Dutch_Mike, posted May 7

Hi Sandeep. For some reason I have a shitload of cyber terrorists trying to get into my CWP server. At the moment, all IPs blocked in the past are permanently in the csf.deny file, and in the main config I have blocked most countries like China, Russia, Romania and a few other countries that support cyber criminals. Since I am experimenting a lot with the CSF firewall options, I have to restart it many times. Most of the time I use "quick restart firewall", but even when I use that, a few minutes after the firewall has restarted I get 100+ attempts in the mail from IPs I have already blocked by country in the main config or in the csf.deny file, trying to get in. And I know that restarting the firewall or lfd is just a matter of seconds, so imagine how desperate they are to get in.

So I was thinking... I have read somewhere that there is a firewall program on a Linux variant (but I can't recall anymore, nor find where I read it) that, as soon as the firewall or lfd is restarting, automatically blocks all inbound connections on the network devices you have selected in a cfg file, so that it is never unprotected during the restart of the firewall. I know that clients will have an interruption of the service, but I don't have clients. I use the server as a private server in the public domain. It is only for hosting websites, without streams of any kind.

The option to choose on which network devices to block inbound traffic is important so you don't shut/lock yourself out. I have 3 NICs: 2 for the public IPs and 1 that is connected to the LAN. That one should be excluded so that I don't lose my connection.

So my question is: do you know how to achieve this? Can you make an easy script that can be used to restart lfd / the firewall and that stops or blocks inbound traffic as long as csf / lfd is not active?

Best regards, Mike
Sandeep B., posted May 7

Hi, are they trying via the SSH port or via other ports as well?
Dutch_Mike (author), posted May 7

They try all possible ways, including SSH:

[LF_BIND] << over 1000 queries per second from 1 IP

[LF_FTPD] << all kinds of usernames

[LF_APACHE_404] << like 200 times in 20 sec

[LF_MODSEC] << [:error] [pid 2335005:tid 140366300833536] [client 141.98.11.96:52620] [client 141.98.11.96] ModSecurity: Access denied with code 403 (phase 1). Pattern match "^(?:\\\\'\\\\w+?=)?\\\\(\\\\)\\\\s{" at MATCHED_VAR. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "77"] [id "221260"] [rev "3"] [msg "COMODO WAF: Shellshock Command Injection Vulnerabilities in GNU Bash through 4.3 bash43-026 (CVE-2014-7187, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271)||213.127.141.27|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]

[LF_SMTPAUTH] << postfix/smtpd[2690968]: warning: unknown[109.206.237.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

[LF_CUSTOMTRIGGER] << 10 (XMLRPC)
Sandeep B., posted May 7

First, you can try this mod_security csf regex:

    # Match an Apache error_log line of the form
    # [timestamp] [:error] [pid N:tid N] [client IP:PORT] [client IP] ModSecurity: ... Access denied
    # $4 is the IP from the second "[client ...]" field (no port attached).
    if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        # Strip an IPv4-mapped IPv6 prefix and a trailing :port, if present
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        # Pull the ModSecurity rule id out of the line for the log message
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        # Return: log text, IP, app name, trigger count (1 hit), ports to block, block type ("1" = permanent)
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","1","80,443","1")} else {return}
    }
Dutch_Mike (author), posted May 7

Where do I post / add that?
Sandeep B., posted May 7

In the csf regex file: /etc/csf/regex.custom.pm
Dutch_Mike (author), posted May 7

OK, thank you. Can you briefly explain what it is doing? As I am less than a noob with regex, it totally makes no sense to me.
Sandeep B., posted May 8

This regex works with mod_security: upon a 403, the IPs are blocked.
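A restart wrapper along the lines Mike asked for in the opening post, as an added example and not code from csf, CWP or anyone in this thread. The reason it does not simply insert an iptables DROP rule before restarting is that `csf -r` flushes and rebuilds the filter table, so such a rule would disappear at exactly the moment it is needed. Instead it takes the public NICs down, runs the restart, and brings them back up only once csf has hooked its chain into INPUT again; the LAN NIC is never touched, so the admin session survives. The interface names (eth0 and eth1 public, eth2 LAN), the 60 second timeout and the use of csf's LOCALINPUT chain as the "csf is active" signal are assumptions; check the chain name with `iptables -S INPUT` on your own box before relying on it.

```shell
#!/bin/sh
# csf-guarded-restart.sh (added example, not part of csf or CWP)
# Cut the public NICs while csf/lfd restart and restore them once csf is back.
# Interface names and the timeout are assumptions; override them via environment.
set -u
PUBLIC_IFACES="${PUBLIC_IFACES:-eth0 eth1}"   # assumption: the public NICs
LAN_IFACE="${LAN_IFACE:-eth2}"                # assumption: the admin LAN NIC, never cut
CSF_WAIT_SECS="${CSF_WAIT_SECS:-60}"

# Print the interfaces to take down: every public NIC except the LAN NIC.
# Fails (exit 1, prints nothing) if that leaves nothing, so a mistyped list
# cannot produce a "guarded" restart that guards nothing.
cut_list() {
    list=""
    for i in $PUBLIC_IFACES; do
        [ "$i" = "$LAN_IFACE" ] && continue
        list="$list $i"
    done
    list="${list# }"
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Read `iptables -S INPUT` output on stdin and succeed when csf's LOCALINPUT
# chain is hooked in (assumption: that is how an active csf shows up in INPUT).
csf_hooked() {
    grep -q -- '^-A INPUT .*-j LOCALINPUT'
}

# Poll until csf has rebuilt its chains or the timeout expires.
wait_for_csf() {
    n=0
    while [ "$n" -lt "$CSF_WAIT_SECS" ]; do
        if iptables -S INPUT 2>/dev/null | csf_hooked; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

safe_restart() {
    ifaces=$(cut_list) || { echo "refusing: no public NIC to cut" >&2; exit 2; }
    for i in $ifaces; do ip link set "$i" down; done   # inbound on public NICs stops here
    csf -r                                             # full restart: flushes and rebuilds the ruleset
    systemctl restart lfd
    if wait_for_csf; then
        for i in $ifaces; do ip link set "$i" up; done
        echo "csf is active again; brought up: $ifaces"
    else
        # Deliberately leave the public NICs down: the requirement was "blocked as
        # long as csf is not active". Fix csf over the LAN NIC, then bring them up.
        echo "csf not active after ${CSF_WAIT_SECS}s; $ifaces left DOWN, repair via $LAN_IFACE" >&2
        exit 1
    fi
}

case "${1:-}" in run) safe_restart ;; esac
```

Run it as root from a session on the LAN NIC: `PUBLIC_IFACES="eth0 eth1" LAN_IFACE=eth2 sh csf-guarded-restart.sh run`. Two things to check on a first run with console access at hand: existing connections on the public NICs are dropped (which Mike said is acceptable), and taking a link down discards non-permanent IPv6 addresses, so compare `ip -6 addr` before and after. If csf does not come back within the timeout the public NICs stay down on purpose, which is the behaviour the opening post asked for.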