Posted May 7May 7 comment_967 Hi Sandeep. For some reason i have a shitload of cyber terrorist that try to get into my CWP server. At this moment, all blocked ips from the past are permanent in the csf .deny file and in the main config i blocked most countries like China Russia Romania and a few other countries that support cyber criminals. Since i am experimenting a lot with the cfs firewall options, i have to restart it many times. Most time i use "quick restart firewall" but even i use that, after a few minutes that the firewall has restarted. i get about a 100+ attempts in the mail, of those ip's i have blocked already by country in the main config or in the csf .deny file, trying to get in, and i know the restarting of the firewall or lfd is just a matter of seconds ? so imagine how desperate they are to get in. So i was thinking... i have read somewhere that there is a firewall program on a Linux variant... ( but i cant recall anymore nor find where i read it), that as soon as the firewall or lfd is restarting, it automatically blocks all the inbound connections on the network devices ( you have selected in a cfg file.) so that it is never unprotected during the restart of the firewall. I know that clients will have interruption of the service, but i don't have clients. i use the server as a private server in the public domain. It is only for hosting websites without streams of any kind. The option to chose on what network devices to block inbound traffic, is important so you don't shut / lock yourself out. I have 3 nic's 2 for the public ip's and 1 that's connected to LAN. that one should be excluded so that i don't lose connection/ So my question is, do you know how to achieve this ? can u make easy script that be can used to restart lfd / firewall that stops inbound traffic or blocks it as long as csf / lfd is not active ? Best Regards, Mike
May 7May 7 Author comment_969 The reply with all possible ways ways including SSH [LF_BIND] << over 1000 queries per second from 1 ip [LF_FTPD] << all kind of usernames [LF_APACHE_404]<< like 200 times in 20 sec [LF_MODSEC] << [:error] [pid 2335005:tid 140366300833536] [client 141.98.11.96:52620] [client 141.98.11.96] ModSecurity: Access denied with code 403 (phase 1). Pattern match "^(?:\\\\'\\\\w+?=)?\\\\(\\\\)\\\\s{" at MATCHED_VAR. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "77"] [id "221260"] [rev "3"] [msg "COMODO WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271)||213.127.141.27|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [LF_SMTPAUTH] << postfix/smtpd[2690968]: warning: unknown[109.206.237.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 [LF_CUSTOMTRIGGER] << 10 (XMLRPC)
May 7May 7 comment_970 first, you can try this mod security csf regex : if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) { my $ip = $4; $ip =~ s/^::ffff://; if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//} my $ruleid = "unknown"; if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1} if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return} }
May 7May 7 Author comment_973 OK thank you. can you briefly explain what it is doing ? as i am less then a noob with regex. it totally makes no sense to me.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now