Help with a custom rule

Folks

Could someone help me with a custom modsec rule please.
I’ve absolutely no idea where to start.

I have the access to WHM/cPanel login narrowed down to just 2 IPs, so I guess it’s impossible to gain SSL cPanel access to my server, unless calling from one of those IPs. However, it doesn’t seem to deter some hackers.

I’d like to create a custom rule (or if someone else would, I’d be grateful) that will add the offending IP to CSF based on the following string.

“Dropping connection from xx.xx.xx.xxx because of tcp_wrappers at cpsrvd.pl line 3622.”

Could anyone help ?

Hello keat1963.
You can add a custom rule like:

SecRule REMOTE_ADDR "!@ipMatch X.X.X.X,Y.Y.Y.Y,Z.Z.Z.Z/16,..." "id:100000,phase:1,t:none,block,log,msg:'COMODO WAF: IP not allowed by policy'"

to the CWAF configuration in “CWAF_folder/etc/httpd/custom_user.conf” or, if you use the CWAF plugin for WHM, you can add it in the “Userdata” tab in the “Custom Rules:” field. Also in the “Userdata” tab you can manage “Whitelisted IPs:” and “Blacklisted IPs:”; it also supports ranges of IPs.
X.X.X.X, Y.Y.Y.Y - IPs to be whitelisted and Z.Z.Z.Z/16 - range of IPs to be whitelisted.
Please make sure your rule ID is unique.
More about ModSecurity directives you can learn from:

Regards.

Hi Sergie

Looking at the rule you gave, I’m not sure I can see the pattern I’m looking to block.

I had around 50 attempts from 4 different IPs of someone trying to gain access to either cPanel or WHM.
I see in my logs the following entries.

“Dropping connection from IP.Address.1 because of tcp_wrappers at cpsrvd.pl line 3622.”
“Dropping connection from IP.Address.2 because of tcp_wrappers at cpsrvd.pl line 3622.”
“Dropping connection from IP.Address.3 because of tcp_wrappers at cpsrvd.pl line 3622.”
“Dropping connection from IP.Address.4 because of tcp_wrappers at cpsrvd.pl line 3622.”

The IP address changes with different attempts of someone trying to gain access.
I was hoping for a custom rule that would maybe look at the string “because of tcp_wrappers at cpsrvd.pl line 3622.” and then add the associated IP of that string to CSF.

The given rule was for known bad IPs. ModSecurity doesn’t have access to your logs.
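Since ModSecurity only sees HTTP requests and never reads cpsrvd's log, the matching has to happen in a log watcher instead (which is the job CSF's lfd normally does). The script below is an added example, not code from anyone in this thread or from CSF/cPanel: it pulls the dropped IP out of exactly the message quoted above, counts hits per IP, and emits one `csf -d <ip> <comment>` (CSF's real deny command) per offender. The log path, the operator allow list and the sample log lines are assumptions or constructed values, not taken from the thread.

```python
import re
import subprocess
import sys
from collections import Counter

# Assumed location: cpsrvd writes its tcp_wrappers drops to this error log on
# typical cPanel installs, but confirm the path on your own server first.
ERROR_LOG = "/usr/local/cpanel/logs/error_log"

# Placeholder for the two IPs you allowed in WHM; never let the script deny
# them, or the only hosts that can still reach cPanel get locked out too.
OPERATOR_IPS = ("192.0.2.1",)

# Match the exact message quoted in the thread.  The source line number is
# allowed to vary so a cpsrvd.pl update does not silently break the match.
DROP_RE = re.compile(
    r"Dropping connection from (\d{1,3}(?:\.\d{1,3}){3}) "
    r"because of tcp_wrappers at cpsrvd\.pl line \d+"
)


def extract_offenders(lines, threshold=1):
    """Return {ip: hits} for every IP dropped by tcp_wrappers at least
    `threshold` times in the given log lines."""
    counts = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def csf_deny_command(ip, hits):
    """Build `csf -d ip comment` as an argv list.  No shell is involved, so the
    only thing reaching csf is a dotted quad that already passed the regex."""
    return ["csf", "-d", ip, f"tcp_wrappers drop at cpsrvd ({hits} hits)"]


def block_offenders(offenders, allow_list=(), apply=False):
    """Print (dry run) or execute (apply=True) one csf deny per offender,
    skipping anything on the operator allow list.  Returns the commands."""
    issued = []
    for ip, hits in sorted(offenders.items()):
        if ip in allow_list:
            continue
        cmd = csf_deny_command(ip, hits)
        issued.append(cmd)
        if apply:
            subprocess.run(cmd, check=True)
        else:
            print("DRY RUN:", " ".join(cmd))
    return issued


# Constructed sample lines in the format quoted in the thread (not real logs);
# 192.0.2.1 is the operator's own IP and must survive, the unrelated line and
# the non-matching message from 203.0.113.10 must be ignored.
SAMPLE_LOG = [
    "Dropping connection from 203.0.113.10 because of tcp_wrappers at cpsrvd.pl line 3622.",
    "Dropping connection from 198.51.100.7 because of tcp_wrappers at cpsrvd.pl line 3622.",
    "Dropping connection from 203.0.113.10 because of tcp_wrappers at cpsrvd.pl line 3622.",
    "Dropping connection from 192.0.2.1 because of tcp_wrappers at cpsrvd.pl line 3622.",
    "Successful login from 192.0.2.1",
    "Accepted connection from 203.0.113.10 for webmail",
]


if __name__ == "__main__":
    # Usage: python3 this.py [/path/to/error_log] [--apply]
    # Without a path the constructed sample is used; without --apply it is a dry run.
    apply = "--apply" in sys.argv
    paths = [a for a in sys.argv[1:] if a != "--apply"]
    if paths:
        with open(paths[0]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    block_offenders(extract_offenders(lines, threshold=2),
                    allow_list=OPERATOR_IPS, apply=apply)
```

Run it from cron or a systemd timer against the real log with a threshold that matches your tolerance (a single drop is often a scanner; the 50-odd attempts described above would trip any sensible value). `csf -d` writes a permanent entry to csf.deny, so the allow-list guard and the dry run default are there to keep you from denying your own management IPs. If you would rather not run a separate script, lfd can be taught the same pattern through its custom regex hook (regex.custom.pm), which is the supported way to turn a log line into a CSF block.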