
-
Solution for returning attackers when restarting CSF
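Test the latest one:

```perl
# added by Navid
if ($config{LF_MODSEC} && $globlogs{MODSEC_LOG}{$lgfile} && $line =~ /\[client (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[A-Fa-f0-9:]+)\] ModSecurity:.*?(?:\[id "(\d+)"\].*?)?Access denied.*?(\[uri "([^"]+)"\])?.*?(\[host "([^"]+)"\])?/i) {
    # Save the captures first: any later successful match or substitution resets $1..$6
    my $ip = $1;
    my $ruleid = defined($2) ? $2 : "unknown"; # Rule ID
    my $uri = defined($4) ? $4 : "unknown"; # Blocked URI
    my $host = defined($6) ? $6 : "unknown"; # Host header

    $ip =~ s/^::ffff://i; # Remove IPv6 prefix (if present)
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2; # Strip port from IPv4 only (e.g., 1.2.3.4:56789 → 1.2.3.4); leaves real IPv6 intact

    # The lazy optional groups above stay empty when the tags come after
    # "Access denied", so fall back to searching the whole line
    $ruleid = $1 if $ruleid eq "unknown" && $line =~ /\[id "(\d+)"\]/;
    $uri = $1 if $uri eq "unknown" && $line =~ /\[uri "([^"]+)"\]/;
    $host = $1 if $host eq "unknown" && $line =~ /\[host(?:name)? "([^"]+)"\]/;

    # Ports to block (expand as needed: HTTP, HTTPS, SMTP, FTP, etc.)
    my $block_ports = "80,443,25,587,465,21,22,8080,8443";

    if (checkip($ip)) {
        return ("ModSecurity Alert [ID:$ruleid] - Host: $host, URI: $uri", $ip, "mod_security-custom", "4", $block_ports, "1");
    } else {
        return;
    }
}
# ended by Navid
```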
-
Solution for returning attackers when restarting CSF
Or use this one for better enhancement:

```perl
# added by Navid
if ($config{LF_MODSEC} && $globlogs{MODSEC_LOG}{$lgfile} && $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[A-Fa-f0-9:]+)\:\d+\] \[client (\S+)\] ModSecurity:.*?(?:\[id \"(\d+)\"\].*?)?Access denied/i) {
    # Save the captures first: a successful s/// below would reset $6
    my $ip = $5;
    my $ruleid = "unknown";
    $ruleid = $6 if defined($6); # Capture ModSecurity rule ID

    $ip =~ s/^::ffff://;
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2;

    # The optional group only sees an id placed before "Access denied";
    # fall back to searching the whole line
    if ($ruleid eq "unknown" && $line =~ /\[id \"(\d+)\"\]/) {
        $ruleid = $1;
    }

    # Extract URI for context (optional)
    my $uri = "unknown";
    $uri = $1 if $line =~ /\[uri \"([^\"]+)\"\]/;

    if (checkip($ip)) {
        return ("ModSecurity Alert [ID:$ruleid] - Blocked URI: $uri", $ip, "mod_security-custom", "4", "80,443", "1");
    } else {
        return;
    }
}
# ended by Navid
```
-
Solution for returning attackers when restarting CSF
Thank you so much for reporting this error that you faced; here is the corrected and tested version.

For regex.custom.pm:

```perl
# added by Navid
if ($config{LF_MODSEC} && $globlogs{MODSEC_LOG}{$lgfile} && $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/) {
    my $ip = $4;
    $ip =~ s/^::ffff://;
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2;

    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {
        $ruleid = $1;
    }

    if (checkip($ip)) {
        return ("mod_security (id: $ruleid) triggered by", $ip, "mod_security-custom", "4", "80,443", "1");
    } else {
        return;
    }
}
# ended by Navid
```

To test the validation, just run the command below.

Validate the syntax:

```
perl -c /usr/local/csf/bin/regex.custom.pm
```

Output should show: OK.

Restart CSF/LFD:

```
csf -r
```
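An offline check of what the rule in the post above actually extracts, as an added example that is not part of the original post or of CSF: it runs the same pattern and IP clean-up over constructed Apache 2.4 error-log lines before the rule is loaded into lfd. The `checkip` stub, the `match_modsec` wrapper, the sample lines and the rule IDs are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: simplified stand-in for CSF's checkip(), which only exists inside lfd.
sub checkip {
    my ($ip) = @_;
    return ($ip =~ /^[0-9A-Fa-f:.]+$/ && $ip ne "127.0.0.1" && $ip ne "::1") ? 1 : 0;
}

# Pattern and IP clean-up copied from the rule; the $config/$globlogs guards are dropped.
sub match_modsec {
    my ($line) = @_;
    return unless $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/;
    my $ip = $4;
    $ip =~ s/^::ffff://;                       # IPv4-mapped IPv6 -> plain IPv4
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2;  # strip a port from IPv4 only
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) { $ruleid = $1; }
    return unless checkip($ip);
    return ($ip, $ruleid);
}

# Constructed sample lines (documentation addresses, made-up rule IDs).
my $pre = '[Sun Jan 12 15:02:08.123456 2025] [:error] [pid 1234:tid 5678]';
my $msg = 'ModSecurity: Access denied with code 403 (phase 2). [file "/etc/rules.conf"] [line "10"] [id "900001"] [uri "/x"]';
my @cases = (
    ["$pre [client 203.0.113.7:51234] [client 203.0.113.7] $msg",               "203.0.113.7"],
    ["$pre [client 203.0.113.9:51234] [client 203.0.113.9:51234] $msg",         "203.0.113.9"],
    ["$pre [client ::ffff:203.0.113.8:51234] [client ::ffff:203.0.113.8] $msg", "203.0.113.8"],
    ["$pre [client 2001:db8::5:51234] [client 2001:db8::5] $msg",               "2001:db8::5"],
    ["$pre [client 127.0.0.1:51234] [client 127.0.0.1] $msg",                   undef], # rejected by checkip
    ["$pre [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Warning. [id \"900002\"]", undef], # not a deny
);

my $failed = 0;
for my $c (@cases) {
    my ($line, $want) = @$c;
    my ($ip, $ruleid) = match_modsec($line);
    my $ok = (!defined $want && !defined $ip)
          || (defined $want && defined $ip && $ip eq $want);
    $failed++ unless $ok;
    printf "%-4s ip=%s id=%s\n", ($ok ? "ok" : "FAIL"), $ip // "-", $ruleid // "-";
}
exit($failed ? 1 : 0);
```

A non-zero exit status means a sample line produced a different address than expected, which for a firewall trigger is worth catching before `csf -r`.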
-
Updating ModSecurity to 2.9.8
Hi, I have a server with CWP pre-installed; if you need to test the latest one, with pleasure. Thanks.
-
Solution for returning attackers when restarting CSF
After reviewing the code, I've made some improvements for better readability and maintainability. The functionality remains the same, but the code is now more structured and clearer. Here's the revised version:

```perl
# added by Navid
if ($config{LF_MODSEC} && $globlogs{MODSEC_LOG}{$lgfile} && $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/) {
    my $ip = $4;
    $ip =~ s/^::ffff://;
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2;

    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {
        $ruleid = $1;
    }

    if (checkip($ip)) {
        return ("mod_security (id: $ruleid) triggered by", $ip, "mod_security-custom", "4", "80,443", "1");
    } else {
        return;
    }
}
# ended by Navid
```

Changes made to the code:

Used the && operator instead of and, for better Perl coding practice.
Reorganized the conditional checks to be more concise and easier to read.
Simplified the conditional statement for removing the port number from the IP address.
Added curly braces for better clarity and readability.

Note: if anything is missed, please advise me. Thank you.
-
Updating ModSecurity to 2.9.8
Hi, could someone kindly help us with how to update/upgrade ModSecurity to the latest version, v3.0.13, on CWP panel, please? Thank you so much.
-
Update/Install Latest Curl 8.3.0 on RHEL 8/RHEL 7/CentOS stream 8/9 CentOS 7 – CWP/Cpanel/Plesk
Hi, dear Sandeep, thank you so much for your very nice and useful guide on cURL. But as you know, the latest is cURL 8.11.1; could you please confirm and update the code for the latest cURL? Note: is the latest cURL compatible with CWP? Thank you, and waiting for your guide. Regards.
-
Update/Install Latest Curl 8.3.0 on RHEL 8/RHEL 7/CentOS stream 8/9 CentOS 7 – CWP/Cpanel/Plesk
Thank you so much, this topic helped me a lot. Yours sincerely.
-
cURL and ensure it is greater than 7.35.0. or greater
Hi, dear masters, I would like to install the latest version of cURL on CentOS 7. Kindly guide me on how I can apply this scenario, because I did as below:

```
rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/rhel7/x86_64/city-fan.org-release-2-1.rhel7.noarch.rpm
yum --enablerepo=city-fan.org update curl libcurl libcurl-devel
```

but it is not working. Thank you so much.
-
security for /usr/local/apache/autossl_tmp and it's sub folder
Hi, this week I got a lot of attacks which were on the below path:

```
2025/01/12 15:02:08 [error] 762#762: *1768584 openat() "/usr/local/apache/autossl_tmp/.well-known/acme-challenge/ALFA_DATA/alfacgiapi/bash.alfa" failed (2: No such file or directory), client: 68.183.234.75, server: mysite.com, request: "GET /.well-known/pki-validation/ALFA_DATA/alfacgiapi/bash.alfa HTTP/2.0", host: "www.mysite.com"
```

and they are trying to redirect the website to whichever one they want; there was also a huge DDoS attack on the same path. Kindly advise me on how I can secure CentOS 7 with CWP, please. I put a scenario below for some security steps: edit the htaccess file in the root by: Thank you.
-
rDNS/PTR = FAILED (Postfix Mail Server Manager)
Hi, thank you very much. Yes, it does; everything was good 3 days before, but suddenly there seems to be an issue in rDNS. Kindly guide me: what if I set up a new server with Alma 9? But I’m not sure CWP supports Alma 9. What is the solution? Thank you.
-
rDNS/PTR = FAILED (Postfix Mail Server Manager)
Hi, thank you, dear Sandeep, for your time and efforts to resolve our issue; it is indeed very valuable to us. Yes, port 53 is set correctly to open in all modes, TCP and UDP. Waiting for a further solution, please. Thank you.
-
does it possible to Migrating from CentOS7 to AlmaLinux9 (same server) without installing to new server
Hi, dear Master, please guide me: is it possible to migrate from CentOS 7 to AlmaLinux 9 (same server) without installing to a new server? I have CentOS 7 and am willing to migrate to AlmaLinux 9 without a new installation on a new server. If possible, please guide me. Note: I found the below article, but I’m not sure whether it will work or not. Source link: AlmaLinux vs. Rocky Linux: a comparison and guide - Hosti...
-
rDNS/PTR = FAILED (Postfix Mail Server Manager)
Hi, dear masters, I am having an issue with my rDNS, which is showing rDNS/PTR = FAILED. I have attached a screenshot for further help; kindly guide me on how I can resolve this issue.

Postfix Mail Server Manager
Rebuild your mail server with Amavisd, Spamassassin, ClamAV (AntiSpam and AntiVirus Protection)
Hostname needs to have a valid A record and rDNS/PTR set for successful email delivery.
**Reject the request when the hostname in the client HELO (EHLO) command has no DNS A or MX record. The unknown_hostname_reject_code specifies the response code to rejected requests (default: 450).

Your Hostname is: cloud.signalprime.com and it resolves to IP:

```
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> A cloud.signalprime.com +short @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
```

[Check Black List]
rDNS/PTR = FAILED, check with your hosting provider!
FAILED
[Check SenderBase]

rDNS/PTR check for IP 116.202.219.107 =

```
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> -x 116.202.219.107 +short @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
```

rDNS/PTR check for IP 116.202.219.96 =

```
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> -x 116.202.219.96 +short @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
```

Kindly guide me, please. Thanks.
-
Fix Centos 7 repo due to EOL could not retrieve mirrorlist
Hi, I hope you are doing well. Whenever I run this command, everything goes as expected:

```
curl -s -L https://www.alphagnu.com/upload/centos7-repo-fix.sh | bash
```

but when trying to update the system with yum update, I get the below error:

```
yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: d2lzkl7pfhq30w.cloudfront.net
No packages marked for update
```

Kindly guide me on what the issue is. Thank you.