The Community Forums


ModSec shows security scanner scanning 127.0.0.1

Discussion in 'Security' started by Spork Schivago, Jun 21, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    481
    Likes Received:
    53
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm a bit worried here. I'm looking at the logs in ModSec and I see a whole bunch of these!

    Code:
    2017-06-21 11:19:03 127.0.0.1 170.81.59.28 CRITICAL 403
    2017-06-21 11:19:03 127.0.0.1 170.81.59.28 CRITICAL 403
    2017-06-21 11:19:03 127.0.0.1 170.81.59.28 403
    2017-06-21 11:19:02 170.81.59.28 WARNING 200
    2017-06-21 11:18:33 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:33 170.81.59.28 WARNING 403
    2017-06-21 11:18:33 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:33 170.81.59.28 403
    2017-06-21 11:18:22 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:22 170.81.59.28 WARNING 403
    2017-06-21 11:18:22 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:22 170.81.59.28 403
    2017-06-21 11:18:19 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:19 170.81.59.28 WARNING 403
    2017-06-21 11:18:19 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:19 170.81.59.28 403
    2017-06-21 11:18:10 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:10 170.81.59.28 WARNING 403
    2017-06-21 11:18:10 170.81.59.28 CRITICAL 403
    2017-06-21 11:18:10 170.81.59.28 403
    
    2017-06-21 10:59:36 177.19.152.77 WARNING 200
    2017-06-21 10:59:36 127.0.0.1 177.19.152.77 CRITICAL 403
    2017-06-21 10:59:36 127.0.0.1 177.19.152.77 CRITICAL 403
    2017-06-21 10:59:36 127.0.0.1 177.19.152.77 403
    2017-06-21 10:59:16 177.19.152.77 CRITICAL 403
    2017-06-21 10:59:16 177.19.152.77 WARNING 403
    2017-06-21 10:59:16 177.19.152.77 CRITICAL 403
    2017-06-21 10:59:16 177.19.152.77 403
    2017-06-21 10:59:05 177.19.152.77 CRITICAL 403
    2017-06-21 10:59:05 177.19.152.77 WARNING 403
    ...
    
    For the majority of them, the host address is blank, it's just the last three that show a host address of 127.0.0.1. How is that possible, unless the hacker got in?

    I have ConfigServer Firewall running and it shows the IP address has been blocked in csf.deny
    Code:
    csf.deny:170.81.59.28 # lfd: (mod_security) mod_security (id:949110) triggered by 170.81.59.28 (BR/Brazil/-): 5 in the last 3600 secs - Wed Jun 21 11:19:08 2017
    
    csf.deny:177.19.152.77 # lfd: (mod_security) mod_security (id:949110) triggered by 177.19.152.77 (BR/Brazil/177.19.152.77.static.adsl.gvt.net.br): 5 in the last 3600 secs - Wed Jun 21 10:59:37 2017
    
    There's a lot more than 5 hits in ModSec within an hour there, so I don't see how they could connect so many times before CSF blocked them.

    It seems after a bit there, they change IP addresses or maybe they're behind some sort of proxy, I'm just really worried that they were able to scan my site sooo many times from a single IP address. They should have been banned after 5 attempts, not after 20. I'm wondering if maybe ModSec isn't configured the best way. What do you guys think?

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,204
    Likes Received:
    1,296
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Do you see any corresponding entries in /usr/local/apache/logs/error_log?

    Thank you.
     
  3. Spork Schivago

    Only the ModSec warnings and access denied messages. So ModSec definitely seemed to have caught everything. I checked by running:
    Code:
    # -F matches the address literally, so the dots are not treated as regex wildcards
    grep -F "170.81.59.28" /usr/local/apache/logs/error_log
    grep -F "177.19.152.77" /usr/local/apache/logs/error_log
    
    Here's one such error:
    Code:
    [Wed Jun 21 10:59:36.828168 2017] [:error] [pid 22405] [client 177.19.152.77] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/403.shtml"] [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    
    I just don't see how they were able to connect to hostname 127.0.0.1. This really worries me. I know I didn't run any security auditing programs on my server today. The logs go back to Apr 18th, 2017. I think I need to configure logrotate to rotate the Apache log files. This file has 137,912 lines of text. Kinda hard to just search through it line-by-line. I didn't realize it wasn't getting rotated until now.

    **EDIT:
    I just did a cat /etc/apache2/logs/error_log |grep "Jun 21" and was looking through the logs for today. I see this:
    Code:
    [Wed Jun 21 03:18:33.951543 2017] [:error] [pid 9187] [client 189.243.215.32] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "286"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUodyUfdaYpceMtB-IrhegAAAAM"]
    
    [Wed Jun 21 03:40:02.730963 2017] [mpm_prefork:notice] [pid 31398] AH00169: caught SIGTERM, shutting down
    
    It looks like mpm_prefork caught a SIGTERM from something.

    Then, further down, I see where they're attacking the cPanel stuff, like webmail, webdisk, etc:
    Code:
    [Wed Jun 21 04:24:23.871687 2017] [:error] [pid 20975] [client 150.255.241.72] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "webdisk.mydomain.com"] [uri "/"] [unique_id "WUotNwSJtbjWrgTJqD3L8QAAAAA"]
    
    [Wed Jun 21 04:24:23.871954 2017] [:error] [pid 20975] [client 150.255.241.72] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner"] [tag "event-correlation"] [hostname "webdisk.mydomain.com"] [uri "/403.shtml"] [unique_id "WUotNwSJtbjWrgTJqD3L8QAAAAA"]
    
    [Wed Jun 21 05:05:26.748170 2017] [mpm_prefork:notice] [pid 20973] AH00171: Graceful restart requested, doing restart
    
    [Wed Jun 21 05:05:26.813155 2017] [mpm_prefork:notice] [pid 20973] AH00163: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Wed Jun 21 05:05:26.813176 2017] [core:notice] [pid 20973] AH00094: Command line: '/usr/sbin/httpd'
    
    [Wed Jun 21 07:02:11.015617 2017] [mpm_prefork:notice] [pid 20973] AH00171: Graceful restart requested, doing restart
    
    [Wed Jun 21 07:02:11.127054 2017] [mpm_prefork:notice] [pid 20973] AH00163: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Wed Jun 21 07:02:11.127080 2017] [core:notice] [pid 20973] AH00094: Command line: '/usr/sbin/httpd'
    
    [Wed Jun 21 08:00:53.339555 2017] [mpm_prefork:notice] [pid 20973] AH00171: Graceful restart requested, doing restart
    
    [Wed Jun 21 08:00:53.406388 2017] [mpm_prefork:notice] [pid 20973] AH00163: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Wed Jun 21 08:00:53.406407 2017] [core:notice] [pid 20973] AH00094: Command line: '/usr/sbin/httpd'
    
    [Wed Jun 21 09:00:04.625748 2017] [mpm_prefork:notice] [pid 20973] AH00171: Graceful restart requested, doing restart
    
    [Wed Jun 21 09:00:04.741106 2017] [mpm_prefork:notice] [pid 20973] AH00163: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Wed Jun 21 09:00:04.741123 2017] [core:notice] [pid 20973] AH00094: Command line: '/usr/sbin/httpd'
    
    [Wed Jun 21 10:59:05.086834 2017] [:error] [pid 22405] [client 177.19.152.77] ModSecurity: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: masscan found within REQUEST_HEADERS:User-Agent: masscan/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUqJuVOPZK5TZCwIZnIQrwAAAAU"]
    
    That's a lot of Apache graceful restarts. Do you think they found some way into cPanel / WHM or something? This was just a snippet, they seemed to have tried attacking or scanning every single cPanel subdomain.
     
    #3 Spork Schivago, Jun 21, 2017
    Last edited: Jun 21, 2017
  4. Spork Schivago

    And here's where the hostname changes to 127.0.0.1.

    Code:
    [Wed Jun 21 10:59:16.225079 2017] [:error] [pid 21522] [client 177.19.152.77] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "286"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUqJxJSC2DOM-OoSVKnYtgAAAAI"]
    
    [Wed Jun 21 10:59:16.225376 2017] [:error] [pid 21522] [client 177.19.152.77] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUqJxJSC2DOM-OoSVKnYtgAAAAI"]
    
    [Wed Jun 21 10:59:16.226031 2017] [:error] [pid 21522] [client 177.19.152.77] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request Missing a Host Header"] [tag "event-correlation"] [hostname "<my IPv4 address>"] [uri "/403.shtml"] [unique_id "WUqJxJSC2DOM-OoSVKnYtgAAAAI"]
    
    [Wed Jun 21 10:59:36.555645 2017] [:error] [pid 21520] [client 177.19.152.77] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "286"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUqJ2C4i6EArRCVMjk-sRgAAAAA"]
    
    [Wed Jun 21 10:59:36.827060 2017] [:error] [pid 22405] [client 177.19.152.77] ModSecurity: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: masscan found within REQUEST_HEADERS:User-Agent: masscan/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "127.0.0.1"] [uri "/"] [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    
    [Wed Jun 21 10:59:36.827493 2017] [:error] [pid 22405] [client 177.19.152.77] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/"] [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    
    [Wed Jun 21 10:59:36.828168 2017] [:error] [pid 22405] [client 177.19.152.77] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner"] [tag "event-correlation"] [hostname "127.0.0.1"] [uri "/403.shtml"] [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    
    [Wed Jun 21 11:13:29.516890 2017] [mpm_prefork:notice] [pid 20973] AH00171: Graceful restart requested, doing restart
    
    [Wed Jun 21 11:13:29.623630 2017] [mpm_prefork:notice] [pid 20973] AH00163: Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
    
    [Wed Jun 21 11:13:29.623659 2017] [core:notice] [pid 20973] AH00094: Command line: '/usr/sbin/httpd'
    
    [Wed Jun 21 11:18:10.224818 2017] [:error] [pid 28836] [client 170.81.59.28] ModSecurity: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: masscan found within REQUEST_HEADERS:User-Agent: masscan/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "<my IPv4 address>"] [uri "/"] [unique_id "WUqOMiNGw7k3KFp1zwRbAwAAAAI"]
    
     
  5. Spork Schivago

    I should add that I do have some IP addresses whitelisted in CSF and ModSec, but they belong to ScanMyServer....
    Code:
    # CSF Whitelisted IP addresses
    <home IPv4 address>             # Our home IPv4 address - Thu Apr 20 22:56:20 2017
    <home IPv6 address (8-bytes)>::/64  # Our home IPv6 address - Sun Jun 18 12:48:32 2017
    64.41.200.0/24            # SSL Lab's server (for scanning our SSL certs)
    54.215.13.26              # scanmyserver
    54.235.163.229            # scanmyserver
    162.213.1.246             # scanmyserver
    
    Include /etc/csf/cpanel.comodo.allow
    Include /etc/csf/cpanel.allow
    
    
    Code:
    #ModSec Whitelisted IP addresses
    # Rule to allow cPanel whm-server-status requests with missing mandatory headers.
      SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
      "msg:'Matched 127.0.0.1 and matched whm-server-status. Disabling rules 920280 and 920350',\
      phase:1,\
      id:8888777,\
      t:none,\
      pass,\
      nolog,\
      chain"
        SecRule REQUEST_FILENAME "whm-server-status$" \
          "t:none,\
            ctl:ruleRemoveById=920280,\
            ctl:ruleRemoveById=920350"
    
    # Rule to whitelist our home IPv4.
      SecRule REMOTE_ADDR "@ipMatch <home IPv4 address>" \
      "msg:'Matched Home IPv4 Address (<home IPv4 address>).  Disabling ModSec',\
      phase:1,\
      t:none,\
      pass,\
      log,\
      ctl:ruleEngine=Off,\
      id:8888778"
    
    # Rule to whitelist our home IPv6 address.
      SecRule REMOTE_ADDR "@ipMatch <home IPv6 address range (8-bytes)>::/64" \
      "msg:'Matched Home IPv6 Address (<home IPv6 address range (8-bytes)>::/64).  Disabling ModSec',\
      phase:1,\
      t:none,\
      pass,\
      log,\
      ctl:ruleEngine=Off,\
      id:8888779"
    
    # Rule to whitelist scan my server.
      SecRule REMOTE_ADDR "@ipMatch 54.215.13.26,54.235.163.229,162.213.1.246" \
      "msg:'ScanMyServer.com is scanning our server.  Disabling ModSec',\
      phase:1,\
      t:none,\
      pass,\
      nolog,\
      ctl:ruleEngine=Off,\
      id:8888780"
    
    I majored in networking up at the local college, and I just don't see how it's possible for a user to connect to the hostname 127.0.0.1 without having access to the actual server. All I can think is somehow, they got in. It doesn't make sense though, I mean the remote address is still showing....it's like somehow they broke something and made Apache or something else try connecting to the local host. This worries me. It makes me think they didn't gain root access or remote access, but they found some sort of weakness in my security system and were able to get my server to do stuff it wasn't meant to do....
     
    #5 Spork Schivago, Jun 21, 2017
    Last edited: Jun 21, 2017
  6. Spork Schivago

    I see some stuff in the access_log as well:
    Code:
    41.209.71.187 - - [21/Jun/2017:00:08:27 -0400] "GET login.cgi HTTP/1.0" 400 10084 "-" "-"
    
    127.0.0.1 - - [21/Jun/2017:11:15:32 -0400] "GET /whm-server-status?auto HTTP/1.1" 200 1157 "-" "csf/"
    ::1 - - [21/Jun/2017:11:16:05 -0400] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
    ::1 - - [21/Jun/2017:11:16:06 -0400] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.25 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 (internal dummy connection)"
    
    
    164.52.7.132 - - [21/Jun/2017:15:27:41 -0400] "\x16\x03\x01\x01\"\x01" 400 10066 "-" "-"
    164.52.7.132 - - [21/Jun/2017:15:27:48 -0400] "USER test +iw test :Test Wuz Here" 400 10074 "-" "-"
    164.52.7.132 - - [21/Jun/2017:15:27:48 -0400] "GET / HTTP/1.1" 200 111 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
    
    I don't understand the first one there, IP 41.209.71.187. I don't have a login.cgi script, but it shows it returned a 400 and sent 10084 bytes of data. When I tried going to mydomain.com/login.cgi, I get a 404, not a 400.

    I think with 164.52.7.132, they sent some sort of payload (the "\x16\x03\x01\x01\"\x01"). Wonder what the 10066 bytes were that got returned there.
     
  7. fuzzylogic

    fuzzylogic Active Member

    Joined:
    Nov 8, 2014
    Messages:
    39
    Likes Received:
    13
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    What is missing here is any reference to details of requests. Modsecurity does what it does based on the details of individual http requests.
    These details are logged at /usr/local/apache/logs/modsec_audit.log
    I think the best help I can give is to describe how I analyze concerning modsec hits.
    1) Start with cPanel's ui "WHM >> Security Center >> ModSecurity Tools >> Hits" and find a concerning modsec rule hit.
    You will commonly find multiple (about 4) hits with identical Date-Time, Host and Source and Request (click the "More" link to see the Request).
    These are 4 rules hit by the one request.
    I believe this is the data you put in your first post.
    This explains the miscount by you of the number of 403 responses to an IP before CSF blocked the IP (CSF correctly counted 5 requests).
    2) The data in the Hits list is a summary of data in the modsec_audit.log,
    The next step is to investigate the concerning modsec rule hit by finding it in the modsec_audit.log.
    Copy its Source IP or the Time portion of the Date/Time.
    The most convenient way I have to do this is to use CSF >> Watch System Logs >> /usr/local/apache/logs/modsec_audit.log
    I Pause the Refresh button and increase the number of lines to 10000.
    I use a browser search (CTRL+F) and paste the source IP of the concerning modsec rule hit (CTRL+V) (ENTER).
    If the IP has multiple requests in the log you may have to (F3) through the results to find the request you want.
    The data you want is 30 or more lines per request. It includes the request headers, response headers, post and get vars(sometimes), multiple rules hit.
    If you do not have modsec_audit.log listed in the CSF log files then add the line...
    /usr/local/apache/logs/modsec_audit.log
    to /etc/csf/csf.syslogs
    3) Start analyzing the request types one at a time. For example:
    a) The Requests from 127.0.0.1, what were the requests?
    I suspect they were for /whm-server-status/
    The exclusion rule id:8888777 you posted has been updated to also catch requests to /whm-server-status/
    SecRule REQUEST_FILENAME "whm-server-status$" \
    should be
    SecRule REQUEST_FILENAME "^/whm-server-status\/?$" \
    b) What you called attack from 177.19.152.77. (I would call it a scan by an exploit scanner)
    177.19.152.77 is in Brazil.
    In the request header it named itself as masscan in the User-Agent header and OWASP_CRS rule id:913100 blocked the request because of that User-Agent header.
    c) What you called attack from 150.255.241.72. (I would call it a scan by an exploit scanner)
    150.255.241.72 is in China.
    "Found User-Agent associated with security scanner"
    You posted 2 modsec rule hits for this ip with times within milliseconds of each other. These are for the one request or a redirect to /403.shtml from the blocked request. There would have been other rule hits for this request.
    d) 400 errors.
    These are a good hint (but not an indicator) that Apache (not modsecurity) blocked a bad (malformed/non-spec) request.
    The output would be the content of a 400 error page or 404 error page if 400 error was not found.
    This type of blocking happens before modsecurity is loaded so no modsecurity logging occurs for them by default.

    Hope this helps.
     
    #7 fuzzylogic, Jun 21, 2017
    Last edited: Jun 21, 2017
  8. fuzzylogic

    a) The Requests from 127.0.0.1.
    I did not address this very well.
    All the logs you posted regarding the [hostname "127.0.0.1"] issue were about log events that occurred within one second of each other. I strongly suspect that all 4 of the modsec rule hits are for the same request but due to some fault or interruption or redirect they were logged as separate requests and in the process the hostname variable was loaded incorrectly.
    Code:
    2017-06-21 10:59:36.555645 myIPv4addr 177.19.152.77 WARNING 200  [unique_id "WUqJ2C4i6EArRCVMjk-sRgAAAAA"]
    2017-06-21 10:59:36.827060 127.0.0.1 177.19.152.77 CRITICAL 403  [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    2017-06-21 10:59:36.827493 127.0.0.1 177.19.152.77 CRITICAL 403  [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    2017-06-21 10:59:36.828168 127.0.0.1 177.19.152.77 403           [unique_id "WUqJ2FOPZK5TZCwIZnIQsAAAAAU"]
    
    2017-06-21 10:59:37.?????? csf.deny:177.19.152.77 # lfd: (mod_security)
    Could you search /usr/local/apache/logs/modsec_audit.log for the request unique_id WUqJ2FOPZK5TZCwIZnIQsAAAAAU and
    WUqJ2FOPZK5TZCwIZnIQsAAAAAU which should be directly below it?
    Could you post the logs for these requests? It will be about 30 lines?
     
  9. Spork Schivago

    I'm sorry it's taken so long to get back to you. My mum and dad are very sick. I've searched modsec_audit.log for the first query there, and it shows a one-liner. I tried loading the file into nano, but there's over a million lines. It's hard to search through that many lines in nano.

    Code:
    --88f23d36-A--
    [21/Jun/2017:10:59:36 --0400] WUqJ2C4i6EArRCVMjk-sRgAAAAA 177.19.152.77 12054 <my IPv4 address> 80
    
    --88f23d36-B--
    GET / HTTP/1.0
    
    --88f23d36-F--
    HTTP/1.1 200 OK
    Last-Modified: Mon, 15 May 2017 16:28:41 GMT
    Accept-Ranges: bytes
    Content-Length: 111
    Connection: close
    Content-Type: text/html
    
    --88f23d36-E--
    
    --88f23d36-H--
    Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "286"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    Stopwatch: 1498057176554839 1650 (- - -)
    Stopwatch2: 1498057176554839 1650; combined=950, p1=392, p2=365, p3=35, p4=117, p5=41, sr=56, sw=0, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
    Server: Apache
    Engine-Mode: "ENABLED"
    
    --88f23d36-Z--
    
    
    
    
    --88f23d36-A--
    [21/Jun/2017:10:59:36 --0400] WUqJ2FOPZK5TZCwIZnIQsAAAAAU 177.19.152.77 12131 <my IPv4 address> 80
    
    --88f23d36-B--
    GET / HTTP/1.1
    Host: 127.0.0.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: masscan/1.0
    
    --88f23d36-F--
    HTTP/1.1 403 Forbidden
    Accept-Ranges: bytes
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    
    --88f23d36-H--
    Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: masscan found within REQUEST_HEADERS:User-Agent: masscan/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    
    Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
    
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Found User-Agent associated with security scanner"] [tag "event-correlation"]
    
    Action: Intercepted (phase 2)
    Apache-Handler: default-handler
    Stopwatch: 1498057176826307 1968 (- - -)
    Stopwatch2: 1498057176826307 1968; combined=1045, p1=370, p2=506, p3=0, p4=0, p5=134, sr=56, sw=35, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
    Server: Apache
    Engine-Mode: "ENABLED"
    
    --88f23d36-Z--
    
    
    
    
    --e6812b0b-A--
    [21/Jun/2017:11:18:10 --0400] WUqOMiNGw7k3KFp1zwRbAwAAAAI 170.81.59.28 4956 <my IPv4 address> 80
    
    --e6812b0b-B--
    GET / HTTP/1.0
    Cache-Control: no-cache
    Connection: close
    Pragma: no-cache
    User-Agent: masscan/1.0
    
    --e6812b0b-F--
    HTTP/1.1 403 Forbidden
    Accept-Ranges: bytes
    Connection: close
    Content-Type: text/html
    
    --e6812b0b-H--
    Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [rev "2"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: masscan found within REQUEST_HEADERS:User-Agent: masscan/1.0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    
    Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "286"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
    
    Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
    
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request Missing a Host Header"] [tag "event-correlation"]
    
    Action: Intercepted (phase 2)
    Apache-Handler: default-handler
    Stopwatch: 1498058290224065 1992 (- - -)
    Stopwatch2: 1498058290224065 1992; combined=1114, p1=378, p2=563, p3=0, p4=0, p5=136, sr=61, sw=37, l=0, gc=0
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
    Server: Apache
    Engine-Mode: "ENABLED"
    
    --e6812b0b-Z--
    
    It looks like we're good and you explained everything. Thank you! So, I think there's a bug in Apache. Apache's error_log shows the hostname [127.0.0.1], which is probably where WHM pulls them from. The ModSec log shows the proper hostname.

    Also, thank you for taking the time to explain how I was miscounting. Because of you, I now have a much better understanding of the ModSec log files!

    I see the whm-server-status stuff is no longer being logged, except for in the access_log file for Apache. I wonder if there's a way to get Apache not to log entries for that if they're from 127.0.0.1. That's something I'll start googling tomorrow.
     
    #9 Spork Schivago, Jun 22, 2017
    Last edited: Jun 22, 2017
  10. Spork Schivago

    Spork Schivago Well-Known Member

    This helped a lot, you sharing how you analyze the logs. I've been analyzing them incorrectly. This was invaluable information that you shared with me and it's much appreciated.

    Yes, they're exploit scanners / auditing software / etc. I just personally consider them an attack. I know this is wrong though. I remember when I was young and was exploring and got in a lot of trouble because of it. I wasn't actually trying to attack anyone, I was just exploring. But now, I don't know, I guess when I see someone actively looking for exploits on my system, I assume they're trying to break in and they're just at the beginning. Trying to figure out what's on my server, then trying to find out what version of the software and seeing if there's any known exploits, and then executing those exploits. I'll be sure to use the proper terminology in the future.

    There's still something I don't understand. Why did Apache restart so many times? All the ones that looked like this:
    [Wed Jun 21 20:02:09.896757 2017] [mpm_prefork:notice] [pid 13513] AH00169: caught SIGTERM, shutting down

    Now that doesn't mean Apache is actually receiving the SIGTERM, right? Just the mpm_prefork module?

    Also, I was looking at the logrotate.d files and I guess the modsec_audit.log file is being rotated. With over a million lines, it's only 83MB. It rotates at 300MB! I'm thinking of maybe doing daily rotates and saving a total of two weeks' worth. Does that sound good? Then I can just set up a script on my home Linux box to download the files every night or so...
     
    #10 Spork Schivago, Jun 22, 2017
    Last edited: Jun 22, 2017
  11. Spork Schivago

    Spork Schivago Well-Known Member

    Maybe something like:
    Code:
    /usr/local/apache/logs/modsec_audit.log {
        rotate 15
        daily
        missingok
        compress
        postrotate
            /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
        endscript
    }
    
    I don't know if it's possible or not, but I'd like them to get moved to the /var/log/modsec/ directory. /usr/local/apache/logs is a symbolic link to /etc/apache2/logs, which is a symbolic link to /var/log/apache2. I think the only way to do it would be to change where the modsec logs get saved to (in Apache), but I didn't really want to do that. In the postrotate, maybe I could find some fancy scripting to do it, like if statements to see if a compressed modsec_audit.log file exists, and if it does, move it to the /var/log/modsec directory....I dunno.
     
  12. fuzzylogic

    fuzzylogic Active Member

    Joined:
    Nov 8, 2014
    Messages:
    39
    Likes Received:
    13
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    About "caught SIGTERM, shutting down", see "Apache is OK, but what is this in error.log - [mpm_prefork:notice]?" for an explanation.

    I would be cautious moving files in an application other people develop.
    It's very easy for things to break when an update happens if the files are not where the developers expect them to be.

    My modsec_audit.log is 108MB and goes back to Feb. and I have no problems with that.
    It is only a problem if you try to open it in an editor.
    If you check logs with ssh then commands like
    grep "13:03:40" -B 10 -A 30 /usr/local/apache/logs/modsec_audit.log
    and
    tail --lines=1000 /usr/local/apache/logs/modsec_audit.log
    can be helpful.

    My point about exploit scanners is that we should expect them to visit, and from new IPs all the time.
    The best we can do is, when they identify themselves by their behavior, to block them efficiently in a way that prevents them from having a free run at scanning and that protects the server's resources from being wasted.
     
    Spork Schivago likes this.
  13. Spork Schivago

    Spork Schivago Well-Known Member

    This makes sense. I bet there were so many forks because of how many times they were connecting. I've researched masscan and I don't really think they were targeting my server directly. I think they were just scanning a range of IPs and I just happened to be one of them. For what it's worth, there were two IP addresses from Brazil using Masscan and that one from I think Japan (the IRC stuff). I think the Brazil guy, once he got blocked, had another IP address he was using or was behind some sort of proxy.

    Even just the logrotated log files? Okay. Maybe I can set up some sort of symbolic link. I have to learn a little more about the logrotate config files. I want to see if there's some sort of variable that tells me the name of the rotated file. For example, the first day, it might be something like modsec_audit.log, but the second day, it might be something like modsec_audit.log-20170619.gz. If that's the case, maybe I can just use the date command to set up the symbolic link, something like:
    Code:
    /usr/local/apache/logs/modsec_audit.log {
        rotate 15
        daily
        missingok
        # dateext names the rotated copy modsec_audit.log-YYYYMMDD; compress then adds .gz
        dateext
        compress
        # the link target must be an absolute path: a bare file name would be resolved
        # relative to /var/log/modsec and the link would dangle
        postrotate
            ln -s /var/log/apache2/modsec_audit.log-$(date +%Y%m%d).gz /var/log/modsec/modsec_audit.log-$(date +%Y%m%d).gz
            /usr/local/cpanel/scripts/restartsrv_httpd 2> /dev/null > /dev/null || true
        endscript
    }
    
    So, let's say I want to see everything from Jun 24 in modsec_audit.log. I've read the manpage and see that -B 10 will show me 10 lines before the matching string, and -A 30 will show me 30 lines after the matching string. Would something like
    grep "24/Jun" -B 10 -A 30 /usr/local/apache/logs/modsec_audit.log show me everything from June 24? Because of the size of the file, it's a bit hard to check. I've run the command and then I ran:
    Code:
    grep "24/Jun" -B 10 -A 30 modsec_audit.log | wc -l
    
    and see 107 lines. If I can be certain this will show me everything from Jun 24th, then I think I can just use the command you've shown me instead of trying to view it with nano. I'll also start using the CSF log viewer stuff, that should help a lot.

    Okay. I'm still fairly new to renting a VPS. I've run Linux for years, but I've never really had a computer that was opened up for visitors on the net. I see the logs and I'm like oh no! Someone's trying to break in! When in reality, it's probably just someone messing around or having some fun, or even just completely unaware of my server and just using some script to scan a bunch of IP addresses, trying to find ways in.

    When I worked in Deposit, we got hacked. I was the one to notice. There was this false sense of security. All the banking information (social security numbers, credit card numbers, addresses, security questions, etc) were stored on an old Novell server that was using the IPX protocol. The head IT guy was saying it couldn't be accessed through the internet because of this. However, the PCs on the network that were accessing this Novell server, they had the IPX protocol and the TCP/IP protocol. Someone hacked one of our servers that contained the website for our company. They used a script that found a vulnerability in some software. The software had a patch that should have been applied years ago, but the main IT guy didn't know much about Linux and felt updating the system was a horrible idea. He'd say if it ain't broke, don't fix it! If we update it, who knows what will break. I always felt this is why we needed two systems. One for production, one for development. Anyways, they got in and we got lucky. They just defaced the website and uploaded this executable file that connected back to them saying we're in, the name of the domain, and what time it was hacked. I was the one assigned to dissect the program. I found where it was connecting back to them and traced the IP. It was this college where they were having this hacking contest. The person who had hacked us had already hacked like 500 servers. They'd keep track of what type of hack it was (for us, a defacement) and how long it took for the company to notice. We didn't have diplomatic relations with the country or anything and the owner said there wasn't much we could do, legally. But after that, they put me in charge of the Linux boxes and I made sure they were updated on a regular basis.
     
  14. fuzzylogic

    fuzzylogic Active Member

    I usually approach modsec rule hits one at a time when at the modsec_audit.log level.
    To get the block of data you mentioned (all from 24/June) you could try...
    Code:
    awk '/24\/Jun/,/25\/Jun/' /usr/local/apache/logs/modsec_audit.log
    Notice escaped forward slashes within the 2 regex matches.

    When using grep for searches that return multiple blocks, such as for a date or an IP, the group separator may help you see where a block ends or whether the block is truncated.
    Code:
    grep --group-separator="========" -A 30 -B 2 "177\.19\.152\.77" /usr/local/apache/logs/modsec_audit.log
     
    Spork Schivago likes this.
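An added example (not fuzzylogic's or Spork Schivago's code) that serves both the question in post #13 about pulling one day out of modsec_audit.log with `grep -B/-A` and the `awk` range and `--group-separator` answer in post #14: instead of a fixed window of lines, it works on whole transactions, which in the ModSecurity 2.x serial audit format run from the `--<id>-A--` header to the `--<id>-Z--` trailer, so nothing is truncated and nothing from a neighbouring transaction bleeds in. The sample log is constructed in the layout of the excerpt earlier in this thread (documentation-range addresses, shortened H sections); the function names are assumptions; on the server you would feed the functions `/usr/local/apache/logs/modsec_audit.log` on stdin.

```shell
#!/bin/sh
# Added example, not code from the thread: select and summarise complete
# transactions in a ModSecurity 2.x serial audit log. A transaction runs from
# its "--<id>-A--" header to its "--<id>-Z--" trailer, so working on whole
# blocks avoids the truncation a fixed "grep -A 30" window can produce.

# Constructed sample in the layout of the excerpt above: two transactions on
# 24/Jun (one blocked, one passed) and one on 25/Jun. Addresses are
# documentation ranges, not real hosts; the H sections are shortened.
SAMPLE_AUDIT_LOG='--aaaa0001-A--
[24/Jun/2017:10:00:01 --0400] AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.10 50000 198.51.100.5 80

--aaaa0001-B--
GET / HTTP/1.0
User-Agent: masscan/1.0

--aaaa0001-H--
Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [id "913100"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--aaaa0001-Z--

--aaaa0002-A--
[24/Jun/2017:23:59:59 --0400] BBBBBBBBBBBBBBBBBBBBBBBB 203.0.113.11 50001 198.51.100.5 80

--aaaa0002-B--
GET /index.html HTTP/1.0

--aaaa0002-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920280"] [severity "WARNING"]

--aaaa0002-Z--

--aaaa0003-A--
[25/Jun/2017:00:00:05 --0400] CCCCCCCCCCCCCCCCCCCCCCCC 203.0.113.10 50002 198.51.100.5 80

--aaaa0003-B--
GET / HTTP/1.0
User-Agent: masscan/1.0

--aaaa0003-H--
Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [id "913100"] [severity "CRITICAL"]

--aaaa0003-Z--
'

# audit_select DAY CLIENT_IP   (either may be "" for "any")
# Reads an audit log on stdin and prints every complete transaction whose
# A section matches. DAY uses the log's own form, e.g. 24/Jun/2017, and is
# anchored at the start of the timestamp so body text cannot match.
audit_select() {
    awk -v day="$1" -v ip="$2" '
        /^--[0-9a-f]+-[A-Z]--$/ {                  # section boundary line
            sec = substr($0, length($0) - 2, 1)     # the section letter
            if (sec == "A") { block = ""; keep = 0 }
            block = block $0 ORS
            if (sec == "Z" && keep) printf "%s", block
            next
        }
        {
            block = block $0 ORS
            # first line of section A: "[day:time zone] txid client port server port"
            if (sec == "A" && $1 ~ /^\[/) {
                dayok = (day == "" || index($1, "[" day ":") == 1)
                ipok  = (ip == ""  || $4 == ip)
                keep  = dayok && ipok
            }
        }'
}

# audit_summary: one line per transaction on stdin,
#   timestamp client_ip rule_ids action
# so hits are counted per transaction, not per "Message:" line.
audit_summary() {
    awk '
        /^--[0-9a-f]+-[A-Z]--$/ {
            sec = substr($0, length($0) - 2, 1)
            if (sec == "A") { ts = "?"; cip = "?"; ids = ""; act = "passed" }
            if (sec == "Z") print ts, cip, (ids == "" ? "-" : ids), act
            next
        }
        sec == "A" && $1 ~ /^\[/ { ts = substr($1, 2); cip = $4 }
        sec == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
            id  = substr($0, RSTART + 5, RLENGTH - 7)       # the digits inside [id "..."]
            ids = ids (ids == "" ? "" : ",") id
        }
        sec == "H" && /^Action: Intercepted/ { act = "blocked" }'
}

# count_transactions: number of transactions in the selection on stdin.
count_transactions() {
    awk '/^--[0-9a-f]+-A--$/ { n++ } END { print n + 0 }'
}

# On the server the same calls read the real file, e.g.
#   audit_select 24/Jun/2017 "" < /usr/local/apache/logs/modsec_audit.log
#   audit_summary < /usr/local/apache/logs/modsec_audit.log | awk '"'"'$4 == "blocked"'"'"'
printf '%s' "$SAMPLE_AUDIT_LOG" | audit_summary
```

Selecting by client address this way (`audit_select "" 170.81.59.28`) returns the same blocks the `--group-separator` grep in the post above aims at, but bounded by the `-Z--` trailer rather than a fixed 30 lines, and `audit_summary | awk '$4 == "blocked"' | wc -l` counts blocked transactions directly, which is the count the earlier discussion in this thread was trying to get right.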
  15. Spork Schivago

    Spork Schivago Well-Known Member

    This is perfect! Thank you! That --group-separator doesn't seem to do anything though. I see multiple groups returned, but I don't see the string "========" anywhere. I'll read the manpage, maybe I'm misunderstanding the purpose of the --group-separator option.

    I'm using blocklists in CSF. I have all of them enabled, except for OpenBL, which I believe is permanently gone now. I think these blocklists block a lot of known bad IP addresses. I wonder if there's any other ones that aren't listed in the csf.blocklists file that should be.

    Thanks!!!!!
     