OWASP mod_security rules not triggering CSF IP block anymore...

CanSpace

Well-Known Member
PartnerNOC
Nov 25, 2011
66
58
68
cPanel Access Level
DataCenter Provider
CSF has the option to ban an IP address after multiple mod_security triggers:

Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = Default: 5 [0-100]
LF_MODSEC_PERM = Default: 1 [0-604800]

This was working fine across all of our servers when we were using a custom version of the AtomiCorp delayed rules, but we've recently switched to the new OWASP rules provided by cPanel and the CSF detection seems to no longer be working - multiple triggers no longer result in an IP ban.

Anyone else encountered this?

CanSpace

We were suffering from the upcp bug but I've since re-enabled the rules. I'm seeing hits in the ModSecurity Tools page, and they are indeed showing up in the error_log.

Is anyone else successfully using the csf modsecurity trigger with the new owasp rules?

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
If the hits are showing in error_log, check your CSF config. LFD actively parses the error_log. It's unlikely this is wrong, but ensure this setting is correct in /etc/csf/csf.conf:

MODSEC_LOG = "/usr/local/apache/logs/error_log"

Also ensure that LFD is running; for some reason csf -r doesn't restart lfd. If you're in doubt just run "csf -x ; csf -e" to quickly disable and re-enable CSF/LFD.

I'm taking a look to see if maybe CSF isn't parsing the apache logs correctly for the OWASP rules... I'll edit this in a minute with what I figure out.

EDIT: Ok, so, if I trip rules in my custom rule set (which is also still included) then CSF blocks the IP. But, if I trip rules in the OWASP rule set, it doesn't block the IP in CSF. So, it seems this has to do with CSF's processing of the error log itself.

The logs do look a bit different between the two types of hits (custom basic deny rule, and the OWASP XSS rule):
(note to mods, I used quote instead of "code" on purpose so that lines wrap)
# BASIC DENY RULE:
[Mon Feb 09 15:17:46.512448 2015] [:error] [pid 18584] [client $MY.IP.ADD.RESS] ModSecurity: Access denied with code 500 (phase 2). Pattern match "/\\\\.\\\\./" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "301"] [id "300004"] [rev "2"] [msg "Generic Path Recursion denied"] [severity "CRITICAL"] [hostname "$MYSITE.com"] [uri "/"] [unique_id "VNkV6kMrAkQAAEiYWvkAAAAB"]
#OWASP RULE:
[Mon Feb 09 15:20:35.891669 2015] [:error] [pid 20940] [client $MY.IP.ADD.RESS] ModSecurity: Access denied with redirection to http://www.$MYSITE.com/ using status 302 (phase 2). detected XSS using libinjection. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-41-APPLICATION-ATTACK-XSS.conf"] [line "23"] [id "973343"] [rev "2"] [msg "XSS Attack Detected via Libinjection"] [data "Matched Data: http://www.$MYSITE.com/blog/wp-admin/ found within ARGS:log: <script"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "Host: www.$MYSITE.com"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [tag "https://libinjection.client9.com/"] [hostname "$MYSITE.com"] [uri "/blog/wp-login.php"] [unique_id "VNkWk0MrAkQAAFHMaMAAAAAH"]
It appears to be CSF mishandling it. Let's look at their regex.pm for ModSecurity:

Code:
#mod_security v2 (apache)
        if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)) { ***SNIP***
So the issue here is the regex that LFD is using only covers log lines containing "Access denied with code" or "Access denied with connection." It would need to be (code|connection|redirection) to work with rules that redirect the attacker like the OWASP rules.

You should report this as a bug to configserver. In the meantime, if you go into the file /usr/local/csf/bin/regex.pm you can make the edit to change (code|connection) to (code|connection|redirection) and it will work. I just tested this and it works great after restarting CSF/LFD.
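Added example (not from the thread or from CSF): a Python port of the regex.pm line-match quoted above, run over constructed error_log lines modelled on the two samples in the post, to show why the original alternation counts the custom deny hit but not the OWASP redirect, and how the widened alternation changes the LF_MODSEC outcome. IPs, hostnames and the threshold are assumed values.

```python
import re
from collections import Counter

# Python port of the line-matching regex quoted from /usr/local/csf/bin/regex.pm
# in this thread (not CSF's own code). Group 4 captures the client IP.
LFD_PREFIX = (
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?'
    r'\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with '
)
ORIGINAL_RE = re.compile(LFD_PREFIX + r'(code|connection)')              # as shipped
PATCHED_RE = re.compile(LFD_PREFIX + r'(code|connection|redirection)')  # suggested fix

def lfd_client_ip(line, pattern):
    """Return the client IP LFD would count for this error_log line, or None if ignored."""
    m = pattern.match(line)
    return m.group(4) if m else None

def ips_to_block(lines, pattern, lf_modsec=5):
    """Emulate the LF_MODSEC threshold: IPs whose counted triggers reach lf_modsec."""
    hits = Counter(ip for ip in (lfd_client_ip(l, pattern) for l in lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= lf_modsec)

# Constructed sample lines modelled on the two quoted in the thread
# (192.0.2.x and example.com are placeholder values).
BASIC_DENY = (
    '[Mon Feb 09 15:17:46.512448 2015] [:error] [pid 18584] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 500 (phase 2). Pattern match "/\\\\.\\\\./" at REQUEST_URI. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "301"] [id "300004"] '
    '[msg "Generic Path Recursion denied"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"]'
)
OWASP_REDIRECT = (
    '[Mon Feb 09 15:20:35.891669 2015] [:error] [pid 20940] [client 192.0.2.20] '
    'ModSecurity: Access denied with redirection to http://www.example.com/ using status 302 (phase 2). '
    'detected XSS using libinjection. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/'
    'REQUEST-41-APPLICATION-ATTACK-XSS.conf"] [line "23"] [id "973343"] '
    '[msg "XSS Attack Detected via Libinjection"] [severity "CRITICAL"] [hostname "example.com"] '
    '[uri "/blog/wp-login.php"]'
)
# Five custom-rule hits from one IP and eight OWASP redirect hits from another.
SAMPLE_LOG = [BASIC_DENY] * 5 + [OWASP_REDIRECT] * 8

if __name__ == "__main__":
    print("original:", ips_to_block(SAMPLE_LOG, ORIGINAL_RE))  # only 192.0.2.10
    print("patched: ", ips_to_block(SAMPLE_LOG, PATCHED_RE))   # both IPs
```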

CanSpace

LFD is definitely running. We are actually having this same issue on all our servers using the cPanel/OWASP rules. MODSEC_LOG is also set correctly...

CanSpace

Ah great - thanks for investigating. I'll go ahead and make that change and open a ticket with the csf guys... I imagine a lot of people will be having this issue.

plove79

Member
Feb 26, 2016
6
0
51
New York, USA
cPanel Access Level
Website Owner
Did this break again? I'm noticing that on my server, LF_MODSEC is set to 8, and particular IPs are having a field day, breaking OWASP rules left and right... for a few hours at a time. My 'managed support' was only able to suggest that I add LF_APACHE_404 ... to block IPs when they trigger too many 404s.