ModSec, CSF, AbuseIPDB and IPBlocklists!

WorkinOnIt

Hello folks;

CENTOS 7.8 Apache WHM v86.0.21

1) Using ModSec OWASP v3 in WHM and also have CSF installed. Just to clarify my understanding - if ModSec picks up an abusive IP for bad behaviour, it will block it, right (including IPv6 addresses)? Since CSF does pretty much the same thing... is there any point in having both?

2) RE IP blocklists: I would like to hear thoughts on which is best to implement to reduce abusive connections.

I'm aware of e.g. CSF block lists including the DShield Block List and the Spamhaus DROP List, plus ModSec uses Project Honey Pot. Plus there is AbuseIPDB...

- which blocklist is most efficient in WHM and will have negligible effect on the loading time of sites / server processes?
- which blocklist is maintained best and kept up to date?
- any other considerations?

Thanks

cPanelLauren

Product Owner
Staff member
1) Using ModSec OWASP v3 in WHM and also have CSF installed. Just to clarify my understanding - if ModSec picks up an abusive IP for bad behaviour, it will block it, right (including IPv6 addresses)? Since CSF does pretty much the same thing... is there any point in having both?
There definitely is. CSF is what's best described as a management tool for iptables. CSF/iptables works on a lower network layer than a WAF (Web Application Firewall) like ModSecurity. CSF/iptables can block network traffic to a specific port or from particular sources, but it doesn't inspect traffic to see if it might be an attempt to exploit a security vulnerability. This is where ModSecurity ultimately comes into play, especially when you have an osCommerce store or CMS-driven site. ModSecurity examines incoming network requests to see if they match patterns associated with common attacks against web applications. ModSecurity is a real-time filter for malicious activity. It essentially picks up where CSF/iptables stops and fills a gap.

2) RE IP blocklists: I would like to hear thoughts on which is best to implement to reduce abusive connections.
My honest opinion is that I don't know much about them; maybe someone else has more information, but I believe you'd want to do your own outside research on this. I know that a lot of people use Project Honey Pot with ModSecurity (you need to sign up and enter your key), but once this is done it is a useful tool. I also know that Spamhaus is very widely used.
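To make the layering concrete, here is an added illustration (not code from the thread, and not CSF or ModSecurity itself) of the two decision points described above. Stage one mimics what CSF/iptables can see, which is only the packet's source address against a deny list; stage two mimics what a WAF sees, the decoded request line, matched against two toy stand-ins for OWASP CRS rule families. The deny list entries, the regexes and the sample requests are all constructed for the example using documentation address ranges.

```python
import ipaddress
import re
from urllib.parse import unquote

# Stage 1: what CSF/iptables evaluates -- source address only, no payload.
# Constructed deny list (RFC 5737 / RFC 3849 documentation ranges, not real abusers).
DENY_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]

# Stage 2: what a WAF evaluates -- the request itself. These two patterns are
# simplified stand-ins for CRS SQLi and path-traversal rules, not CRS text.
WAF_PATTERNS = {
    "sqli": re.compile(r"(?i)\bunion\b.{0,40}\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "traversal": re.compile(r"\.\.[/\\]"),
}


def firewall_verdict(src_ip: str) -> str:
    """Packet-filter decision: drop if the source falls in a denied network."""
    ip = ipaddress.ip_address(src_ip)
    for net in DENY_NETWORKS:
        if ip.version == net.version and ip in net:
            return "drop"
    return "accept"


def waf_verdict(method: str, target: str) -> str:
    """WAF decision: decode the request target, then look for attack patterns."""
    # Decode twice: double URL-encoding is a common trick against single-pass decoders.
    decoded = unquote(unquote(target))
    for name, pattern in WAF_PATTERNS.items():
        if pattern.search(decoded):
            return f"block:{name}"
    return "pass"


def process(src_ip: str, method: str, target: str):
    """Return (stage, verdict): which layer decided and what it decided."""
    if firewall_verdict(src_ip) == "drop":
        return ("csf", "drop")          # never reaches Apache/ModSecurity
    return ("modsec", waf_verdict(method, target))


# Constructed sample traffic, one tuple per request.
REQUESTS = [
    ("203.0.113.7", "GET", "/index.php"),                                              # denied source, benign request
    ("198.51.100.5", "GET", "/index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users"),  # allowed source, SQLi
    ("2001:db8:bad::1", "GET", "/"),                                                   # denied IPv6 source
    ("2001:db8:1::1", "GET", "/download?file=..%2F..%2Fetc%2Fpasswd"),                 # allowed source, traversal
    ("198.51.100.6", "GET", "/about"),                                                 # allowed source, benign
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req[0], req[2], "->", process(*req))
```

The second and fourth requests are the point: their source addresses are not on any list, so a pure IP filter accepts them, and only the layer that reads the request body catches the payload. The first and third never reach the WAF at all, which is the cheap path you want for known-bad sources.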

RadWebHosting

Hi @WorkinOnIt,

You can minimize impact on performance and maximize effectiveness of blocking dubious hosts/networks by compiling a single aggregate list.

In practice, this should give the best security with least performance penalty to your server.

You can check Boiler Room's IP Blocklist (The Boiler Room) for ideas.
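As an added worked example of the aggregation RadWebHosting suggests (not code from the thread or from CSF), the script below merges several feeds into one deduplicated list. It parses three formats that appear on this thread: the DShield block list (tab-separated start, end and prefix length), the Spamhaus DROP files (CIDR followed by `; SBL` comments, IPv4 and IPv6) and CSF's own `csf.deny` style (`address # comment`). Overlapping and adjacent ranges are collapsed with `ipaddress.collapse_addresses`, which is the part that actually reduces the number of iptables rules CSF has to load. All sample feed contents are constructed using documentation ranges and are not real abusive networks.

```python
import ipaddress

# Constructed feed excerpts in the real formats (documentation ranges only).
DSHIELD_SAMPLE = """\
# DShield block list: start<TAB>end<TAB>prefixlen<TAB>attacks<TAB>name<TAB>country<TAB>email
203.0.113.0\t203.0.113.255\t24\t120\tEXAMPLE-NET\tZZ\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t80\tEXAMPLE-NET2\tZZ\tabuse@example.org
"""
SPAMHAUS_DROP_SAMPLE = """\
; Spamhaus DROP List - constructed sample
203.0.113.0/25 ; SBL000001
192.0.2.0/24 ; SBL000002
"""
SPAMHAUS_DROPV6_SAMPLE = """\
; Spamhaus IPv6 DROP List - constructed sample
2001:db8:bad::/48 ; SBL000003
"""
CSF_DENY_SAMPLE = """\
# csf.deny style entries
198.51.100.77 # manually denied 2020-07-01
2001:db8:bad:1::/64 # do not delete
"""


def parse_list(text):
    """Yield ip_network objects from DShield, Spamhaus DROP or csf.deny style text."""
    for raw in text.splitlines():
        # Both '#' (DShield, CSF) and ';' (Spamhaus) introduce comments.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) >= 3 and fields[2].isdigit():
            # DShield: first field is the range start, third is the prefix length.
            yield ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        else:
            # Spamhaus / csf.deny: a bare address or CIDR is the first token.
            yield ipaddress.ip_network(line.split()[0], strict=False)


def aggregate(texts):
    """Merge several feeds into the smallest equivalent set of networks."""
    v4, v6 = [], []
    for text in texts:
        for net in parse_list(text):
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses dedups and merges overlapping/adjacent ranges but
    # refuses mixed address families, hence the split above.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_csf_deny(nets):
    """csf.deny lines: bare address for single hosts, CIDR for ranges."""
    lines = []
    for net in nets:
        entry = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"{entry} # aggregated blocklist")
    return lines


def is_listed(ip, nets):
    """Lookup helper to sanity-check the merged list before deploying it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    feeds = [DSHIELD_SAMPLE, SPAMHAUS_DROP_SAMPLE, SPAMHAUS_DROPV6_SAMPLE, CSF_DENY_SAMPLE]
    merged = aggregate(feeds)
    print("\n".join(render_csf_deny(merged)))
```

On the constructed input, seven entries collapse to four: the Spamhaus /25 disappears into the DShield /24 that contains it, the single `csf.deny` host is absorbed by its /24, and the IPv6 /64 folds into the /48. Run this on a schedule, write the output somewhere CSF can read it (either appended to `csf.deny` or served as a single URL entry in `csf.blocklists`), and you get one ruleset to load instead of one per feed. Whichever feeds you choose, check their entry counts against the maximum CSF is configured to load, since a feed that is silently truncated protects less than it appears to.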