crazyaboutlinux

Well-Known Member
Nov 3, 2007
939
1
66
One of my clients is having trouble connecting to the FTP server every day.

They have a dynamic IP from BSNL.
BSNL is India's largest ISP.

We are using the CSF 4.63 firewall, so I just put their local ISP's IP address into the /etc/csf.allow file and they were able to log in to the FTP server.

But the problem comes back once their local ISP's IP address changes by itself.

So I told them to buy a static IP instead of a dynamic one, but they do not agree with us, and we don't want to add the whole BSNL IP range to our server firewall, as this may cause problems for our server performance.

So what's the solution for this?
 

big_bull

Well-Known Member
Nov 19, 2006
150
0
166
cPanel Access Level
Root Administrator
No need for any static IP; they must be using wrong credentials, that's why their local IP gets banned frequently.
 

crazyaboutlinux

Sounds good.
Might be, but I don't believe that they are using wrong credentials every day???

It could be possible the 1st time, 2nd time, 3rd time, but every day is not possible.
 

big_bull

Yes Nilesh, you are right :)

You must have forwarded root emails to a specific email address. Please search for the IP there and check the reason for it getting blocked every time.

:) Hope you will get the reason for the IP block.
 

crazyaboutlinux

Hi Bull,

> You must have forwarded root emails to a specific email address. Please search for the IP there and check the reason for it getting blocked every time.

How can I come to know this thing? Where can I put the root email?

One more thing:
I got the details below from the /etc/csf.deny file

59.96.145.59 # lfd: 5 (mod_security) login failures from 59.96.145.59 in the last 300 secs - Tue Apr 14 19:01:02 2009

It may help us guys to resolve this issue.
 

crazyaboutlinux

Also, I got the details below from mod_security under the plugins menu

Date - 2009-04-15
Time - 16:12:59
IP - 59.95.202.17
GET - /type=text/javascript HTTP/1.1
Host - domain.com
Message - Access denied with code 406 (phase 2). Pattern match "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:j ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "79"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <type=text/javascript>"] [severity "CRITICAL"]

Action - 406
 

big_bull

In WHM >> Server Contacts >> Change System Mail Preferences >> root's mail and forward to your desired email address so that you can monitor activities.

For mod security, just delete the code in /etc/httpd/conf/modsec2.conf
 

thewebhosting

Well-Known Member
May 9, 2008
1,199
1
68
Hi Bull,
> 59.96.145.59 # lfd: 5 (mod_security) login failures from 59.96.145.59 in the last 300 secs - Tue Apr 14 19:01:02 2009

Try after disabling mod_security for your client's domain. To disable it, just add the code below to the .htaccess file:

SecFilterEngine Off
SecFilterScanPOST Off

It is not recommended to disable it, for security reasons.
 

crazyaboutlinux

> Try after disabling mod_security for your client's domain. To disable it, just add the code below to the .htaccess file:
>
> SecFilterEngine Off
> SecFilterScanPOST Off

Will this create any problem for my server if I do this??

> It is not recommended to disable it, for security reasons.

Yes, mod_security cannot be disabled, for security reasons.
 

tuxicans

Active Member
Oct 16, 2008
38
0
56
If you are using mod_security 2, try the following method.

Create the file,

/usr/local/apache/conf/userdata/std/2/username/domain.com/mod_security.conf

Replace domain.com with your domain name and add,

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

Save it.

Then run:

/scripts/ensure_vhost_includes --user=username
 

crazyaboutlinux

Thanks for your support, but I think it's very difficult to use.


As per thewebhosting's comments

SecFilterEngine Off
SecFilterScanPOST Off

it's not too hard.
 

tuxicans

Hi Nilesh,

> Thanks for your support, but I think it's very difficult to use.
>
> As per thewebhosting's comments
>
> SecFilterEngine Off
> SecFilterScanPOST Off
>
> it's not too hard.

As I mentioned, those steps are required when you are using mod_security version 2. The steps provided by thewebhosting are for modsec version one. The settings for each version are different.
 

crazyaboutlinux

Hi Tuxicans,

Thank you so much for the clarification.

We are using mod_security 2.

Can you please elaborate on your suggestion?

> Create the file,
>
> /usr/local/apache/conf/userdata/std/2/username/domain.com/mod_security.conf
>
> Replace domain.com with your domain name and add,
>
> <IfModule mod_security2.c>
> SecRuleEngine Off
> </IfModule>
>
> Save it.
>
> Then run:
>
> /scripts/ensure_vhost_includes --user=username

I am very confused by this; please explain more about it.
 

crazyaboutlinux

> If you are using mod_security 2, try the following method.
>
> Create the file,
>
> /usr/local/apache/conf/userdata/std/2/username/domain.com/mod_security.conf
>
> Replace domain.com with your domain name and add,
>
> <IfModule mod_security2.c>
> SecRuleEngine Off
> </IfModule>
>
> Save it.
>
> Then run:
>
> /scripts/ensure_vhost_includes --user=username

Hi Tuxican,

Please explain to me how to create this file????????
 

tuxicans

Hi Nilesh,

mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM
Then create a mod_security conf file:

touch /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN.COM/mod_security.conf
Now add the following directives,

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
Save the file and then run:

/scripts/ensure_vhost_includes --user=USERNAME
 

crazyaboutlinux

Hi Tuxicans,

This is really, really very easy to use and you are doing a fantastic job.

Thank you so much for this.

Let me ask you one thing:

will it affect one domain or all??
 

tuxicans

Hi Nilesh,

Thanks !

This is only for the one domain which you mention while creating the directory structure.
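
Added example, not part of any post in this thread: the csf.deny line and the mod_security message quoted above already name the cause of the block (lfd counting mod_security denials, rule id 950004), so these shell functions extract both and write a per-domain include that removes only that rule instead of setting SecRuleEngine Off. The function names are hypothetical, the sample strings are copies of the thread's log lines (the regex abridged), and SecRuleRemoveById is a standard ModSecurity 2 directive that no poster here suggested.

```shell
#!/bin/sh
# Constructed input: copied from the log lines quoted in the thread,
# with the long pattern in the mod_security message abridged to "...".
DENY_SAMPLE='59.96.145.59 # lfd: 5 (mod_security) login failures from 59.96.145.59 in the last 300 secs - Tue Apr 14 19:01:02 2009'
MODSEC_SAMPLE='Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "79"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack. Matched signature <type=text/javascript>"] [severity "CRITICAL"]'

# Read csf.deny-style lines on stdin; print "IP TRIGGER COUNT" for each
# entry written by lfd, so the reason for a block is visible at a glance.
lfd_triggers() {
    sed -n 's/^\([0-9.]*\) # lfd: \([0-9]*\) (\([^)]*\)) login failures.*/\1 \3 \2/p'
}

# Read mod_security log messages on stdin; print each rule id once.
modsec_rule_ids() {
    sed -n 's/.*\[id "\([0-9]*\)"].*/\1/p' | sort -u
}

# Read rule ids on stdin; print a per-domain include that removes only
# those rules and leaves the rest of the rule set active.
make_exclusion() {
    echo '<IfModule mod_security2.c>'
    while read -r id; do
        if [ -n "$id" ]; then
            echo "SecRuleRemoveById $id"
        fi
    done
    echo '</IfModule>'
}

# Why was the client blocked, and which rule did the requests hit?
printf '%s\n' "$DENY_SAMPLE" | lfd_triggers
printf '%s\n' "$MODSEC_SAMPLE" | modsec_rule_ids | make_exclusion
```

The generated block would go in the same userdata mod_security.conf file described in the thread, followed by the same ensure_vhost_includes run.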