
Solution for returning attackers when restarting CSF



Hi Sandeep.

For some reason I have a shitload of cyber terrorists that try to get into my CWP server. At this moment, all blocked IPs from the past are permanent in the csf.deny file, and in the main config I blocked most countries like China, Russia, Romania and a few other countries that support cyber criminals.

Since I am experimenting a lot with the csf firewall options, I have to restart it many times. Most of the time I use "quick restart firewall", but even when I use that, a few minutes after the firewall has restarted I get about 100+ attempts in the mail from those IPs I have already blocked by country in the main config or in the csf.deny file, trying to get in. And I know the restart of the firewall or lfd is just a matter of seconds? So imagine how desperate they are to get in.

So I was thinking... I have read somewhere that there is a firewall program on a Linux variant (but I can't recall anymore, nor find where I read it) that, as soon as the firewall or lfd is restarting, automatically blocks all the inbound connections on the network devices you have selected in a cfg file, so that it is never unprotected during the restart of the firewall. I know that clients will have an interruption of the service, but I don't have clients. I use the server as a private server in the public domain. It is only for hosting websites, without streams of any kind.

The option to choose on which network devices to block inbound traffic is important so you don't shut/lock yourself out. I have 3 NICs: 2 for the public IPs and 1 that's connected to the LAN. That one should be excluded so that I don't lose the connection.

So my question is: do you know how to achieve this? Can you make an easy script that can be used to restart lfd/firewall and that stops inbound traffic or blocks it as long as csf/lfd is not active?


Best Regards,

Mike

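One way to do what the post asks, as an added example that is not from this thread: a wrapper that drops every inbound packet on the chosen public NICs with a tc ingress filter for the duration of the restart. csf rebuilds its iptables chains when it restarts, and tc sits outside iptables, so that rebuild cannot remove the cover. The interface names eth0/eth1 and the csf path are assumptions; the LAN NIC you are connected over must stay out of PUBLIC_IFACES.

```shell
#!/bin/sh
# Added example for the question above (not from the thread): restart csf while all
# ingress traffic on the listed public NICs is dropped at the device level by a tc
# filter. tc lives outside iptables, so csf rebuilding its chains cannot remove it.
# Interface names are assumptions; keep the LAN NIC you are connected over OUT of the list.

PUBLIC_IFACES="${PUBLIC_IFACES:-eth0 eth1}"   # public NICs to close (eth0/eth1 assumed)
TC="${TC:-tc}"                                 # TC=echo prints the tc commands instead of running them
CSF="${CSF:-csf}"

# Drop all ingress on $1: an ingress qdisc plus a catch-all u32 filter
# (match u32 0 0 = value 0 under mask 0, i.e. every packet) with action drop.
close_iface() {
    $TC qdisc del dev "$1" ingress 2>/dev/null   # clear a leftover qdisc from an aborted run
    $TC qdisc add dev "$1" ingress &&
    $TC filter add dev "$1" parent ffff: protocol all prio 1 u32 match u32 0 0 action drop
}

# Deleting the ingress qdisc deletes its filters with it, so traffic flows again.
open_iface() { $TC qdisc del dev "$1" ingress; }

# Refuse to close the NIC carrying the current SSH session (SSH_CONNECTION is
# "client_ip client_port server_ip server_port"), so you cannot lock yourself out.
lockout_check() {
    [ -n "${SSH_CONNECTION-}" ] || return 0
    srv_ip=$(printf '%s' "$SSH_CONNECTION" | cut -d' ' -f3)
    for dev in $PUBLIC_IFACES; do
        if ip -o addr show dev "$dev" 2>/dev/null | grep -qF " $srv_ip/"; then
            echo "refusing: your SSH session arrives on $dev ($srv_ip)" >&2; return 1
        fi
    done
}

guard_up()   { for dev in $PUBLIC_IFACES; do close_iface "$dev" || return 1; done; }
guard_down() { for dev in $PUBLIC_IFACES; do open_iface "$dev"; done; }

# guarded_restart [csf args], default -r. Use -r, not -q: -q hands the reload to lfd
# and returns at once, so the guard would be lifted before the rules are back.
guarded_restart() {
    [ $# -gt 0 ] || set -- -r
    lockout_check || return 1
    trap guard_down EXIT INT TERM        # reopen the NICs even if csf fails or we are killed
    guard_up || return 1
    "$CSF" "$@"; rc=$?
    guard_down; trap - EXIT INT TERM
    return $rc
}

case "${1-}" in --now) shift; guarded_restart "$@" ;; esac   # ./csf-guarded-restart.sh --now [-r]
```

Run it as root from a session on the LAN NIC; with TC=echo it only prints the tc commands it would issue, which is a safe way to check the interface list first.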

The reply with all possible ways including SSH

[LF_BIND] << over 1000 queries per second from 1 IP

[LF_FTPD] << all kinds of usernames

[LF_APACHE_404] << like 200 times in 20 sec

[LF_MODSEC] << [:error] [pid 2335005:tid 140366300833536] [client 141.98.11.96:52620] [client 141.98.11.96] ModSecurity: Access denied with code 403 (phase 1). Pattern match "^(?:\\\\'\\\\w+?=)?\\\\(\\\\)\\\\s{" at MATCHED_VAR. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "77"] [id "221260"] [rev "3"] [msg "COMODO WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271)||213.127.141.27|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]

[LF_SMTPAUTH] << postfix/smtpd[2690968]: warning: unknown[109.206.237.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

[LF_CUSTOMTRIGGER] << 10 (XMLRPC)

First, you can try this mod_security csf regex

# Custom lfd regex for /usr/local/csf/bin/regex.custom.pm (reload with "csf -ra" to activate).
# Matches a mod_security "Access denied" line from the MODSEC_LOG file(s) and blocks the client IP.
# Note: the "[pid N:tid N]" part is required by this pattern, as in the log line quoted above.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;                                   # second "[client ...]" field: the client IP
        $ip =~ s/^::ffff://;                           # strip an IPv4-mapped IPv6 prefix
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}    # drop a trailing :port from an IPv4 address
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}  # pull the rule id for the block message
        # return: message, IP, app name, hits to trigger (1), ports to block, block time (1 = permanent)
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
}