OWASP mod_security rules not triggering CSF IP block anymore...

That seems odd. Have you ensured the log entries are still being made in the apache error log? Perhaps you're suffering from the upcp bug? http://forums.cpanel.net/f185/case-161501-owasp-mod-security-disabled-upcp-452802.html

 

If the hits are showing in error_log, check your CSF config. LFD actively parses the error_log. It's unlikely this is wrong, but ensure this setting is correct in /etc/csf/csf.conf:

MODSEC_LOG = "/usr/local/apache/logs/error_log"

Also ensure that LFD is running; for some reason csf -r doesn't restart lfd. If you're in doubt just run "csf -x ; csf -e" to quickly disable and re-enable CSF/LFD.

I'm taking a look to see if maybe CSF isn't parsing the apache logs correctly for the OWASP rules... I'll edit this in a minute with what I figure out.

EDIT: Ok, so, if I trip rules in my custom rule set (which is also still included) then CSF blocks the IP. But, if I trip rules in the OWASP rule set, it doesn't block the ip in CSF. So, it seems this has to do with CSF's processing of the error log itself.

The logs do look a bit different between the two types of hits (custom basic deny rule, and the OWASP XSS rule):
(note to mods, I used quote instead of "code" on purpose so that lines wrap)

It appears to be CSF mishandling it. Let's look at their regex.pm for ModSecurity:

Code:

#mod_security v2 (apache)
        if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)) { ***SNIP***

So the issue here is the regex that LFD is using only covers log lines containing "Access denied with code" or "Access denied with connection." It would need to be (code|connection|redirection) to work with rules that redirect the attacker like the OWASP rules.

You should report this as a bug to configserver. In the mean time if you go into the file /usr/local/csf/bin/regex.pm you can make the edit to change (code|connection) to (code|connection|redirection) and it will work. I just tested this and it works great after restarting CSF/LFD.

 

I just edited my above post with an explanation for you.

 

Hi,

New CSF 7.62

New csf v7.62 | ConfigServer Services Blog

 

Looks like they fixed it as soon as you reported it on the forum

 

The Latest version of CSF 7.62 seems to have fixed the problem.