night, and reconfigured it for 3 hits. (very strict i know) However, i see this morning 5 attempts and nothing logged in CSF. 195.154.105.xx - - [06/24/2015:03:21:22 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:29 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:36 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:43 -0000] "" 401 0 "" "" "-" "-" 195.154.105.xx - - [06/24/2015:03:21:49 -0000] "" 401 0 "" "" "-" "-"
    0
  • quizknows
    That's really odd. Can you test by forcing some 401's yourself to see if they are logged by apache in the error log?
    0
  • keat63
    All my IP's are whitelisted, so i'm not really sure how i'll create these myself. I see lat night, another attempt to gain access. 198.154.254.xx - - [06/25/2015:05:24:08 -0000] "" 401 0 "" "" "-" "-" (plus 9 more entries) But i see nothing in Apache errors around this time. I'm guessing becuase Host Access Control is denying access, then it never gets as far as apache ??
    0
  • quizknows
    Yes, that is possible. Host access control can take precedent over modsecurity. If the attempts are not causing load on your server I'd honestly ignore it, if you do want them banned you might have to try removing that host access control rule to see if modsecurity and lfd take over.
    0
  • keat63
    I think i'd rather keep the HAC rule, knowing that should they somehow bypass this, LFD would offer me secondary protection.
    0
  • keat63
    Hi Quizknows Could this rule be applied to "Rejected Recipient" as seen in exim_rejectlog If so then this would help alleviate a problem that seems to crop up frequently, whereby spammers are sending 100's of emails or virus to accounts that don't exist. If this could be applied, then it could help stop the odd one which happens to get delivered to a valid account.
    0
  • quizknows
    You could probably block for invalid recipients as long as the offending connecting IP is logged on the same line as that message. To do it would require a custom LFD regex. It could be configured in /etc/csf/regex.custom.pm but this is an extremely advanced configuration and unless you are very good with regular expressions you are going to have a very tough time configuring it. You would also have to set the exim_rejectlog as a CUSTOM#_LOG in csf.conf to configure the regex for it.
    0
  • keat63
    :) "unless you are very good with regular expressions you are going to have a very tough time configuring it" I can't even say it, let alone configure it. Not to worry.
    0
  • cPanelMichael
    I can't even say it, let alone configure it.

    Hello :) The following document is a good place to get started if you would like to learn:
    0
  • keat63
    Looks like fun, however, i'm not sure that i have the will power to start and learn regex to be honest
    0

Please sign in to leave a comment.