Custom rule not being blocked in CSF

kernow (Well-Known Member, cPanel Access Level: Root Administrator)
Just added a custom rule I found from @quizknows to stop posts to wp with no referer:
Code:
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
It logs lots of hits but LF_MODSEC doesn't block the IP as it does with other rules in our Comodo WAF rule set.
Any idea why?
 

rregister (Member, Texas, cPanel Access Level: Root Administrator)
I use...

Code:
#Block WP logins with no referring URL
<LocationMatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>
Are you missing the locationmatch?

I'm also going to assume that the MODSEC setting in CSF isn't set to 0 if your other rules are working, but I would be remiss not to mention it. The default value is 5, but I've seen some hosting providers set it to 0, which disables it.

Cheers.
 

kernow (Well-Known Member, cPanel Access Level: Root Administrator)
Thanks for the reply.
The <LocationMatch> open and close are there, as is the default MODSEC value of 5.
Further investigation now shows that although the offending IP is listed in WHM >> ModSecurity Tools, in the LFD log it's recording the server IP and is ignored.
Example:
Code:
lfd[838779]: mod_security (id:5000130) triggered by 192.X.X.X - ignored
 

quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
Are you behind a load balancer? Also, check your csf.allow and csf.ignore files.

LFD parses the apache error log to look for modsec hits. As long as the entries are logging there with the deny status from apache, then it's on CSF at that point. I can provide further details but that's the gist of it.
 

kernow (Well-Known Member, cPanel Access Level: Root Administrator)

No load balancer. I think the problem is with Varnish, because if we disable it, lfd then records the correct IP, but with it enabled it shows the server's own IP.

cPanelMichael (Administrator, Staff member)
Hello :)

I am happy to see you were able to narrow down the issue. Feel free to update this thread with the outcome should you find any custom workarounds so it works with Varnish.

Thank you.
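The mechanism quizknows describes (lfd reading ModSecurity denials out of the Apache error log) and the Varnish symptom kernow ran into can be walked through in code. The Python below is an added example, not code from this thread, from CSF/lfd or from ModSecurity. It parses constructed error-log lines in the shape ModSecurity 2.x writes for a "deny" rule, applies a simplified model of lfd's ignore logic (an IP in csf.ignore or one of the server's own addresses is reported as ignored, everything else is blocked), and then shows the X-Forwarded-For resolution that Apache's mod_remoteip performs (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy) so that the real client, not the Varnish address, ends up in the log lfd reads. The sample log lines, the addresses 192.0.2.10 / 203.0.113.45 / 198.51.100.7 and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed Apache 2.4 error-log lines in the shape ModSecurity 2.x writes when
# a "deny" rule fires. Made up for this example; not lines from the thread's server.
# Line 2 is what Apache logs when Varnish (here on 192.0.2.10) is the TCP peer.
SAMPLE_ERROR_LOG = """\
[Thu Mar 03 10:15:01.123456 2016] [:error] [pid 1234] [client 203.0.113.45:51234] ModSecurity: Access denied with code 401 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "12"] [id "5000130"] [msg "wp-login request blocked, no referer"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "AAA"]
[Thu Mar 03 10:15:02.000000 2016] [:error] [pid 1235] [client 192.0.2.10:40002] ModSecurity: Access denied with code 401 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "12"] [id "5000130"] [msg "wp-login request blocked, no referer"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "BBB"]
[Thu Mar 03 10:15:03.000000 2016] [:error] [pid 1236] [client 198.51.100.7:33333] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "5000130"] [msg "wp-login request blocked, no referer"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "CCC"]
"""

# Only denials count: lfd keys on "Access denied with code NNN", so a rule that
# merely logs or warns never produces a block (assumption: simplified model of lfd).
DENIAL_RE = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] '
    r'ModSecurity: Access denied with code (?P<status>\d+)'
    r'.*?\[id "(?P<rule_id>\d+)"\]'
)


def parse_modsec_denials(log_text):
    """Return one dict per denial line: the client IP Apache logged, HTTP status, rule id."""
    hits = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            hits.append({"ip": m.group("ip"),
                         "status": int(m.group("status")),
                         "rule_id": m.group("rule_id")})
    return hits


def lfd_decision(ip, ignore_list, server_ips):
    """Simplified model of lfd's choice (assumption): an IP that is the server's own
    or is listed in csf.ignore is reported as 'ignored'; anything else is 'blocked'."""
    if ip in server_ips:
        return "ignored (server's own IP)"
    if ip in ignore_list:
        return "ignored (csf.ignore)"
    return "blocked"


def evaluate_log(log_text, ignore_list=(), server_ips=()):
    """Run every denial in the log through the decision; returns (ip, rule_id, action) tuples."""
    return [(h["ip"], h["rule_id"], lfd_decision(h["ip"], set(ignore_list), set(server_ips)))
            for h in parse_modsec_denials(log_text)]


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies):
    """What mod_remoteip does before Apache logs the client: honour X-Forwarded-For
    only when the TCP peer is a trusted proxy, and walk the header right-to-left past
    any other trusted hops. A header sent by an untrusted peer is ignored, so a client
    cannot spoof someone else's address into the log (and get that address banned)
    or hide its own."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            return peer_ip  # garbage in the header: fall back to the real peer
    return peer_ip  # header empty, or every hop was one of our own proxies


if __name__ == "__main__":
    # Varnish on 192.0.2.10 fronts Apache, so the second denial is logged under 192.0.2.10
    # and a model of lfd that ignores the server's own IPs reports exactly the thread's symptom.
    for ip, rule_id, action in evaluate_log(SAMPLE_ERROR_LOG, server_ips={"192.0.2.10"}):
        print(f"lfd: mod_security (id:{rule_id}) triggered by {ip} - {action}")
    # With mod_remoteip trusting only the Varnish address, the same request is
    # attributed to the real client before it reaches the error log.
    print(resolve_client_ip("192.0.2.10", "203.0.113.45", {"192.0.2.10"}))
```

The trusted-peer check is the part to keep in mind when applying the real fix in Apache: if X-Forwarded-For were honoured from any peer rather than only from the Varnish address, a visitor could place an arbitrary address in the header and have lfd ban that address, or keep its own out of the log.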