kamaok

mod-security-csf-ban

Nov 12th, 2022 (edited)
As we can see, the IP address block was caused by the OWASP rule with id 949110:

# grep 156.213.8.2  /var/log/lfd.log
Nov  9 09:34:58 hosting1 lfd[1449]: (mod_security) mod_security (id:949110) triggered by 156.213.8.2 (EG/Egypt/host-156.213.2.8-static.tedata.net): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]


The rule / access denials that led to the IP address block:
# grep 156.213.8.2 /usr/local/apache/logs/modsec_audit.log | grep 949110
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]

CSF (ConfigServer Firewall) is configured to work with mod_security and to block an IP address once mod_security has blocked it 5 times within 1 hour.

"5 mod_security blocks" is not the same thing as the mod_security anomaly score (which in our case also happens to be 5).



The IP address block (rule id 949110) is only the consequence of the user's requests exceeding the anomaly score threshold (the mod_security score mentioned above).
Each matching rule increases an 'anomaly score'.
At the conclusion of the inbound rules, and again at the conclusion of the outbound rules, the anomaly score is checked, and the blocking evaluation rules apply a disruptive action, by default returning an error 403.

All mod_security audit log entries for the blocked IP address (including the ones with rule id "949110") are listed in the full grep output further below.


In the mod_security logs we can see exactly which check contributed to the total score:
"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5"
So the total score is 5, and it consists solely of SESS=5.

What about SESS:

2022-11-09 09:34:53     languageversion.easy-trademarks.com     156.213.8.2         500
Request: GET /en/stripe-success?aa=222&session_id=cs_test_a19WkMENn3sVcKaa4CiI9SK8BRIzKxzyt9DYFzpX3t0tHmadUNOsnDab1Y
Action Description: Warning.
Justification: Operator GE matched 5 at TX:inbound_anomaly_score.


Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity:
Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"]
[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5):
Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"]
[hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]

SQLI    SQL injection
XSS     cross-site scripting
RFI     remote file inclusion
LFI     local file inclusion
RCE     remote code execution
PHPI    PHP injection
HTTP    HTTP violation
SESS    session fixation

Possible Session Fixation Attack: SessionID Parameter Name with No Referer

So this looks like the reason for SESS=5, hence Total Score=5, hence the mod_security block (403),
and after 5 such mod_security blocks CSF (ConfigServer Firewall) blocks the IP address.


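The two different "5"s on this page (the anomaly score that makes mod_security return 403, and the count of such 403s that makes lfd ban the address) are easy to confuse when reading the logs. The following Python is an added example, not part of kamaok's paste: it parses the lfd line, the 980130 correlation message and the audit log section-A headers, then reproduces both checks: which CRS category carried the inbound score, and whether five 949110 denies fall inside one LF_INTERVAL. The sample lines are copied from the excerpts above and shortened to the fields that are parsed; the constants 5 / 5 / 3600 are read off the logs and are assumptions about this host's CRS and csf.conf settings; the sliding-window count is my approximation of how lfd tallies LF_MODSEC, not lfd's own code.

```python
"""Separate the CRS anomaly score from the CSF/lfd block counter (added example)."""
import re
from datetime import datetime

# Read off the logs on this page; assumptions about this host's configuration.
INBOUND_THRESHOLD = 5     # CRS: "Operator GE matched 5 at TX:inbound_anomaly_score"
LF_MODSEC_TRIGGER = 5     # CSF: "5 in the last 3600 secs" -> five ModSecurity denies ...
LF_INTERVAL_SECS = 3600   # ... inside one hour make lfd block the address

# Constructed sample input: copied from the paste's excerpts, shortened to the parsed fields.
SAMPLE_LFD = ('Nov  9 09:34:58 hosting1 lfd[1449]: (mod_security) mod_security (id:949110) '
              'triggered by 156.213.8.2 (EG/Egypt/host-156.213.2.8-static.tedata.net): '
              '5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]')
SAMPLE_CORRELATION = ('ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. '
                      '[id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - '
                      'SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation '
                      'Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"]')
SAMPLE_AUDIT = """\
[09/Nov/2022:09:32:54 +0000] Y2tzxVOFdJSF0jADjRY-lgAAAAU 156.213.8.2 58862 176.9.70.216 80
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]
[09/Nov/2022:09:34:03 +0000] Y2t0CsjLWHjz3YKYgGA6vQAAAAk 156.213.8.2 58940 176.9.70.216 80
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]
[09/Nov/2022:09:34:28 +0000] Y2t0JMjLWHjz3YKYgGA6vgAAAAk 156.213.8.2 58939 176.9.70.216 80
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]
[09/Nov/2022:09:34:42 +0000] Y2t0MUV5Gbd0TMN3oXtVegAAAA0 156.213.8.2 58965 176.9.70.216 80
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]
[09/Nov/2022:09:34:53 +0000] Y2t0PcSWlv27gYwZWPWu9wAAAAc 156.213.8.2 58982 176.9.70.216 443
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]
"""

LFD_RE = re.compile(r'mod_security \(id:(?P<rule>\d+)\) triggered by (?P<ip>\S+) .*?: '
                    r'(?P<count>\d+) in the last (?P<secs>\d+) secs')
CORR_RE = re.compile(r'\[id "980130"\].*?\[msg "Inbound Anomaly Score Exceeded '
                     r'\(Total Inbound Score: (?P<total>\d+) - (?P<breakdown>[^)]*)\)')
HEADER_RE = re.compile(r'^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] (?P<uid>\S+) ')
DENY_RE = re.compile(r'Access denied with code 403.*?\[id "949110"\].*?\[unique_id "(?P<uid>[^"]+)"\]')


def parse_lfd(line):
    """The number in the lfd line is a count of ModSecurity denies, not an anomaly score."""
    m = LFD_RE.search(line)
    if not m:
        return None
    return {"rule_id": m.group("rule"), "ip": m.group("ip"),
            "count": int(m.group("count")), "interval": int(m.group("secs"))}


def parse_breakdown(line):
    """Return (total, {category: score}) from a CRS 980130 correlation line, or None."""
    m = CORR_RE.search(line)
    if not m:
        return None
    scores = {}
    for part in m.group("breakdown").split(","):
        name, _, value = part.partition("=")
        scores[name.strip()] = int(value)
    return int(m.group("total")), scores


def contributing_categories(scores):
    """Categories that actually added to the inbound score (here: only SESS)."""
    return sorted(name for name, score in scores.items() if score > 0)


def modsec_denies(audit_lines):
    """Pair each 949110 deny with the timestamp of its section-A header via unique_id."""
    header_ts = {}
    denies = []
    for line in audit_lines:
        h = HEADER_RE.match(line)
        if h:
            header_ts[h.group("uid")] = datetime.strptime(h.group("ts"), "%d/%b/%Y:%H:%M:%S")
            continue
        d = DENY_RE.search(line)
        if d and d.group("uid") in header_ts:
            denies.append((header_ts[d.group("uid")], d.group("uid")))
    return sorted(denies)


def csf_would_block(denies, trigger=LF_MODSEC_TRIGGER, interval=LF_INTERVAL_SECS):
    """Sliding-window approximation of lfd: True once `trigger` denies sit inside `interval` seconds."""
    times = [t for t, _ in denies]
    for i, start in enumerate(times):
        window = [t for t in times[i:] if (t - start).total_seconds() <= interval]
        if len(window) >= trigger:
            return True
    return False


if __name__ == "__main__":
    print(parse_lfd(SAMPLE_LFD))
    total, scores = parse_breakdown(SAMPLE_CORRELATION)
    print(total, contributing_categories(scores), total >= INBOUND_THRESHOLD)
    print(csf_would_block(modsec_denies(SAMPLE_AUDIT.splitlines())))
```

Run against the real files the same way (`modsec_denies(open(".../modsec_audit.log"))`) after filtering to one client address; the interesting cases are the ones where `csf_would_block` is true while `contributing_categories` names a single low-confidence category on a single legitimate URI, which is exactly this page's pattern.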
# grep 156.213.8.2 /usr/local/apache/logs/modsec_audit.log

[09/Nov/2022:09:32:54 +0000] Y2tzxVOFdJSF0jADjRY-lgAAAAU 156.213.8.2 58862 176.9.70.216 80
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2tzxVOFdJSF0jADjRY-lgAAAAU"]

[09/Nov/2022:09:34:03 +0000] Y2t0CsjLWHjz3YKYgGA6vQAAAAk 156.213.8.2 58940 176.9.70.216 80
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0CsjLWHjz3YKYgGA6vQAAAAk"]

[09/Nov/2022:09:34:28 +0000] Y2t0JMjLWHjz3YKYgGA6vgAAAAk 156.213.8.2 58939 176.9.70.216 80
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0JMjLWHjz3YKYgGA6vgAAAAk"]

[09/Nov/2022:09:34:42 +0000] Y2t0MUV5Gbd0TMN3oXtVegAAAA0 156.213.8.2 58965 176.9.70.216 80
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0MUV5Gbd0TMN3oXtVegAAAA0"]

[09/Nov/2022:09:34:53 +0000] Y2t0PcSWlv27gYwZWPWu9wAAAAc 156.213.8.2 58982 176.9.70.216 443
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"] [line "38"] [id "943120"] [rev "2"] [msg "Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [data "Matched Data: session_id found within REQUEST_HEADERS: 0"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "2"] [accuracy "7"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-fixation"] [tag "OWASP_CRS/WEB_ATTACK/SESSION_FIXATION"] [tag "WASCTC/WASC-37"] [tag "CAPEC-61"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "languageversion.easy-trademarks.com"] [uri "/en/stripe-success"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 156.213.8.2] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "37"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=5): Possible Session Fixation Attack: SessionID Parameter Name with No Referer"] [tag "event-correlation"] [hostname "languageversion.easy-trademarks.com"] [uri "/index.php"] [unique_id "Y2t0PcSWlv27gYwZWPWu9wAAAAc"]


I have changed the blocking time caused by mod_security rules from permanent (forever) to 3 hours,
so after 3 hours the IP address will be unblocked automatically.
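Shortening the ban limits the damage, but the root cause in the logs is a false positive: the request is the Stripe Checkout return URL (/en/stripe-success with a session_id=cs_test_... parameter), and CRS rule 943120 fires on any session-ID-looking parameter name arriving without a Referer header, which is exactly what a payment-provider redirect looks like. The usual fix is a rule exclusion scoped to that one path, so the rule stays active for the rest of the site and the anomaly threshold is left alone. The following is an added example, not something from kamaok's paste or from the CRS project; it is written for ModSecurity 2.x with CRS 3 as shown in the logs, and the rule id 10001 and the placement in a file loaded before the CRS rules (such as REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) are assumptions about this host.

```apache
# Added example (not from the paste): disable CRS rule 943120 only on the
# Stripe Checkout return path, where a session_id parameter without a
# Referer is expected behaviour. Everywhere else the rule keeps scoring.
# Assumptions: rule id 10001 is unused on this host, and this snippet is
# loaded before the CRS rule set (runtime "ctl" exclusions must run first).
SecRule REQUEST_URI "@beginsWith /en/stripe-success" \
    "id:10001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=943120"
```

Check the syntax with `apachectl configtest` and reload Apache; afterwards a request to that path should appear in modsec_audit.log without the 943120 warning and without the 949110 deny, so legitimate customers returning from Stripe no longer feed lfd's "5 in the last 3600 secs" counter. The 3-hour temporary ban described above corresponds, under stock csf.conf naming, to LF_MODSEC_PERM set to a duration in seconds (10800) instead of 1 (permanent); that mapping is an assumption about this host's CSF version.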