Brute Force Monitor: modsec_audit.log Mod_Security (TEMPLATES)

Version 1.61.4

Feature
Finished

The BFM will now scan the ModSecurity "modsec_audit.log" files (under /var/log/httpd or /var/log/nginx), when each line is json encoded, to block IPs.

----------------
DIRECTADMIN.CONF

This will be OFF by default in the internal directadmin.conf:

brute_force_scan_mod_security_logs=0

This is to allow for more testing, although we have not had any issues with the json log parser.

----------------
ENABLE:

./directadmin set brute_force_scan_mod_security_logs 1
service directadmin restart

----------------
The entry shown on the BFM page will only show a select number of fields from the full log line:

- host: domain that was attacked (taken from the Host header)
- id: ModSecurity's unique log ID.
- uri: /the/bad?request=../etc/passwd

Note that there are 2 versions of ModSecurity (apache vs nginx), and the json log info varies slightly. DA figures this out automatically based on the 2 different brute_filter.conf entries, but will still try to place the ~same data into the 3 vars above, even if the uri format may differ slightly (one entry's uri_tree points at the uri itself, the other at the full request line).

=============
LOGS

either:
/var/log/httpd/modsec_audit.log
or
/var/log/nginx/modsec_audit.log

=============
CUSTOMBUILD

DA only parses those logs if the custombuild/options.conf has:

modsecurity=yes

=============
DIVISOR

The brute_filter.list now supports:

count_divisor=##

which lets you lower the hit count needed in order to have a filter trigger. For the ModSecurity entries we've set it to 2, meaning it will require 1/2 the total number of hits to block. Eg: the default hit count is 100, so this would only need 50 hits to trigger a block.

=============
TEMPLATE

brute_filter.conf, 2 new entries:

mod_security1=type=json&ip_tree=transaction:client_ip&host_tree=transaction:request:headers:host&uri_tree=transaction:request:uri&id_tree=transaction:unique_id&count_divisor=2
mod_security2=type=json&ip_tree=transaction:remote_address&host_tree=request:headers:Host&uri_tree=request:request_line&id_tree=transaction:transaction_id&count_divisor=2

which are type=json lines.
The ip/host/id/uri values are taken based on the *_tree vars, where each value is a ':'-separated list of keys, each key one level further down into the json document, with the last key holding a string.

=============
Compile time: Sep 11 2020 at 17:29:43
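As an added illustration of how the two type=json entries above are meant to be read (this is example code written for this page, not DirectAdmin's own parser), the script below parses a brute_filter.conf-style entry as key=value pairs, walks each ':'-separated *_tree path into a decoded log line, and applies count_divisor to the default hit count of 100. The two sample log lines are constructed to match the *_tree paths in the template entries; they are not verbatim ModSecurity output, and the 100-hit default and the 50-hit result are taken from the DIVISOR paragraph. The filter names and function names are this example's own.

```python
import json
from collections import Counter
from urllib.parse import parse_qs

# The two template entries from the changelog text above, keyed by their names.
FILTERS = {
    "mod_security1": "type=json&ip_tree=transaction:client_ip&host_tree=transaction:request:headers:host"
                     "&uri_tree=transaction:request:uri&id_tree=transaction:unique_id&count_divisor=2",
    "mod_security2": "type=json&ip_tree=transaction:remote_address&host_tree=request:headers:Host"
                     "&uri_tree=request:request_line&id_tree=transaction:transaction_id&count_divisor=2",
}

# Constructed sample lines (not real ModSecurity output): one shaped like the
# apache-style entry (transaction:client_ip), one like the other entry.
APACHE_LINE = json.dumps({
    "transaction": {
        "client_ip": "203.0.113.7",
        "unique_id": "X1abc",
        "request": {"uri": "/the/bad?request=../etc/passwd",
                    "headers": {"host": "example.com"}},
    }
})
NGINX_LINE = json.dumps({
    "transaction": {"remote_address": "198.51.100.9", "transaction_id": "abc123"},
    "request": {"request_line": "GET /the/bad?request=../etc/passwd HTTP/1.1",
                "headers": {"Host": "example.com"}},
})


def parse_filter(spec):
    """brute_filter entries are '&'-joined key=value pairs, i.e. a query string."""
    return {k: v[0] for k, v in parse_qs(spec, keep_blank_values=True).items()}


def walk(doc, tree):
    """Descend one json level per ':'-separated key; the last key must hold a
    string, otherwise the line is treated as malformed for this filter (None)."""
    node = doc
    for key in tree.split(":"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def extract(line, filters=FILTERS):
    """Return (filter_name, fields) for the first json filter whose ip_tree
    resolves in this line, or None if the line is not json or matches none."""
    try:
        doc = json.loads(line)
    except ValueError:
        return None
    for name, spec in filters.items():
        f = parse_filter(spec)
        if f.get("type") != "json":
            continue
        ip = walk(doc, f["ip_tree"])
        if ip is None:
            continue  # wrong ModSecurity flavour for this entry, try the next one
        return name, {
            "ip": ip,
            "host": walk(doc, f["host_tree"]),
            "uri": walk(doc, f["uri_tree"]),
            "id": walk(doc, f["id_tree"]),
            "divisor": max(1, int(f.get("count_divisor", "1") or 1)),
        }
    return None


def scan(lines, max_count=100):
    """Count hits per IP and return the IPs that reach max_count / count_divisor.
    max_count=100 is the default hit count quoted in the DIVISOR paragraph."""
    hits = Counter()
    threshold = {}
    for line in lines:
        res = extract(line)
        if res is None:
            continue
        _, rec = res
        hits[rec["ip"]] += 1
        threshold[rec["ip"]] = max(1, max_count // rec["divisor"])
    return {ip for ip, n in hits.items() if n >= threshold[ip]}


if __name__ == "__main__":
    for line in (APACHE_LINE, NGINX_LINE):
        print(extract(line))
    print(scan([APACHE_LINE] * 50))  # 50 hits with count_divisor=2 is enough to block
```

The order of the filters matters: the ip_tree of the first entry does not resolve on the second line shape, so the loop falls through to the next entry rather than mis-attributing the hit, which is the behaviour the changelog describes for the apache vs nginx log formats.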