The Community Forums


OWASP mod_security rules not triggering CSF IP block anymore...

Discussion in 'Security' started by CanSpace, Feb 9, 2015.

  1. CanSpace

    CanSpace Member

    CSF has the option to ban an IP address after multiple mod_security triggers:

    Enable failure detection of repeated Apache mod_security rule triggers
    LF_MODSEC = Default: 5 [0-100]
    LF_MODSEC_PERM = Default: 1 [0-604800]

    This was working fine across all of our servers when we were using a custom version of the AtomiCorp delayed rules, but we've recently switched to the new OWASP rules provided by cPanel and the CSF detection seems to no longer be working - multiple triggers no longer result in an IP ban.

    Anyone else encountered this?
     
  2. quizknows

    quizknows Well-Known Member

  3. CanSpace

    CanSpace Member

    We were suffering from the upcp bug but I've since re-enabled the rules. I'm seeing hits in the ModSecurity Tools page, and they are indeed showing up in the error_log.

    Is anyone else successfully using the CSF ModSecurity trigger with the new OWASP rules?
     
    #3 CanSpace, Feb 9, 2015
    Last edited: Feb 9, 2015
  4. quizknows

    quizknows Well-Known Member

    If the hits are showing in error_log, check your CSF config. LFD actively parses the error_log. It's unlikely this is wrong, but ensure this setting is correct in /etc/csf/csf.conf:

    MODSEC_LOG = "/usr/local/apache/logs/error_log"

    Also ensure that LFD is running; for some reason csf -r doesn't restart lfd. If you're in doubt just run "csf -x ; csf -e" to quickly disable and re-enable CSF/LFD.

    I'm taking a look to see if maybe CSF isn't parsing the apache logs correctly for the OWASP rules... I'll edit this in a minute with what I figure out.

    EDIT: Ok, so, if I trip rules in my custom rule set (which is also still included) then CSF blocks the IP. But, if I trip rules in the OWASP rule set, it doesn't block the IP in CSF. So, it seems this has to do with CSF's processing of the error log itself.

    The logs do look a bit different between the two types of hits (custom basic deny rule, and the OWASP XSS rule):
    (note to mods, I used quote instead of "code" on purpose so that lines wrap)
    It appears to be CSF mishandling it. Let's look at their regex.pm for ModSecurity:

    Code:
    #mod_security v2 (apache)
            if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with (code|connection)/)) { ***SNIP***
    
    So the issue here is the regex that LFD is using only covers log lines containing "Access denied with code" or "Access denied with connection." It would need to be (code|connection|redirection) to work with rules that redirect the attacker like the OWASP rules.

    You should report this as a bug to ConfigServer. In the meantime, if you go into the file /usr/local/csf/bin/regex.pm you can make the edit to change (code|connection) to (code|connection|redirection) and it will work. I just tested this and it works great after restarting CSF/LFD.
     
    #4 quizknows, Feb 9, 2015
    Last edited: Feb 9, 2015
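The mismatch quizknows describes, reproduced as an added example that is not part of this thread or of CSF's own code: the pattern from regex.pm is transcribed into Python (the Perl `[^]]` class written as `[^\]]`, and a named `client` group in place of the positional one), once as posted and once with `redirection` added, and both are run over constructed Apache 2.4 error_log lines. The per-IP count against the LF_MODSEC default of 5 is a simplification of what LFD does (it ignores LFD's time window), and the port stripping assumes IPv4 clients; both are assumptions of this example, not CSF behaviour.

```python
import re
from collections import Counter

# Transcription of the ModSecurity v2 pattern quoted from /usr/local/csf/bin/regex.pm.
# Only "Access denied with code" and "Access denied with connection" match, so
# redirect-style denials (as produced by the OWASP rules) are never counted.
_PREFIX = (
    r'^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\w*:)?error\] (\[pid \d+(:tid \d+)?\] )?'
    r'\[client (?P<client>\S+)\] (\w+: )?ModSecurity:(( \[[^\]]+\])*)? Access denied with '
)
LFD_ORIGINAL = re.compile(_PREFIX + r'(code|connection)')
# The one-word change suggested in the thread.
LFD_FIXED = re.compile(_PREFIX + r'(code|connection|redirection)')

LF_MODSEC_DEFAULT = 5  # csf.conf default quoted in the first post


def _strip_port(addr):
    # Apache 2.4 logs "[client ip:port]"; drop the port. Assumption: IPv4 only,
    # so exactly one colon means "address:port".
    if addr.count(':') == 1:
        return addr.rsplit(':', 1)[0]
    return addr


def extract_client(line, pattern):
    """Return the client IP if the line is a ModSecurity denial the pattern accepts, else None."""
    m = pattern.match(line)
    return _strip_port(m.group('client')) if m else None


def count_triggers(lines, pattern):
    """Number of accepted ModSecurity denials per client IP (no time window applied)."""
    counts = Counter()
    for line in lines:
        ip = extract_client(line, pattern)
        if ip:
            counts[ip] += 1
    return counts


def ips_to_block(lines, pattern, lf_modsec=LF_MODSEC_DEFAULT):
    """IPs whose trigger count reached the LF_MODSEC threshold, sorted."""
    return sorted(ip for ip, n in count_triggers(lines, pattern).items() if n >= lf_modsec)


def _line(sec, client, action):
    # Constructed Apache 2.4 error_log line in the layout the regex expects.
    return (f'[Mon Feb 09 12:00:{sec:02d}.000000 2015] [:error] [pid 1234:tid 140] '
            f'[client {client}] ModSecurity: Access denied with {action} (phase 2). '
            f'[hostname "www.example.com"] [uri "/index.php"]')


REDIRECT = 'redirection to http://www.example.com/ using status 302'

# Constructed sample log: one client denied with a 403 five times (custom-style rule),
# one redirected five times (OWASP-style rule), one redirected only twice, and an
# unrelated core error that must not count at all.
SAMPLE_ERROR_LOG = (
    [_line(i, '198.51.100.7:40000', 'code 403') for i in range(5)]
    + [_line(i, '203.0.113.5:51234', REDIRECT) for i in range(5)]
    + [_line(i, '192.0.2.9:60000', REDIRECT) for i in range(2)]
    + ['[Mon Feb 09 12:01:00.000000 2015] [core:error] [pid 1234:tid 140] '
       '[client 192.0.2.9:60000] File does not exist: /home/user/public_html/favicon.ico']
)

if __name__ == '__main__':
    print('original pattern blocks:', ips_to_block(SAMPLE_ERROR_LOG, LFD_ORIGINAL))
    print('fixed pattern blocks:   ', ips_to_block(SAMPLE_ERROR_LOG, LFD_FIXED))
```

With the posted pattern only 198.51.100.7 (the 403 denials) reaches the threshold; with `redirection` added, 203.0.113.5 is blocked as well, while 192.0.2.9 stays under the limit. The same two patterns can be pointed at a real error_log to confirm which kind of denial a ruleset writes before assuming LFD will act on it.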
  5. CanSpace

    CanSpace Member

    LFD is definitely running. We are actually having this same issue on all our servers using the cPanel/OWASP rules. MODSEC_LOG is also set correctly...
     
  6. quizknows

    quizknows Well-Known Member

    I just edited my above post with an explanation for you.
     
  7. CanSpace

    CanSpace Member

    Ah great - thanks for investigating. I'll go ahead and make that change and open a ticket with the csf guys... I imagine a lot of people will be having this issue.
     
  8. ciao70

    ciao70 Member

  9. quizknows

    quizknows Well-Known Member

  10. kernow

    kernow Well-Known Member

    The latest version of CSF, 7.62, seems to have fixed the problem.
     
  11. CanSpace

    CanSpace Member

    Geez that was fast. Thanks for all the help guys!
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Thanks, ConfigServer!
     