adding 401's to csf block list

Discussion in 'Security' started by keat63, Jun 19, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Guys.

    I've been away from work for a few days and come back to find a number of attempted logins to cPanel.
    Host Access Control has these covered; however, I'd be happier if CSF also blocked these, to block repeated attempts.

    Does anyone know if this is possible to do on an automatic basis?

    Code:
    107.150.xx.xxx - - [06/19/2015:02:56:22 -0000] "" 401 0 "" "" "-" "-"
    
    
    I guess it's going to be tricky for anyone to actually connect, with Host Access Control blocking them and then the secure password followed by the three-strikes-and-you're-out rule, but I'd prefer belt and braces.
     
    #1 keat63, Jun 19, 2015
    Last edited: Jun 19, 2015
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    This might be better asked over on the CSF forums.
     
  3. keat63

    The CSF forums are a waste of time in my opinion.
    Too many views, and not enough answers, so I've given up with it.
     
  4. Infopro

  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This is a built-in in csf.conf, though not as clearly labelled as the 404 or 403 protections.

    # [*]Enable login failure detection of Apache .htpasswd connections
    # Due to the often high logging rate in the Apache error log, you might want to
    # enable this option only if you know you are suffering from attacks against
    # password protected directories
    LF_HTACCESS = "5"
    LF_HTACCESS_PERM = "1"

    I tested this by failing some logins to force 401s, and I was blocked from my server.

    Jun 19 13:24:13 new lfd[7539]: (htpasswd) Failed web page login from MY.IP.ADDR (NL/Netherlands/xxxxxx.static.myprovider.com): 5 in the last 300 secs - *Blocked in csf* [LF_HTACCESS]
     
    #5 quizknows, Jun 19, 2015
    Last edited: Jun 19, 2015
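To make the "5 in the last 300 secs" counting above concrete, here is an added example (not csf/lfd code) that applies the same rule to lines in the cpanel access.log format quoted in this thread: a 401 counts as a failure, and an address with 5 failures inside a 300 s window (LF_HTACCESS = "5" with the 300 s interval shown in the lfd message) is flagged. The sample lines and the documentation-range addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access.log sample in the format quoted in this thread; the first
# address fails six times in three seconds, the second fails five times spread
# over eight minutes (so never five inside one 300 s window).
SAMPLE_LOG = '''\
203.0.113.10 - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-"
203.0.113.10 - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-"
203.0.113.10 - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:13:35 -0000] "GET / HTTP/1.1" 200 512 "" "" "-" "-"
203.0.113.10 - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
203.0.113.10 - - [06/21/2015:18:13:36 -0000] "" 401 0 "" "" "-" "-"
203.0.113.10 - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:20:00 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:22:00 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:24:00 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:26:00 -0000] "" 401 0 "" "" "-" "-"
198.51.100.7 - - [06/21/2015:18:28:00 -0000] "" 401 0 "" "" "-" "-"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_401s(log_text):
    """Yield (timestamp, ip) for every 401 line; other statuses are ignored."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "401":
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S %z")
            yield ts, m.group("ip")

def blocked_ips(log_text, limit=5, window=300):
    """Return {ip: time_of_block}: `limit` failures within `window` seconds
    triggers a block, counted the way the lfd message in this thread reads."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocks = {}
    for ts, ip in parse_401s(log_text):
        if ip in blocks:
            continue              # already blocked, later lines are not counted
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= limit:
            blocks[ip] = ts
    return blocks
```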
  6. keat63

    It seems that this is already enabled, but isn't blocking the hackers.
    I see a number of these entries in cpanel access.log.

    I suspect that because Host Access Control is stopping them, CSF doesn't see this as a failed login?

    Code:
    92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:34 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:35 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:36 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:37 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:18:13:38 -0000] "" 401 0 "" "" "-" "-"
    
    92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:29 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:30 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:31 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:32 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-"
    92.222.xxx.xxx - - [06/21/2015:21:52:33 -0000] "" 401 0 "" "" "-" "-"
    
     
    #6 keat63, Jun 22, 2015
    Last edited: Jun 22, 2015
  7. quizknows

    Yes, that is possible. You could look in /usr/local/csf/bin/regex.pm to see what logs are monitored and what regular expressions are searched for.

    I tried some modsec stuff but because the 401 is returned in a later phase of processing, you can't execute disruptive actions based on response status (because the request is already processed). A more complex rule however could be made similar to the wp-login brute force that sets a variable and adds to it per IP, to block IPs after a certain number of 401s. If I have some time later I can try to write one for you.
     
  8. quizknows

    OK, here you go. You will probably want to add these to modsec2.user.conf yourself or by using the "edit rules" feature in WHM (not "add rule", but "edit rules").

    Code:
    # If you are already using WP brute-force rules, leave the next line commented out. Otherwise uncomment it to enable IP tracking.
    
    #SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
    
    # Rate limiting per IP. Each 401 is +1 on the per-IP counter; deprecatevar at 1/8 means the count for each IP drops by 1 every 8 sec (1/60 would mean 1 every 60 sec).
    SecRule RESPONSE_STATUS "^401" "phase:5,pass,log,id:1384,setvar:ip.401=+1,deprecatevar:ip.401=1/8"
    
    # Threshold for blocking. A count greater than 15 hits means the IP is blocked until it counts back down, as set above.
    SecRule ip:401 "@gt 15" "deny,id:1385,deprecatevar:ip.401=1/8"
    
    Once someone reaches this limit (15 401s in a short time), modsec will block them from all sites on the server. If you have LF_MODSEC enabled, then they will be banned by CSF if they continue hitting the server.
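An added model (not ModSecurity code) of what the two rules above do over time: every 401 adds one to the per-IP counter, deprecatevar 1/8 takes one off for each full 8 seconds, and a request is refused while the counter is above 15, then allowed again once it has counted back down. The timeline is constructed; the "decay clock" bookkeeping is my reading of how deprecatevar accrues and is an assumption.

```python
def denied_requests(events, threshold=15, drop=1, every=8):
    """Replay the posted rules over a request timeline.

    events: chronological (t_seconds, ip, backend_status) tuples, where
    backend_status is what the site itself would answer (401 for a bad login).
    Returns the list of (t, ip) for requests the deny rule would refuse.
    """
    state = {}           # ip -> (counter, start of the current decay period)
    denied = []
    for t, ip, status in events:
        count, epoch = state.get(ip, (0, t))
        periods = (t - epoch) // every
        if periods:                    # deprecatevar:ip.401=1/8 (drop per full period)
            count -= drop * periods
            epoch += periods * every
        if count <= 0:                 # fully cooled down: restart the clock
            count, epoch = 0, t
        if count > threshold:          # SecRule ip:401 "@gt 15" "deny" runs before the site answers
            denied.append((t, ip))
            status = 403               # refused request never produces a 401
        if status == 401:              # SecRule RESPONSE_STATUS "^401" ... setvar:ip.401=+1
            count += 1
        state[ip] = (count, epoch)
    return denied

# Constructed timeline (documentation-range address): one login failure per second
# for 20 s, then two more attempts after a three-minute pause.
BURST = [(t, "203.0.113.10", 401) for t in range(20)]
LATER = [(200, "203.0.113.10", 401), (201, "203.0.113.10", 401)]
```

With the posted threshold of 15 the burst is refused from its 19th second on, and after the pause the counter has decayed to zero so the address is served again; lowering the threshold to 3, as the thread's poster did, refuses most of the burst.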
     
  9. keat63

    How would I know if I'm using WP brute rules?
    I have no sites using WordPress, but I do have OWASP installed.
     
  10. quizknows

    You would know if you were using them; I do not believe any commercial providers have them. Unless you get an error for a duplicate rule ID with that line uncommented, you should be fine to uncomment it.
     
  11. keat63

    I applied the rules last night and reconfigured it for 3 hits (very strict, I know).
    However, this morning I see 5 attempts and nothing logged in CSF.

    195.154.105.xx - - [06/24/2015:03:21:22 -0000] "" 401 0 "" "" "-" "-"
    195.154.105.xx - - [06/24/2015:03:21:29 -0000] "" 401 0 "" "" "-" "-"
    195.154.105.xx - - [06/24/2015:03:21:36 -0000] "" 401 0 "" "" "-" "-"
    195.154.105.xx - - [06/24/2015:03:21:43 -0000] "" 401 0 "" "" "-" "-"
    195.154.105.xx - - [06/24/2015:03:21:49 -0000] "" 401 0 "" "" "-" "-"
     
  12. quizknows

    That's really odd. Can you test by forcing some 401s yourself to see if they are logged by Apache in the error log?
     
  13. keat63

    All my IPs are whitelisted, so I'm not really sure how I'll create these myself.

    I see last night another attempt to gain access.
    198.154.254.xx - - [06/25/2015:05:24:08 -0000] "" 401 0 "" "" "-" "-"
    (plus 9 more entries)

    But I see nothing in Apache errors around this time.

    I'm guessing that because Host Access Control is denying access, it never gets as far as Apache?
     
  14. quizknows

    Yes, that is possible. Host Access Control can take precedence over ModSecurity. If the attempts are not causing load on your server, I'd honestly ignore it; if you do want them banned, you might have to try removing that Host Access Control rule to see if ModSecurity and lfd take over.
     
  15. keat63

    I think I'd rather keep the HAC rule, knowing that should they somehow bypass this, LFD would offer me secondary protection.
     
  16. keat63

    Hi Quizknows

    Could this rule be applied to "Rejected Recipient" as seen in exim_rejectlog?
    If so, then this would help alleviate a problem that seems to crop up frequently, whereby spammers are sending 100s of emails or viruses to accounts that don't exist.
    If this could be applied, then it could help stop the odd one which happens to get delivered to a valid account.
     
  17. quizknows

    You could probably block for invalid recipients as long as the offending connecting IP is logged on the same line as that message. To do it would require a custom LFD regex. It could be configured in /etc/csf/regex.custom.pm but this is an extremely advanced configuration and unless you are very good with regular expressions you are going to have a very tough time configuring it. You would also have to set the exim_rejectlog as a CUSTOM#_LOG in csf.conf to configure the regex for it.
     
  18. keat63

    :)

    "unless you are very good with regular expressions you are going to have a very tough time configuring it"

    I can't even say it, let alone configure it.
    Not to worry.
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,744
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The following document is a good place to get started if you would like to learn:

    http://regexone.com/

    Thank you.
     
  20. keat63

    Looks like fun; however, I'm not sure that I have the will power to start and learn regex, to be honest.
     