Author Topic: Help with a custom rule  (Read 377 times)

keat1963 (Newbie, Posts: 2)
Help with a custom rule
« on: January 31, 2018, 04:09:29 AM »
Folks

Could someone help me with a custom modsec rule please.
I've absolutely no idea where to start.

I have access to the WHM/cPanel login narrowed down to just 2 IPs, so I guess it's impossible to gain SSL cPanel access to my server unless calling from one of those IPs. However, it doesn't seem to deter some hackers.

I'd like to create a custom rule (or if someone else would, I'd be grateful) that will add the offending IP to CSF based on the following string.

"Dropping connection from xx.xx.xx.xxx because of tcp_wrappers at cpsrvd.pl line 3622."

Could anyone help?

SergeiP (Moderator, Posts: 160)
Re: Help with a custom rule
« Reply #1 on: February 05, 2018, 09:22:49 AM »
Hello keat1963.
You can add a custom rule like:

    SecRule REMOTE_ADDR "!@ipMatch X.X.X.X,Y.Y.Y.Y,Z.Z.Z.Z/16,..." "id:100000,phase:1,t:none,block,log,msg:'COMODO WAF: IP doesn't allowed by policy'"

to the CWAF configuration in "CWAF_folder/etc/httpd/custom_user.conf" or, if you use the CWAF plugin for WHM, you can add it in the "Userdata" tab in the "Custom Rules:" field. Also in the "Userdata" tab you can manage "Whitelisted IPs:" and "Blacklisted IPs:"; it also supports ranges of IPs.
X.X.X.X, Y.Y.Y.Y - IPs to be whitelisted and Z.Z.Z.Z/16 - range of IPs to be whitelisted.
Please make sure your rule ID is unique.
You can learn more about ModSecurity directives from:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
Regards.

« Last Edit: February 05, 2018, 09:33:13 AM by SergeiP »

keat1963 (Newbie, Posts: 2)
Re: Help with a custom rule
« Reply #2 on: February 12, 2018, 03:34:27 AM »
Hi Sergei

Looking at the rule you gave, I'm not sure I can see the pattern I'm looking to block.

I had around 50 attempts from 4 different IPs of someone trying to gain access to either cPanel or WHM.
I see in my logs the following entries.

"Dropping connection from IP.Address.1 because of tcp_wrappers at cpsrvd.pl line 3622."
"Dropping connection from IP.Address.2 because of tcp_wrappers at cpsrvd.pl line 3622."
"Dropping connection from IP.Address.3 because of tcp_wrappers at cpsrvd.pl line 3622."
"Dropping connection from IP.Address.4 because of tcp_wrappers at cpsrvd.pl line 3622."

The IP address changes with different attempts of someone trying to gain access.
I was hoping for a custom rule that would maybe look at the string "because of tcp_wrappers at cpsrvd.pl line 3622." and then add the associated IP of that string to CSF.
« Last Edit: February 12, 2018, 03:36:54 AM by keat1963 »

SergeiP (Moderator, Posts: 160)
Re: Help with a custom rule
« Reply #3 on: February 14, 2018, 08:48:23 AM »
The given rule was for known bad IPs. ModSecurity doesn't have access to your logs.
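Since a WAF rule only sees HTTP requests and not the cpsrvd log, the approach the original poster describes has to be done with a log scanner instead. The following is an added example, not code from this thread or from Comodo/CSF: it parses the quoted "Dropping connection from ... because of tcp_wrappers at cpsrvd.pl" lines, counts drops per source address, skips an assumed allowlist of management IPs (the thread mentions two such IPs but does not name them, so placeholder documentation addresses are used), and prints the `csf -d` commands that would deny the repeat offenders. The log path and the threshold of 3 are assumptions; the sample log lines are constructed.

```python
import re
import sys
import ipaddress
from collections import Counter

# Constructed sample lines in the format quoted in the thread. The addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dropping connection from 198.51.100.23 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 198.51.100.23 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 203.0.113.9 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 192.0.2.77 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 203.0.113.9 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 203.0.113.9 because of tcp_wrappers at cpsrvd.pl line 3622.
some unrelated log line that must be ignored
Dropping connection from 192.0.2.77 because of tcp_wrappers at cpsrvd.pl line 3622.
Dropping connection from 192.0.2.77 because of tcp_wrappers at cpsrvd.pl line 3622.
"""

# Assumed placeholders for the two management IPs that must never be denied.
ALLOWLIST = [ipaddress.ip_network("192.0.2.77/32")]

# Assumed location of the cpsrvd log; adjust to where these lines appear on your server.
DEFAULT_LOG_PATH = "/usr/local/cpanel/logs/error_log"

DROP_RE = re.compile(
    r"Dropping connection from (?P<ip>[0-9a-fA-F.:]+) "
    r"because of tcp_wrappers at cpsrvd\.pl"
)


def extract_dropped_ips(text):
    """Count tcp_wrappers drop lines per source address, ignoring other lines."""
    counts = Counter()
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log line; skip it
        counts[str(ip)] += 1
    return counts


def is_allowlisted(ip_str):
    """True if the address falls in any allowlisted network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWLIST)


def ips_to_deny(counts, threshold=3):
    """Addresses with at least `threshold` drops that are not allowlisted."""
    return sorted(
        ip for ip, n in counts.items() if n >= threshold and not is_allowlisted(ip)
    )


def csf_deny_commands(ips, comment="cpsrvd tcp_wrappers drop"):
    """Build the `csf -d <ip> [comment]` commands; nothing is executed here."""
    return [f'csf -d {ip} "{comment}"' for ip in ips]


if __name__ == "__main__":
    # Read a real log if a path is given, otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    drops = extract_dropped_ips(log_text)
    for ip, n in drops.most_common():
        print(f"{ip}: {n} drop(s)")
    for cmd in csf_deny_commands(ips_to_deny(drops)):
        print(cmd)
```

Run it with no arguments to see the sample result, or with the log path as the first argument to scan a real file (for example `python3 scan_drops.py /usr/local/cpanel/logs/error_log`). It deliberately only prints the commands so the list can be reviewed before anything is added to csf.deny; if you automate it, keep the allowlist check, otherwise a typo in the rule could lock out your own management addresses. CSF's own LFD already has a login-failure detector for cpsrvd, so check whether enabling that in csf.conf covers the case before adding a separate scanner.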
