Topic: CSF/LFD + MODSEC don't work!!!

« on: March 29, 2017, 07:48:28 AM »
I have CWPPRO version 7 and the locks with the CSF / LFD firewall do not work.

In my CWPPRO 6 they work perfectly. I compared some configurations with the new CWP7 and it all looks the same. Can you help me, please?

« Reply #1 on: April 11, 2017, 07:38:05 AM »
any?

« Reply #2 on: April 11, 2017, 04:48:19 PM »
I have read that there are problems with CentOS 7 and CWP, so better to use CentOS 6 and CWP6...
Anyway, CentOS 7 uses too many resources compared to CentOS 6, but that's my opinion...

« Reply #3 on: April 11, 2017, 04:56:11 PM »
> I have read that there are problems with CentOS 7 and CWP, so better to use CentOS 6 and CWP6...
> Anyway, CentOS 7 uses too many resources compared to CentOS 6, but that's my opinion...

CWP7 works like a charm, I only have this problem.


« Reply #4 on: April 11, 2017, 10:31:10 PM »
All should work fine in CentOS 7, including the firewall; you need to specify all details (errors) when asking questions about some possible issue.

« Reply #5 on: April 12, 2017, 04:54:40 AM »
> All should work fine in CentOS 7, including the firewall; you need to specify all details (errors) when asking questions about some possible issue.

In CWP6-PRO CSF / LFD + MODSEC blocks attacks through logging in "/usr/local/apache/logs/error_log"

With this setting in "/etc/csf/csf.conf"

Code:
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "3"
LF_MODSEC_PERM = "1"
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"

MODSEC CWP6-PRO errors are mirrored in this way, and they are blocked perfectly by CSF + LFD

Code:
[Tue Apr 11 22:03:04 2017] [error] [client 171.5.3.224] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/wp-login.php" at REQUEST_URI. [file "/usr/local/apache/userdata/pcrcl/pcready.cl/modsec.conf"] [line "1"] [id "17265002"] [hostname "www.pcready.cl"] [uri "/wp-login.php"] [unique_id "WO18yH8AAAEAACmefUIAAAAF"]

In CWP7-PRO I have exactly the same configuration as in CWP6-PRO in "/etc/csf/csf.conf"; this is my configuration in CWP7-PRO

Code:
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "3"
LF_MODSEC_PERM = "1"
HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"

But the CWP7-PRO errors of MODSEC are reflected in this way and do not block them

Code:
[Wed Apr 12 01:40:37.485934 2017] [:error] [pid 28383:tid 139994855077632] [client 201.214.115.114:30016] [client 201.214.115.114] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/wp-login.php" at REQUEST_URI. [file "/usr/local/apache/userdata/instruva/instruvalve.cl/modsec.conf"] [line "15"] [id "17265002"] [hostname "www.instruvalve.cl"] [uri "/wp-login.php"] [unique_id "WO2vxQW9kbkAAG7fYFsAAABA"]

There is a clear difference in how the log is reflected in "/usr/local/apache/logs/error_log"; maybe that's why it is not able to detect the errors and block them.

The rule in CWP6-PRO and CWP7-PRO is exactly the same, but only works in CWP6-PRO.

I looked for information, and some people talked about the form in which the text was read from the log: if it did not contain a recognizable "regex" for "CSF + LFD" it would not block it, since it would not be able to interpret it correctly to extract information.

But CSF + LFD is working, because it blocks the SSH and FTP errors; the problem is only with MODSEC.

If you need any other information do not hesitate to ask me please.

Can you help me please, thank you.
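
Added example (not part of the original post, and not lfd's own code): a Python sketch of the hypothesis in the post above, showing how a pattern written for the CWP6 log line fails on the CWP7 line, and a more tolerant pattern that reads both. Both regular expressions are hypothetical illustrations, the sample lines are shortened from the two log lines in the post, and the threshold of 3 mirrors `LF_MODSEC = "3"`.

```python
import re
from collections import Counter

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Strict pattern modelled on the CWP6 sample line:
#   [date] [error] [client IP] ModSecurity: Access denied ...
# Hypothetical, for illustration; not the expression lfd ships with.
STRICT = re.compile(
    r"^\[[^\]]+\] \[error\] \[client " + IPV4 + r"\] ModSecurity: Access denied"
)

# Tolerant pattern (also hypothetical): allows "[error]" or "[module:error]",
# an optional "[pid ...]" field, and repeated "[client IP]" / "[client IP:port]".
TOLERANT = re.compile(
    r"^\[[^\]]+\] \[\w*:?error\] (?:\[pid [^\]]+\] )?"
    r"(?:\[client " + IPV4 + r"(?::\d+)?\] )+ModSecurity: Access denied"
)

def offenders(lines, pattern, threshold=3):
    """Return the IPs whose matched ModSecurity denials reach the threshold."""
    hits = Counter()
    for line in lines:
        m = pattern.match(line)
        if m:
            hits[m.group("ip")] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Sample input: the two lines from the post with the trailing fields shortened,
# each repeated three times (constructed) so that the threshold is reached.
TAIL = (' ModSecurity: Access denied with code 403 (phase 2). '
        'Pattern match "/wp-login.php" at REQUEST_URI. [id "17265002"]')
LINE_CWP6 = "[Tue Apr 11 22:03:04 2017] [error] [client 171.5.3.224]" + TAIL
LINE_CWP7 = ("[Wed Apr 12 01:40:37.485934 2017] [:error] "
             "[pid 28383:tid 139994855077632] "
             "[client 201.214.115.114:30016] [client 201.214.115.114]" + TAIL)
SAMPLE = [LINE_CWP6] * 3 + [LINE_CWP7] * 3

if __name__ == "__main__":
    print("strict  :", offenders(SAMPLE, STRICT))
    print("tolerant:", offenders(SAMPLE, TOLERANT))
```

Running the same check against a few real lines from the error_log shows quickly whether a log-format mismatch is the cause before changing any firewall settings.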

« Reply #6 on: April 25, 2017, 05:24:17 AM »
¿¿??

« Reply #7 on: April 25, 2017, 08:46:06 AM »

« Reply #8 on: April 28, 2017, 01:47:48 PM »
Anybody?