
Custom rule not being blocked in CSF

Discussion in 'Security' started by kernow, Mar 4, 2016.

  1. kernow

    Just added a custom rule I found from @quizknows to stop posts to wp with no referer:
    Code:
    SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0"
    It logs lots of hits but LF_MODSEC doesn't block the IP as it does with other rules in our Comodo WAF rule set.
    Any idea why?
     
  2. rregister

    I use...

    Code:
    #Block WP logins with no referring URL
    <Locationmatch "/wp-login.php">
    SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0"
    </Locationmatch>
    Are you missing the locationmatch?

    I'm also going to assume that the MODSEC setting in CSF isn't set to 0 if your other rules are working, but I would be remiss not to mention it. The default value is 5, but I've seen some hosting providers set it to 0, which disables it.

    Cheers.
     
  3. kernow

    Thanks for a reply.
    The <Locationmatch> open and close are there, as is the default MODSEC value of 5.
    Further investigation now shows that although the offending IP is listed in WHM>>mod-security tools, in the LFD log it's recording the server IP and is ignored.
    Example:
    Code:
    lfd[838779]: mod_security (id:5000130) triggered by 192.X.X.X - ignored
     
  4. quizknows

    Are you behind a load balancer? Also, check your csf.allow and csf.ignore files.

    LFD parses the apache error log to look for modsec hits. As long as the entries are logging there with the deny status from apache, then it's on CSF at that point. I can provide further details but that's the gist of it.
     
  5. kernow

    No load balancer. I think the problem is with Varnish, because if we disable it, lfd then records the correct IP, but when enabled it shows the server's own IP.
     
  6. cPanelMichael

    Hello :)

    I am happy to see you were able to narrow down the issue. Feel free to update this thread with the outcome should you find any custom workarounds so it works with Varnish.

    Thank you.
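
A way to confirm the symptom described in this thread, where denied hits on a rule reach the Apache error log but carry the server's own address: this is an added example, not part of any post above and not CSF/LFD code. The log lines, the server IP 198.51.100.5 and rule id 999001 are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (Apache 2.2 and 2.4 error-log styles); not taken from the thread.
# 198.51.100.5 stands in for the server's own IP; rule id 999001 is a made-up second rule.
SAMPLE_LOG = """\
[Fri Mar 04 10:15:32 2016] [error] [client 198.51.100.5] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:15:40.120934 2016] [:error] [pid 2210] [client 198.51.100.5:41022] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:16:02 2016] [error] [client 127.0.0.1] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:17:11 2016] [error] [client 203.0.113.77] ModSecurity: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed rule"] [uri "/xmlrpc.php"]
[Fri Mar 04 10:17:30 2016] [error] [client 203.0.113.77] File does not exist: /home/user/public_html/favicon.ico
"""

CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")  # IPv4, optional :port
RULE_RE = re.compile(r'\[id "(\d+)"\]')


def hits_by_origin(log_text, server_ips):
    """Return {rule_id: (hits_from_own_addresses, hits_from_remote_addresses)}."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    local, remote = Counter(), Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # only deny entries matter here
        client, rule = CLIENT_RE.search(line), RULE_RE.search(line)
        if not (client and rule):
            continue
        try:
            ip = ipaddress.ip_address(client.group(1))
        except ValueError:
            continue  # e.g. an octet above 255
        bucket = local if (ip in own or ip.is_loopback) else remote
        bucket[rule.group(1)] += 1
    return {r: (local[r], remote[r]) for r in sorted(set(local) | set(remote))}


def rules_masked_by_proxy(log_text, server_ips):
    """Rule ids whose every denied hit was logged with one of the server's own addresses."""
    stats = hits_by_origin(log_text, server_ips)
    return [r for r, (own_hits, remote_hits) in stats.items() if own_hits and not remote_hits]


if __name__ == "__main__":
    for rule, (own_hits, remote_hits) in hits_by_origin(SAMPLE_LOG, ["198.51.100.5"]).items():
        print(f"rule {rule}: {own_hits} hits from own addresses, {remote_hits} from remote clients")
    print("masked:", rules_masked_by_proxy(SAMPLE_LOG, ["198.51.100.5"]))
```

A rule that shows up in the masked list is one whose offenders Apache never saw by their real address, which matches the "triggered by 192.X.X.X - ignored" entry quoted in the thread.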
     