Custom rule not being blocked in CSF
Just added a custom rule I found from @quizknows to stop posts to wp with no referer:
It logs lots of hits but LF_MODSEC doesn't block the IP as it does with other rules in our Comodo WAF rule set. Any idea why?
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"It logs lots of hits but LF_MODSEC doesn't block the IP as it does with other rules in our Comodo WAF rule set. Any idea why?
-
I use... #Block WP logins with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0"
Are you missing the locationmatch? I'm also going to assume that the MODSEC setting in CSF isn't set to 0 if your other rules are working, but I would be remiss not to mention it. The default value is 5, but I've seen some hosting providers set it to 0, which disables it. Cheers.0 -
Thanks for a reply. The open and close are there as is the default MODSEC value of 5 Further investigation now shows that although the offending IP is listed in WHM>>mod-security tools, in the LFD log its recording the server IP and is ignored. Example; lfd[838779]: mod_security (id:5000130) triggered by 192.X.X.X - ignored0 -
Are you behind a load balancer? Also, check your csf.allow and csf.ignore files. LFD parses the apache error log to look for modsec hits. As long as the entries are logging there with the deny status from apache, then it's on CSF at that point. I can provide further details but that's the gist of it. 0 -
No load balancer, I think the problem is with varnish because if we disable it, lfd then records the correct IP but enabled it shows servers own IP 0 -
No load balancer, I think the problem is with varnish because if we disable it, lfd then records the correct IP but enabled it shows servers own IP
Hello :) I am happy to see you were able to narrow down the issue. Feel free to update this thread with the outcome should you find any custom workarounds so it works with Varnish. Thank you.0
Please sign in to leave a comment.
Comments
5 comments