MOD Security Blocking AND CSF

Portal Home > Knowledgebase > Articles Database > MOD Security Blocking AND CSF

Posted by Dilstar, 07-04-2015, 12:19 PM
Dear All techs, I am working hard to resolve the issue regarding blocking websites owners by using their cpanel and cms dashboards. I am facing that CSF is blocking invalid login attempt, it set to default, i have seen in hostgator and other hosting, we can try lot of times without block, but in default csf, they only allow 3-5. so most of my customer block their ip easily in smtp and cpanel by invalid attempt. Second issue is big one: Mod security do block my customer while using dashboard. problem is that i dont want it to block my customer while using dashboard, i can whitelist the rules by csf mod security controlller, but for that i have to disable rules , and for more peaceful and good way i have to disallow all problematic false positive rule to mod security whitelist. but it will be not good if i disallow the rules. i want to keep all rules, but dont block the ips of genioun workers in cms. Question in my mind: Can i allow CC Allow to my country to resolve all above issue , but it might increase security issues due to it will not block anyone from my country. or i have to do something different,. suggest me. thanks
Posted by sabrina84, 07-04-2015, 12:57 PM
First check modsec log and fix local issue then lock for country base restriction. Last edited by Postbox; 07-04-2015 at 09:48 PM.
Posted by TheSHosting, 07-04-2015, 01:02 PM
CC based locks may not work in every case expected. But you can adjust CSF configuration to manage these issues; CSF provides you enough provision to manage each such blocks. So for eg: you can disable mod_Sec block and set necessary service login attempts to a higher value ( though it is not recommended to upgrade SSH login attempts ).
Posted by Dilstar, 07-04-2015, 04:47 PM
is it mean if we will disable mod sec, then mod security will not provide us security? as it will the ip and user will able to compromise easily. if we will disable mod_sec then wordpress and joomla site could be vulunerables, and able to compromise easily. i think mod security help us against many vulnerable of cms and symlink comromise transfering too what do you think.
Posted by sabrina84, 07-04-2015, 09:05 PM
Dilstar again it depend upon your webserver, how harden it is. There are many servers which are running without modsec but harden with proper policies never ever effected. Last edited by Postbox; 07-04-2015 at 09:49 PM.
Posted by TheSHosting, 07-05-2015, 07:07 AM
I did not mean to disable mod_security. It is not at all recommended and it is one of the best method to defend we b attacks if you properly manage it. I mentioned to disable mod_sec trigger block in CSF configuration. If you need more accurate information, check for below entries in CSF configuration. LF_MODSEC = 0 will disable CSF blocking for mod_sec rule violation. You can also adjust LF_MODSEC_PERM and see how it can help in your case, if you do not wish to stop mod_sec blocking in CSF.
Posted by danami, 07-05-2015, 09:11 AM
You can set CC_IGNORE in /etc/csf/csf.conf to tell the login failure daemon to not block countries that you do business with.
Posted by Dilstar, 07-05-2015, 10:43 AM
what will be the difference in cc allow and cc ignore, both will allow the ip to access?
Posted by Srv24x7, 07-05-2015, 12:53 PM
Hi, You can set all the settings you want in the LF_ sections, for smtp connections and increase them too. LF_ As far the mod security is concerned, if you keep the rules, they will keep blocking. Mod security rules are hard but they scan based on that the query is being generated to deliver. It pretty hard to change them as per your requirement. You can have a ConfigServer modsec installed and whitelist the rules per domain basis.