
Hi Sandeep.

For some reason I have a shitload of cyber terrorists that try to get into my CWP server. At this moment, all blocked IPs from the past are permanent in the csf .deny file, and in the main config I blocked most countries like China, Russia, Romania and a few other countries that support cyber criminals.

Since I am experimenting a lot with the csf firewall options, I have to restart it many times. Most of the time I use "quick restart firewall", but even when I use that, a few minutes after the firewall has restarted I get about 100+ attempts in the mail from IPs I have already blocked by country in the main config or in the csf .deny file, trying to get in. And I know the restarting of the firewall or lfd is just a matter of seconds? So imagine how desperate they are to get in.

So I was thinking... I have read somewhere that there is a firewall program on a Linux variant (but I can't recall anymore nor find where I read it) that, as soon as the firewall or lfd is restarting, automatically blocks all the inbound connections on the network devices (you have selected in a cfg file), so that it is never unprotected during the restart of the firewall. I know that clients will have an interruption of the service, but I don't have clients. I use the server as a private server in the public domain. It is only for hosting websites without streams of any kind.

The option to choose on which network devices to block inbound traffic is important so you don't shut / lock yourself out. I have 3 NICs: 2 for the public IPs and 1 that's connected to the LAN. That one should be excluded so that I don't lose the connection.

So my question is, do you know how to achieve this? Can you make an easy script that can be used to restart lfd / firewall and stops inbound traffic or blocks it as long as csf / lfd is not active?

 

Best Regards,

Mike

  • Author

The reply with all possible ways including SSH

[LF_BIND] << over 1000 queries per second from 1 ip

[LF_FTPD] << all kind of usernames

[LF_APACHE_404] << like 200 times in 20 sec

[LF_MODSEC]  << [:error] [pid 2335005:tid 140366300833536] [client 141.98.11.96:52620] [client 141.98.11.96] ModSecurity: Access denied with code 403 (phase 1). Pattern match "^(?:\\\\'\\\\w+?=)?\\\\(\\\\)\\\\s{" at MATCHED_VAR. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "77"] [id "221260"] [rev "3"] [msg "COMODO WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271)||213.127.141.27|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] 
[LF_SMTPAUTH]  << postfix/smtpd[2690968]: warning: unknown[109.206.237.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
[LF_CUSTOMTRIGGER]  <<  10 (XMLRPC)

first, you can try this mod security csf regex

 

if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}
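To show what the snippet above is actually doing (the revised version further down the thread uses the same pattern), here is an added Python re-implementation for walking through the regex. It is my own example, not code from the thread or from CSF, and not something to paste into regex.custom.pm. The pattern is copied verbatim from the snippet; the helper names, the sample timestamp and the elided rule text are my own constructions.

```python
import re

# Python translation of the CSF custom regex from the thread (the pattern itself is
# copied verbatim; Python's re accepts it unchanged). Capture group 4 is the client
# IP from the second "[client ...]" field, which has no source port appended.
MODSEC_DENY_RE = re.compile(
    r"^\[\S+ \S+ \S+ \S+ \S+\] "        # Apache error-log timestamp: [Wed May 08 00:23:11.123456 2024]
    r"\[(\w*)?:error\] "                # log level, e.g. [:error] or [security2:error]
    r"(\[pid \d+(:tid \d+)\]) "         # [pid 2335005:tid 140366300833536]
    r"\[client \S+:\S+\] "              # [client 141.98.11.96:52620]  (IP plus source port)
    r"\[client (\S+)\] "                # [client 141.98.11.96]        (group 4: the IP we keep)
    r"ModSecurity:(( \[[^\]]+\])*)? Access denied"  # only denials, not warnings or audit lines
)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')   # the ModSecurity rule id, e.g. [id "221260"]


def normalise_ip(ip):
    """Mirror the two Perl substitutions applied to $4."""
    ip = re.sub(r"^::ffff:", "", ip)        # IPv4-mapped IPv6 (::ffff:1.2.3.4) -> 1.2.3.4
    if len(ip.split(":")) == 2:             # exactly one colon means "ip:port": drop the port;
        ip = re.sub(r":\d+$", "", ip)       # a real IPv6 address has more colons and is left alone
    return ip


def parse_modsec_deny(line):
    """Return {"ip", "rule_id"} for a ModSecurity 'Access denied' line, else None."""
    m = MODSEC_DENY_RE.search(line)
    if not m:
        return None
    id_match = RULE_ID_RE.search(line)
    return {
        "ip": normalise_ip(m.group(4)),
        "rule_id": id_match.group(1) if id_match else "unknown",
    }


def csf_return_values(line):
    """Build the same 6-tuple the Perl snippet hands back to lfd: description, IP,
    application name, trigger count, ports, and the final flag, copied as-is."""
    hit = parse_modsec_deny(line)
    if hit is None:
        return None
    return ("mod_security (id:%s) triggered by" % hit["rule_id"], hit["ip"],
            "mod_security-custom", "1", "80,443", "1")


# Constructed sample lines: the ModSecurity one is the fragment quoted in the thread
# with a made-up timestamp prepended and the long rule pattern elided; the postfix
# line is the SASL failure from the thread, which must NOT match this regex.
SAMPLE_DENY = (
    "[Wed May 08 00:23:11.123456 2024] [:error] [pid 2335005:tid 140366300833536] "
    "[client 141.98.11.96:52620] [client 141.98.11.96] ModSecurity: Access denied with code 403 "
    '(phase 1). Pattern match "<elided>" at MATCHED_VAR. '
    '[file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "77"] '
    '[id "221260"] [rev "3"] [msg "COMODO WAF: Shellshock Command Injection Vulnerabilities"] '
    '[severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]'
)
SAMPLE_SMTP = ("postfix/smtpd[2690968]: warning: unknown[109.206.237.18]: "
               "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

if __name__ == "__main__":
    for sample in (SAMPLE_DENY, SAMPLE_SMTP):
        print(parse_modsec_deny(sample), "->", csf_return_values(sample))
```

Read left to right: the five `\S+` tokens eat the Apache timestamp, the two `[client ...]` fields are matched separately so that group 4 picks up the IP without the ephemeral source port, and the trailing `Access denied` keeps lfd from counting mere ModSecurity warnings. The `::ffff:` strip and the single-colon check are there for the IPv4-mapped and `ip:port` forms Apache can log; a genuine IPv6 address has several colons and is left untouched.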

 

  • Author

OK thank you.

Can you briefly explain what it is doing? As I am less than a noob with regex, it totally makes no sense to me.

  • 8 months later...

Sandeep,

I was using the additional code so LFD would just send the 1 paragraph out to the blacklists, but when I switch to OWASP latest it stopped working.

Any ideas?

Thanks

19 hours ago, Starburst said:

Sandeep,

I was using the additional code so LFD would just send the 1 paragraph out to the blacklists, but when I switch to OWASP latest it stopped working.

Any ideas?

Thanks

To check it against PCRE, could you post just one line from your logs not being caught..?!

Regards,

Netino

So it seems by default CWP sends out 3 paragraphs with attacks, and the above code cut it down to 1 paragraph.

Which in turn sites like AbuseIPDB can accept automatically.

On 5/8/2024 at 12:23 AM, Sandeep B. said:

first, you can try this mod security csf regex : 

 

if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}

 

After reviewing the code, I've made some improvements for better readability and maintainability. The functionality remains the same, but the code is now more structured and clearer. Here's the revised version:


# added by Navid
if ($config{LF_MODSEC} && $globlogs{MODSEC_LOG}{$lgfile} && $line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/) {
    # $4 is the second [client ...] field: the client IP without the source port
    my $ip = $4;
    $ip =~ s/^::ffff://;                      # strip the IPv4-mapped IPv6 prefix
    $ip =~ s/:\d+$// if split(/:/, $ip) == 2; # exactly one colon => "ip:port", drop the port

    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {
        $ruleid = $1;
    }

    # checkip() expects a reference to the IP scalar, as in the original snippet
    if (checkip(\$ip)) {
        return ("mod_security (id: $ruleid) triggered by", $ip, "mod_security-custom", "4", "80,443", "1");
    } else {
        return;
    }
}
# ended by Navid

Changes made to the code:

  1. Replaced the "and" operator with "&&" for better Perl coding practice.

  2. Reorganized the conditional checks to be more concise and easier to read.

  3. Simplified the conditional statement for removing the port number from the IP address.

  4. Added curly braces for better clarity and readability.

Note: if anything is missed, please advise me.

thank you.
