Custom rule not being blocked in CSF

Discussion in 'Security' started by kernow, Mar 4, 2016.

  1. kernow

    kernow Well-Known Member

    Just added a custom rule I found from @quizknows to stop posts to wp with no referer:
    Code:
    SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0"
    It logs lots of hits but LF_MODSEC doesn't block the IP as it does with other rules in our Comodo WAF rule set.
    Any idea why?
     
  2. rregister

    rregister Member

    I use...

    Code:
    #Block WP logins with no referring URL
    <Locationmatch "/wp-login.php">
    SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0"
    </Locationmatch>
    Are you missing the locationmatch?

    I'm also going to assume that the MODSEC setting in CSF isn't set to 0 if your other rules are working, but I would be remiss not to mention it. The default value is 5, but I've seen some hosting providers set it to 0, which disables it.

    Cheers.
     
  3. kernow

    kernow Well-Known Member

    Thanks for a reply.
    The <Locationmatch> open and close are there, as is the default MODSEC value of 5.
    Further investigation now shows that although the offending IP is listed in WHM>>mod-security tools, in the LFD log it's recording the server IP and is ignored.
    Example:
    Code:
    lfd[838779]: mod_security (id:5000130) triggered by 192.X.X.X - ignored
     
  4. quizknows

    quizknows Well-Known Member

    Are you behind a load balancer? Also, check your csf.allow and csf.ignore files.

    LFD parses the Apache error log to look for modsec hits. As long as the entries are logging there with the deny status from Apache, then it's on CSF at that point. I can provide further details but that's the gist of it.
     
  5. kernow

    kernow Well-Known Member

    No load balancer. I think the problem is with Varnish, because if we disable it, lfd then records the correct IP, but when it is enabled it shows the server's own IP.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I am happy to see you were able to narrow down the issue. Feel free to update this thread with the outcome should you find any custom workarounds so it works with Varnish.

    Thank you.
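
The situation this thread arrives at, as an added example (not lfd's own parser and not code from any poster): a Python script that reads ModSecurity "Access denied" entries from Apache error-log text and separates hits whose logged client is one of the server's own addresses, which is what the log shows when a local proxy such as Varnish sits in front of Apache. The log lines, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on Apache 2.2 and 2.4 error-log layouts.
SAMPLE_LOG = """\
[Fri Mar 04 10:15:01 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:15:02.120034 2016] [:error] [pid 4321] [client 192.0.2.10:51844] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:15:03.220911 2016] [:error] [pid 4321] [client 192.0.2.10:51850] ModSecurity: Access denied with code 401 (phase 2). [id "5000130"] [msg "wp-login request blocked, no referer"] [uri "/wp-login.php"]
[Fri Mar 04 10:15:04.000100 2016] [:error] [pid 4322] [client 127.0.0.1:40112] ModSecurity: Warning. [id "5000131"] [msg "constructed non-blocking entry"]
"""

DENIED_RE = re.compile(r"\[client (?P<token>[^\]]+)\] ModSecurity: Access denied")
RULE_ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')


def client_ip(token):
    """Parse a [client ...] token; Apache 2.4 appends ':port', Apache 2.2 does not."""
    for candidate in (token, token.rpartition(":")[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def attribute_hits(log_text, own_addresses):
    """Count denied hits per (client IP, rule id), split into hits from remote
    clients and hits logged against the server's own addresses."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    remote, local = Counter(), Counter()
    for line in log_text.splitlines():
        denied = DENIED_RE.search(line)
        rule = RULE_ID_RE.search(line)
        if not denied or not rule:
            continue  # not a blocking ModSecurity entry
        ip = client_ip(denied.group("token"))
        if ip is None:
            continue
        bucket = local if (ip in own or ip.is_loopback) else remote
        bucket[(str(ip), rule.group("id"))] += 1
    return remote, local


if __name__ == "__main__":
    # 192.0.2.10 stands in for the server's own public address (assumption).
    remote, local = attribute_hits(SAMPLE_LOG, ["192.0.2.10"])
    print("attributed to remote clients:", dict(remote))
    print("attributed to the server itself (proxy in front?):", dict(local))
```

A non-empty second result for a rule such as 5000130 means Apache is logging the proxy's address rather than the visitor's, so the fix belongs in how Apache learns the client address, not in the rule or in CSF.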
     