From which file CPanel reads the logs for mod_security?

chris_j

Member
Oct 14, 2005
11
0
151
In my WHM, when I click on the addon "Mod Security", I see the list of denied items as expected. I wish to know from which file exactly CPanel reads this info. I am using FreeBSD-5.4. Basically, I am trying to block the IPs that frequently show up in this "hacking" list. Thanks for your help in advance.
 

Beermonster

Member
Mar 27, 2006
10
0
151
Click on the mod_security link in WHM, then at the top you will see an Edit Config button. Click on that and in the text box put this:

SecFilterSelective "REMOTE_ADDR" "^xx\.xx\.xx\.xx$" "deny,log,status:412"

xx.xx.xx.xx = IP of course :) or for a range change it to xx.xx.*$.*$
 

chris_j

Actually, I am trying to deny the hacking attempts at the firewall (IPFW) level, so that the hacker's IP never reaches the box again to try his new tricks. So, I was looking for the file from which CPanel actually reads the list. Any idea??
 

avijit

Well-Known Member
Jul 26, 2004
116
0
166
India
An hourly cron /etc/cron.hourly/modsecparse.pl checks the /usr/local/apache/logs/audit_log and parses it for banning the IPs/hosts.
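
One way to turn the audit_log named above into IPFW deny rules, as an added example that is not part of the thread and is not cPanel's modsecparse.pl. The log layout (a `Request:` line directly after a `=====` separator, one `mod_security-action:` line per denied entry), the threshold, the allow list and the sample entries are assumptions; compare them with your own audit_log.

```python
import ipaddress
import re
from collections import Counter

REQUEST_RE = re.compile(r"^Request: (\S+) ")
ACTION_RE = re.compile(r"^mod_security-action: (\d{3})\s*$")

def denied_ips(log_text):
    """Count denied entries per client IPv4 address in audit_log text."""
    counts, current, after_sep = Counter(), None, False
    for line in log_text.splitlines():
        if line.startswith("====="):
            current, after_sep = None, True
            continue
        # A Request line is accepted only directly after a separator, so a
        # stray "Request:" string inside a logged payload is not counted.
        m = REQUEST_RE.match(line) if after_sep else None
        after_sep = False
        if m:
            try:  # hostnames (HostnameLookups On) and junk are skipped
                current = str(ipaddress.IPv4Address(m.group(1)))
            except ValueError:
                current = None
        elif current and ACTION_RE.match(line):
            counts[current] += 1
            current = None  # at most one count per log entry
    return counts

def ipfw_rules(counts, threshold=3, allow=("127.0.0.1",)):
    """Return ipfw commands as text for IPs at or over the threshold."""
    return [f"ipfw add deny ip from {ip} to any"
            for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allow]

def _entry(client, payload=""):
    # Constructed sample entry in the assumed ModSecurity 1.x layout.
    return ("=" * 40 + "\n"
            f'Request: {client} - - [14/Oct/2005:10:00:00 +0000] "POST /x.php HTTP/1.0" 412 0\n'
            + "-" * 40 + "\n"
            "POST /x.php HTTP/1.0\n"
            "mod_security-message: Access denied with code 412.\n"
            "mod_security-action: 412\n\n" + payload + "\n")

FORGED = "Request: 192.0.2.99 - - x\nmod_security-action: 412"
SAMPLE_LOG = (_entry("203.0.113.7") * 3 + _entry("198.51.100.4")
              + _entry("scanner.example.net") * 3 + _entry("127.0.0.1") * 3
              + _entry("192.0.2.10", payload=FORGED) * 3)

if __name__ == "__main__":
    print("\n".join(ipfw_rules(denied_ips(SAMPLE_LOG))))
```

The functions only return the commands as text. Log contents are influenced by the client, so review the list before loading it into IPFW.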
 

chris_j

avijit said:
An hourly cron /etc/cron.hourly/modsecparse.pl checks the /usr/local/apache/logs/audit_log and parses it for banning the IPs/hosts.
Thanks, that's exactly what I was looking for. :)