Trigger csf to block IP based on modsec custom rule
Hello,
I created a custom ModSecurity rule that returns a 403 status code if there is a SQL injection attempt. I want csf to block the IP that triggers this rule by monitoring the log that ModSecurity writes to, but it isn't blocking it at all.
The log shows up as either
/usr/local/apache/error_log or
/var/log/apache2/error_log
so in csf.conf I set MODSEC_LOG to /var/log/apache2/error_log,
and in /etc/csf/regex.custom.pm I added the following lines:
# Custom ModSecurity regex
# lfd calls this with $line (one log line) and $lgfile (the log it came from);
# only lines from MODSEC_LOG count, and only while LF_MODSEC is non-zero.
if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /\[client (\S+)\] ModSecurity: Access denied with code \d+/)) {
    # captured client address; strip the IPv4-mapped IPv6 prefix so checkip() sees a plain IPv4
    $ip = $1; $acc = ""; $ip =~ s/^::ffff://;
    if (&checkip($ip)) {
        # (text, "ip|account", app) is the triple lfd expects back from a custom match
        return ("mod_security triggered by", "$ip|$acc", "mod_security");
    } else {
        return;
    }
}
I also modified these two values in csf.conf:
LF_MODSEC = 5
LF_MODSEC_PERM = 1
This is a sample line from the error log:
[Mon Sep 16 15:58:21.985553 2024] [security2:error] [pid 2443232:tid 2443398] [remote remote_ip:60395] [client remote_ip] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|--|OR|AND|FROM|WHERE|HAVING|1=1)\\\\b" at ARGS:id. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "3"] [id "10000000"] [msg "SQL Injection Attempt Detected in Parameters or URI"] [hostname "HOSTNAME"] [uri "/index.php"] [unique_id "ZugrbZGyKRlvLTJSUAnqiQABExY"]
and this is the custom rule:
What could I change or improve so it will work ?
Thank you,
Best Regards
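Added example (editor's note, not part of the original post or of csf): a stand-alone Perl harness that feeds constructed error_log lines through the custom regex posted above, the way lfd hands each ($line, $lgfile) pair to regex.custom.pm, and prints what the match would return. It assumes LF_MODSEC and MODSEC_LOG set as in the post, uses a small local stand-in for csf's checkip() (the real one lives in ConfigServer::CheckIP and is stricter), and substitutes the documentation address 203.0.113.45 for the redacted "remote_ip". It also carries a port-tolerant variant of the regex, because Apache 2.4's default ErrorLogFormat writes "[client IP:port]" and the posted "\S+" capture would then include the port and fail checkip().

```perl
#!/usr/bin/perl
# Stand-alone harness (added example, not csf's code) for the custom
# regex.custom.pm match in the post above. It mimics what lfd hands the
# custom matcher, one log line plus the name of the log it came from, and
# reports what the match would return. LF_MODSEC and MODSEC_LOG are assumed
# to be set as in the post; every sample line below is constructed.
use strict;
use warnings;

my %config = (
    LF_MODSEC  => 5,
    MODSEC_LOG => '/var/log/apache2/error_log',
);

# Local stand-in for csf's checkip() (the real one is in ConfigServer::CheckIP
# and is stricter). Enough to show that "remote_ip" or "1.2.3.4:60395" fail.
sub checkip {
    my ($ip) = @_;
    return 0 unless defined $ip && length $ip;
    if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
        my @bad = grep { $_ > 255 } ($1, $2, $3, $4);
        return @bad ? 0 : 1;
    }
    return ($ip =~ /^[0-9a-fA-F:]+$/ && $ip =~ /:/) ? 1 : 0;
}

# The posted matcher, wrapped so it can be called with explicit arguments.
# Returns the (text, "ip|acc", app) list lfd expects, or an empty list.
sub match_posted {
    my ($line, $lgfile) = @_;
    if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG})
        and ($line =~ /\[client (\S+)\] ModSecurity: Access denied with code \d+/)) {
        my $ip = $1; my $acc = ""; $ip =~ s/^::ffff://;
        return ("mod_security triggered by", "$ip|$acc", "mod_security") if checkip($ip);
    }
    return;
}

# Variant whose capture stops before an optional ":port", so Apache 2.4's
# "[client 203.0.113.45:60395] ModSecurity: ..." form still yields a bare IP.
# Only IPv4 (optionally ::ffff:-mapped) gets the port stripped; an IPv6
# address followed by a port is ambiguous in this format and is left alone.
sub match_port_tolerant {
    my ($line, $lgfile) = @_;
    if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG})
        and ($line =~ /\[client ((?:::ffff:)?\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)(?::\d+)?\] ModSecurity: Access denied with code \d+/)) {
        my $ip = $1; my $acc = ""; $ip =~ s/^::ffff://;
        return ("mod_security triggered by", "$ip|$acc", "mod_security") if checkip($ip);
    }
    return;
}

# Constructed log fragments modelled on the sample line in the post.
my $stamp  = '[Mon Sep 16 15:58:21.985553 2024] [security2:error] [pid 2443232:tid 2443398] ';
my $denied = 'ModSecurity: Access denied with code 403 (phase 2). '
           . 'Pattern match "\\\\b(SELECT|UNION|1=1)\\\\b" at ARGS:id. '
           . '[file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "3"] [id "10000000"] '
           . '[msg "SQL Injection Attempt Detected in Parameters or URI"] [hostname "HOSTNAME"] [uri "/index.php"]';
my $log    = $config{MODSEC_LOG};

# Cases: [description, log file name lfd would pass as $lgfile, line]
my @cases = (
    ['posted format, real IPv4',      $log, $stamp . '[remote 203.0.113.45:60395] [client 203.0.113.45] ' . $denied],
    ['same line, other error_log',    '/usr/local/apache/error_log',
                                      $stamp . '[remote 203.0.113.45:60395] [client 203.0.113.45] ' . $denied],
    ['placeholder exactly as posted', $log, $stamp . '[remote remote_ip:60395] [client remote_ip] ' . $denied],
    ['IPv4-mapped IPv6 client',       $log, $stamp . '[client ::ffff:203.0.113.45] ' . $denied],
    ['Apache 2.4 [client IP:port]',   $log, $stamp . '[client 203.0.113.45:60395] ' . $denied],
    ['2.4 tag plus mod_security tag', $log, $stamp . '[client 203.0.113.45:60395] [client 203.0.113.45] ' . $denied],
    ['rule warned, did not deny',     $log, $stamp . '[client 203.0.113.45] ModSecurity: Warning. Pattern match "x" at ARGS:id. [id "10000000"]'],
);

sub describe {
    my @r = @_;
    return @r ? "block $r[1] (app $r[2])" : "no action";
}

for my $c (@cases) {
    my ($name, $lgfile, $line) = @$c;
    printf "%-30s posted: %-40s port-tolerant: %s\n", $name,
        describe(match_posted($line, $lgfile)),
        describe(match_port_tolerant($line, $lgfile));
}
```

Run it with `perl harness.pl`. The rows worth reading: the posted regex does match the posted line format once a real address stands in for "remote_ip"; the same line returns nothing when lfd passes the other error_log path, because of the `$lgfile eq $config{MODSEC_LOG}` check; the literal placeholder returns nothing because checkip() rejects it; and the "[client IP:port]" form returns nothing under the posted regex but blocks under the port-tolerant one. Whatever the final regex is, lfd only loads regex.custom.pm at startup, so it has to be restarted after the file changes, and a block still needs LF_MODSEC (5 here) matching lines within LF_INTERVAL before lfd acts.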
-
Hey there! It would be best to reach out to their team directly as we don't provide support for that tool on our end. You can reach them at https://configserver.com/technical-support/
-
Hello,
Thank you for your reply. Yes, I did that, but I posted here in case anyone has run into the same issue before.
Thank you
Best Regards