csf.conf not rotating csf.deny entries?

Scott Galambos (Well-Known Member, Jul 13, 2016, Canada, cPanel Access Level: Root Administrator)
I have a problem I think. I'm running cPanel 72.0.7. I have mod_security2 blocking wp-login.php hack attempts. It works fine. Entries are added to /etc/csf.deny automatically per the rule.

Problem is when my csf.deny hits the DENY_IP_LIMIT (set to 2000) defined in csf.conf, it does not rotate and remove the old entries automatically. I start to get flooded because it's not blocking. As per the comment, is it not supposed to remove old entries?

"if the limit is reached, the entries will be rotated so that the oldest
entries (i.e. the ones at the top) will be removed and the latest is added."

Any idea?

fuzzylogic (Well-Known Member, Nov 8, 2014, cPanel Access Level: Root Administrator)
My idea is that you have misinterpreted the observation that an IP was not added to the csf.deny list when you expected it to be.
If you have the csf settings...
LF_MODSEC = 5
LF_MODSEC_PERM = 1
You may expect 5 hits from your modsec wp-login.php rule to be enough to satisfy the conditions to be added to the csf.deny list.
That is not necessarily the case.

csf uses lfd to parse apache error_log lines for the line fragment "Access denied with code 40*"
If 5 lines with that fragment are present for a particular IP then it is added to the csf.deny list.

For ModSecurity to write that line in the apache error_log either the ruleset default action must be set to log...
Code:
SecDefaultAction "phase:1,log,auditlog,pass"
Note the word log.

Or the rule in question must override the default action by including "log" in its actions.
Code:
SecRule REQUEST_FILENAME "@endsWith wp-login.php" \
        "msg:'wp-login rule is being hit',\
        id:1111111,\
        log,\
        deny"
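The following script is an added illustration of the two mechanisms discussed in this thread, written for this page and not taken from csf, lfd or the forum posts. It models, in simplified form, what fuzzylogic describes: scanning apache error_log lines for the "Access denied with code 40*" fragment, counting them per client IP, and flagging IPs that reach LF_MODSEC. It also models the csf.conf comment quoted in the first post, where adding an entry beyond DENY_IP_LIMIT drops the oldest entries at the top of csf.deny. The log lines, IP addresses and csf.deny comments are constructed sample data, the error_log layout is the standard Apache/ModSecurity 2 format, and the exact matching and rotation logic inside lfd is assumed rather than copied from it.

```python
import re
from collections import Counter

# Constructed sample apache error_log lines (not from the thread).
# 203.0.113.5 trips the deny rule five times, 198.51.100.7 twice, and
# 198.51.100.9 only hits a log+pass rule, which ModSecurity reports as
# "Warning." rather than "Access denied", so lfd would not count it.
SAMPLE_ERROR_LOG = "\n".join(
    [
        '[Mon Jul 16 10:00:0%d.000000 2018] [:error] [pid 4242] '
        '[client 203.0.113.5:5100%d] ModSecurity: Access denied with code 403 '
        '(phase 1). String match "wp-login.php" at REQUEST_FILENAME. '
        '[id "1111111"] [msg "wp-login rule is being hit"] [uri "/wp-login.php"]'
        % (i, i)
        for i in range(5)
    ]
    + [
        '[Mon Jul 16 10:01:0%d.000000 2018] [:error] [pid 4243] '
        '[client 198.51.100.7:5200%d] ModSecurity: Access denied with code 403 '
        '(phase 1). String match "wp-login.php" at REQUEST_FILENAME. '
        '[id "1111111"] [msg "wp-login rule is being hit"] [uri "/wp-login.php"]'
        % (i, i)
        for i in range(2)
    ]
    + [
        '[Mon Jul 16 10:02:00.000000 2018] [:error] [pid 4244] '
        '[client 198.51.100.9:53000] ModSecurity: Warning. String match '
        '"wp-login.php" at REQUEST_FILENAME. [id "1111111"] [uri "/wp-login.php"]'
    ]
)

# The fragment lfd looks for, per the post: "Access denied with code 40*".
DENIED_RE = re.compile(r"Access denied with code 40\d")
# Apache 2.4 error_log client field: "[client 203.0.113.5:51000]".
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")


def count_modsec_denials(log_text):
    """Count 'Access denied with code 40x' lines per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        if not DENIED_RE.search(line):
            continue  # warnings and other lines do not count toward LF_MODSEC
        match = CLIENT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def ips_to_block(counts, lf_modsec=5):
    """IPs whose denial count reached the LF_MODSEC trigger (assumed: >=)."""
    return sorted(ip for ip, n in counts.items() if n >= lf_modsec)


def add_with_rotation(deny_entries, new_entry, deny_ip_limit):
    """Append an entry to a csf.deny-style list, dropping the oldest entries
    at the top once DENY_IP_LIMIT is exceeded (simplified model of the
    behaviour the csf.conf comment describes)."""
    entries = list(deny_entries) + [new_entry]
    while len(entries) > deny_ip_limit:
        entries.pop(0)
    return entries


def build_deny_list(log_text, lf_modsec=5, deny_ip_limit=2000, existing=()):
    """Run the full pipeline: parse log, pick IPs, append with rotation."""
    entries = list(existing)
    for ip in ips_to_block(count_modsec_denials(log_text), lf_modsec):
        # Constructed comment in the style of lfd's csf.deny annotations.
        entry = "%s # lfd: (mod_security) mod_security triggered (example)" % ip
        entries = add_with_rotation(entries, entry, deny_ip_limit)
    return entries


if __name__ == "__main__":
    counts = count_modsec_denials(SAMPLE_ERROR_LOG)
    print("denials per IP:", dict(counts))
    print("would block:", ips_to_block(counts, lf_modsec=5))
    # A tiny DENY_IP_LIMIT shows the rotation: the oldest entry is dropped.
    print(build_deny_list(SAMPLE_ERROR_LOG, deny_ip_limit=2,
                          existing=["192.0.2.1 # old", "192.0.2.2 # older"]))
```

Run against a real log with something like `count_modsec_denials(open("/usr/local/apache/logs/error_log").read())` to see which IPs have actually produced the "Access denied" fragment; an IP that only shows "Warning." lines has not met the condition, which is the point fuzzylogic makes about the rule needing both `log` and a denying action.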