We previously had Atomicorp ModSecurity rules running, and these were automatically blocked. As soon as I substituted in the Comodo rules, the automatic block feature stopped working.
CSF is reporting the ID as 'unknown'; CMC also displays the ID as 'Unknown'.
Example:
XXX.XXX.XXX.XXX # lfd: (mod_security) mod_security (id:unknown) triggered by XXX.XXX.XXX.XXX (US/United States/-): 1 in the last 3600 secs - Sat Jul 19 15:54:26 2014
Due to the way LSWS logs ModSecurity entries to error_log, you need to create a custom regex in CSF to have it track these log entries.
Open the file /etc/csf/regex.custom.pm and add the code below between the 2nd and 3rd comment areas. This should be at line 36, unless the file has been modified:
# Only run when LF_MODSEC is enabled and the line comes from a log file
# listed as MODSEC_LOG; the regex matches the LSWS-style error_log entry
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] ModSecurity: Access denied with code 403/)) {
    # Captured client address; strip the IPv4-mapped IPv6 prefix if present
    $ip = $1; $acc = ""; $ip =~ s/^::ffff://;
    # Hand the hit to lfd as a mod_security trigger, or ignore invalid addresses
    if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
}
Save the file, restart CSF+LFD and see if it works.
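To check the regex before dropping it into regex.custom.pm, here is a stand-alone Perl script. It is an added example, not code from the thread, from CSF, or from LiteSpeed. It runs the same match over a few constructed error_log lines laid out the way the posted regex expects, applies the same ::ffff: strip, and, as an assumption about how the rule id could be recovered, also pulls the number out of a ModSecurity [id "NNN"] tag when the line carries one, reporting "unknown" otherwise. The sample lines, addresses, file paths and rule id are made up.

```perl
#!/usr/bin/perl
# Added example (not part of the thread or of CSF's regex.pm): exercise the
# custom LSWS ModSecurity regex over constructed error_log lines and show how
# a rule id could be picked out of the "[id "NNN"]" tag when one is present.
use strict;
use warnings;

# Constructed sample lines (not real traffic), in the layout the regex expects:
# "[<5 date tokens>] [error] [client <ip>] ModSecurity: Access denied with code 403 ..."
my @lines = (
    '[Sat Jul 19 15:54:26 2014] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select.*from" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "12"] [id "981173"] [msg "Restricted SQL Character Anomaly"]',
    '[Sat Jul 19 15:55:01 2014] [error] [client ::ffff:198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsec/rules.conf"] [line "40"]',
    '[Sat Jul 19 15:56:12 2014] [notice] [client 192.0.2.5] ModSecurity: Warning. Pattern match "foo" at ARGS:x.',
    'Sat Jul 19 15:57:00 2014 not a ModSecurity line at all',
);

# Returns (ip, rule_id) for a line the regex accepts, or an empty list otherwise.
sub parse_modsec_line {
    my ($line) = @_;
    return unless $line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] ModSecurity: Access denied with code 403/;
    my $ip = $1;
    $ip =~ s/^::ffff://;    # strip IPv4-mapped IPv6 prefix, as the posted snippet does

    # Assumption: ModSecurity writes the matched rule as [id "NNN"]; if the tag
    # is missing, fall back to "unknown" (the value seen in csf.deny in the thread).
    my $id = ($line =~ /\[id "(\d+)"\]/) ? $1 : 'unknown';
    return ($ip, $id);
}

for my $line (@lines) {
    my ($ip, $id) = parse_modsec_line($line);
    if (defined $ip) {
        printf "match:    ip=%-15s id=%s\n", $ip, $id;
    } else {
        printf "no match: %s...\n", substr($line, 0, 45);
    }
}
```

Only the first two lines match: the first yields ip=203.0.113.10 with id=981173, the second yields ip=198.51.100.7 (prefix stripped) with id=unknown; the [notice] line and the non-ModSecurity line are ignored. If your LSWS error_log lines differ in layout (different number of date tokens, no [error] level), the regex will silently match nothing, which is the first thing to check when lfd never sees a trigger.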
LiteSpeed was also set to 'INFO' instead of 'DEBUG' as suggested. What I noticed that was weird is that both Config Mod Control and Config Server Firewall (csf.deny) report the ID as 'unknown'.
If you see IPs banned in csf.deny because of mod_security, then the custom regex works and CSF detects ModSecurity rule triggers.
What's your LF_MODSEC_PERM setting? If you want IPs to be blocked permanently, set this option to 1. For temporary blocks, enter the number of seconds instead.
As for the unknown ID, you should find it within the log entry:
The regex isn't needed; CSF detects the ModSecurity rules without it.
The CSF block is working correctly, so this isn't the problem here.
Thank you, I am aware of that; however, the question was directly related to CSF. When CSF blocks the IP address it stores an entry in the csf.deny file.
XXX.XXX.XXX.XXX # lfd: (mod_security) mod_security (id:unknown) triggered by XXX.XXX.XXX.XXX (US/United States/-): 1 in the last 3600 secs - Sat Jul 19 15:54:26 2014
To my original question: is there any way of telling CSF what the 'id' is, so that instead of 'unknown' it actually lists the id?