Control Web Panel
Security => CSF Firewall => Topic started by: belrpr on July 03, 2018, 09:27:44 AM
-
With the default csf config the settings are:
LF_POP3D = "0"
LF_POP3D_PERM = "0"
So it doesn't block attacks.
Enabling LF_POP3D = "1" doesn't change anything.
The attacks still continue without a ban.
-
Already found a fault in the csf.conf
The log location is wrong:
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
should be
/var/log/dovecot-info.log
The log contains auth failures for pop3 and imap.
But the bans still don't work.
-
You should use the correct configuration from the wiki:
http://wiki.centos-webpanel.com/csflfd-firewall-configuration
-
Yeah that fixes things.
But why is the default config not correct? It isn't the basic csf config, because the regex.custom has some CWP login checks.
-
you should use the correct configuration from the wiki
http://wiki.centos-webpanel.com/csflfd-firewall-configuration
But this rule, if activated, blocked the server's HTTP and mail traffic; SSH works OK.
Custom regex for mod_security, file /etc/csf/regex.custom.pm:
# mod_security
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
    my $ip = $4;                                   # address from the second [client ...] field
    $ip =~ s/^::ffff://;                           # strip the IPv4-mapped IPv6 prefix
    if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}    # drop a trailing :port from an IPv4 address
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}  # ModSecurity rule id, if logged
    # Return values: message, IP, rule name, trigger level, ports, block ("1" = permanent)
    if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","4","80,443","1")} else {return}
}
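
An offline harness for the rule posted above, added here as an example and not part of the thread or of CSF: it runs the same pattern and IP clean-up over constructed Apache error-log lines and counts matches per address against the rule's trigger level of 4, so the rule can be checked before lfd acts on it. The sample lines, the rule ids and the mk() and classify() helpers are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern copied from the posted rule; capture group 4 is the client IP.
my $re = qr/^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/;
my $trigger = 4;    # fourth return value of the posted rule

# Build one constructed log line (hypothetical helper, not a CSF function).
sub mk {
    my ($pidtid, $ip, $msg) = @_;
    return "[Tue Jul 03 09:27:44.120001 2018] [:error] [${pidtid}] "
         . "[client ${ip}:40000] [client ${ip}] ModSecurity: ${msg}";
}

# Constructed sample input using documentation addresses, not real traffic.
my $deny = 'Access denied with code 403 (phase 2).';
my @lines = (
    (map { mk('pid 2101:tid 1400', '203.0.113.7', "$deny [id \"900001\"]") } 1 .. 4),
    mk('pid 2101:tid 1400', '::ffff:198.51.100.9', "$deny [id \"900002\"]"),
    # No ":tid" field: the pattern requires it, so this denial is not counted.
    mk('pid 2101', '192.0.2.44', "$deny [id \"900003\"]"),
    # A warning, not a denial: must not count towards a block.
    mk('pid 2101:tid 1400', '192.0.2.55', 'Warning. Pattern match [id "900004"]'),
);

# Same extraction steps as the posted rule; returns (ip, ruleid) or an empty list.
sub classify {
    my ($line) = @_;
    return unless $line =~ $re;
    my $ip = $4;
    $ip =~ s/^::ffff://;                      # IPv4-mapped IPv6 prefix
    my @parts = split /:/, $ip;
    $ip =~ s/:\d+$// if @parts == 2;          # trailing :port on an IPv4 address
    my $ruleid = $line =~ /\[id "(\d+)"\]/ ? $1 : "unknown";
    return ($ip, $ruleid);
}

my (%hits, %rules);
for my $line (@lines) {
    my ($ip, $ruleid) = classify($line) or next;
    $hits{$ip}++;
    $rules{$ip}{$ruleid} = 1;
}
for my $ip (sort keys %hits) {
    my $verdict = $hits{$ip} >= $trigger ? "reaches trigger" : "below trigger";
    printf "%-15s hits=%d rules=%s %s\n", $ip, $hits{$ip},
        join(",", sort keys %{ $rules{$ip} }), $verdict;
}
```

Replacing @lines with lines read from the file that MODSEC_LOG points to shows which addresses the rule would count on a real server.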