fuzzylogic


Comments

Recent activity by fuzzylogic
  • My idea is that you have misinterpreted the observation that an IP was not added to the csf.deny list when you expected it to be. If you have the csf settings... LF_MODSEC = 5 LF_MODSEC_PERM = 1 Yo...

  • To prevent ConfigServer LFD from adding these IPs to the Firewall deny list you must stop Modsecurity from writing 40* errors in the Apache error_log for these rules. To do this is easy. You only ...

  • You should not need to write rules for requests like these. I would expect the OWASP CRS to block requests like this if it is set up properly and working. In my test using cPanel provided rules OW...

  • OK. With the logs you supplied I was able to almost duplicate the problem request to one of my virtual hosts. The rules in question operate in the Request phase of the http request (phase 1 - requ...

  • OK. Seems you have a non-standard setup. In my testing of cPanel RoundCube, ModSecurity does not operate for users on the same server as the RoundCube. What I mean by that is when I post strings in ...

  • I will assist in writing an exclusion rule if OP will provide relevant log excerpts. The required logs are from /usr/local/apache/logs/modsec_audit.log Each http request that hits a modsec rule is ...

  • Found another issue... ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0") Should be... ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1")

  • On closer inspection the IP would be in $3. Here is a different regex (simpler) that will capture the IP to $1. I would also stick to using the CUSTOM1_LOG log file definitions until it's working be...

  • No time to test this for you, but I see an error in the logic of your regex. The IP would be stored in the $2 variable because it is the 2nd capture in the expression. So try... if (($lgfile eq $...

  • If you want to match a fragment of the User-Agent you require a looser regular expression. SecRule REQUEST_HEADERS:User-Agent "@rx (?:MJ12bot|AhrefsBot)" "msg:'Spiderbot blocked',phase:1,log,id:777...