Change permanent ModSecurity block to temporary

Discussion in 'Security' started by DanH42, Jun 10, 2014.

  1. DanH42

    I'm using mod_security with a subset of the OWASP ruleset, and I'm still getting lots of false positives. Almost every time that happens, the IP responsible gets a permanent block in iptables, which I think is a little strict even if they were trying to attack the server.

    I've tried Googling around a bit, and I can't find a way to make bans temporary. I think a block of 5~30 minutes would be reasonable.
     
  2. cPanelMichael

  3. DanH42

    I've got CSF installed, and I'm also using CS ModSec Control to make mod_security easier to manage.
     
  4. quizknows

    Assuming CSF/LFD:

    # If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
    # block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
    # "1" and the IP address will be blocked temporarily for that value in seconds.
    # For example:
    # LF_TRIGGER_PERM = "1" => the IP is blocked permanently
    # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour

    Set something like this:

    # Enable failure detection of repeated Apache mod_security rule triggers
    LF_MODSEC = "10"
    LF_MODSEC_PERM = "300"

    This would block for 5 minutes (300 seconds) after modsec rules being triggered. Restart csf/lfd and you should be good.

    Edit: these settings are in /etc/csf/csf.conf, you might be able to edit them through WHM too in the CSF panel.
     
    #4 quizknows, Jun 10, 2014
    Last edited: Jun 10, 2014
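
Added example, not part of the post above or of CSF itself: a shell function that reads a csf.conf-style file and reports, for each *_PERM setting, whether it yields a permanent or a temporary block under the rule quoted in the post (1 = permanent, greater than 1 = seconds). It assumes each trigger is named like its _PERM setting minus the suffix, as with LF_MODSEC and LF_MODSEC_PERM; the sample file and its LF_SSHD and LF_FTPD entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit *_PERM settings in a csf.conf-style file.
# Rule taken from the quoted csf.conf comment: "1" = permanent block,
# a value greater than "1" = temporary block for that many seconds,
# and the setting only applies when its trigger is greater than "0".

# audit_perm FILE -> one line per *_PERM setting:
#   NAME trigger=<value> <verdict>
audit_perm() {
    awk '
        # Match assignments of the form: NAME = "value"
        /^[A-Z0-9_]+[ \t]*=[ \t]*"[^"]*"/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^"]*"/, "", val); sub(/".*/, "", val)
            conf[name] = val
            if (name ~ /_PERM$/) order[++n] = name
        }
        END {
            for (i = 1; i <= n; i++) {
                perm = order[i]
                trig = perm; sub(/_PERM$/, "", trig)   # assumed naming
                t = (trig in conf) ? conf[trig] : "unset"
                p = conf[perm]
                if (t !~ /^[0-9]+$/ || t + 0 == 0) verdict = "trigger-disabled"
                else if (p !~ /^[0-9]+$/)          verdict = "unrecognized"
                else if (p + 0 == 1)               verdict = "permanent"
                else if (p + 0 > 1)                verdict = "temporary " p "s"
                else                               verdict = "unrecognized"
                printf "%s trigger=%s %s\n", perm, t, verdict
            }
        }
    ' "$1"
}

# Constructed sample input (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "10"
LF_MODSEC_PERM = "300"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "0"
LF_FTPD_PERM = "1"
EOF
audit_perm "$sample"
rm -f "$sample"
```

Pointing `audit_perm` at /etc/csf/csf.conf lists which detections still block permanently, which is a quick way to confirm the change took before restarting csf/lfd.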
  5. DanH42

    Nice catch! For some reason, I didn't think to look in CSF's config; only ModSec's.
     