How to use Fail2ban with modsecurity and CyberPanel

The instructions are based on these outdated instructions.

Go to ModSecurity Conf in CyberPanel, change “SecAuditLogRelevantStatus” to “”. Don’t leave it empty, it won’t let you do that. Commenting out the line in the config file doesn’t work either.

/etc/fail2ban/jail.local:

[lsws-modsec]
enabled = true
port = http,https
filter = lsws-modsec
logpath = /usr/local/lsws/logs/auditmodsec.log
maxretry = 1
backend = pyinotify

/etc/fail2ban/filter.d/lsws-modsec.conf:

# Fail2Ban lsws-modsec filter
#

[INCLUDES]

before = common.conf


[Init]

maxlines = 6
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z

[Definition]
#failregex = \[.*?\]\s[\w.]*\s(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\s.*\n.*\n.*\n.*\nModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
_lsws_error_client = \[.*?\]\s[\w.]*\s<HOST>\s
failregex = ^%(_lsws_error_client)s.*(\n.*){4}\nModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

ignoreregex = 

# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
# Author: Daniel Black
#         Sergey G. Brester aka sebres (review, optimization)
#	  Thomas Vanvalkinburgh

Then reload Fail2ban, “systemctl reload fail2ban”.

That assumes you already have Fail2ban working. You can find Fail2ban instructions on Google.

I also forgot, Fail2ban only blocks the ports you specify, so it won’t block it to the entire server, unless you configure it that way. Still won’t have to waste resources on modsecurity.

How do I get myself banned? Need to see if the log is even working.

Nope, modsecurity isn’t doing anything now. Guess those really are outdated instructions.

Well, modsecurity works now. And the log isn’t empty, now to see if the apache-modsecurity will work.

There’s no IP address in the line “^ModSecurity:\s+(?:[(?:\w+ \”[^\”]\”|[^]])]\s)Access denied with code”.

The apache doesn’t work, because it’s looking for something with error in it.

Going to have to make my own regex, that’s a bummer.

Finally might of figured out the regex. Haha, don’t replace \n with ^, now it’s banning people and/or bots that didn’t do anything, and it won’t ban me.

It works with PHP, but not Fail2ban. You can’t do it, because the ModSecurity is it’s own line.

Update
Files updated, you need to use maxlines, and whatever “%(_lsws_error_client)s” does. The docs don’t explain very well. To lazy to read the entire Python doc on regex.

You don’t need to change anything in CyberPanel, just use the config from above.

The regex found my IP, but it fails to block me. “fail2ban-regex /usr/local/lsws/logs/auditmodsec.log /etc/fail2ban/filter.d/lsws-modsecurity.conf -v”, shows my IP a bunch.

What’s the point in fail2ban-regex? There’s matches, but the stupid thing isn’t banning anything.

If you are logged in by SSH, will it not ban you? My IP isn’t in the ignore list.

Nope, won’t ban my T-Mobile IP either. Maybe it’s reading the file super slowly.

Removed the extra spaces in the jail.local, still not banned.

Rebooting the server didn’t fix it either.

Using a different backend doesn’t do anything either. I deleted the log again, restarted lsws, and it still won’t ban me. I made a script to run wget on the URL that modsecurity blocks. The script runs till I kill it.

Why would fail2ban-regex find matches, but the actual thing doesn’t seem to care?

fail2ban-client status lsws-modsecurity
Status for the jail: lsws-modsecurity
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/usr/local/lsws/logs/auditmodsec.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

Google isn’t much help, some say it’s the time, but the time in the file is fine.

Changed the name of the file, that didn’t solve anything.

“Lines: 9243 lines, 0 ignored, 928 matched, 8315 missed”

According to fail2ban-regex.

#!/bin/bash

# Bash Script by https://gist.github.com/mitchellkrogza
# ************************************************************
# This script clears the log file and database of Fail2Ban
# This resets Fail2Ban to a completely clean state
# Useful to use after you have finished testing all your jails 
# and completed your initial setup of Fail2Ban and are now
# putting the server into LIVE mode
# ************************************************************

# Please Set your log file and sqlite db locations
# Locations below are common on Ubuntu and Debian based systems

F2Blog="/var/log/fail2ban.log"
F2Bdb="/var/lib/fail2ban/fail2ban.sqlite3"

# Now let us clean up
echo "Stopping Fail2Ban Service"
systemctl stop fail2ban
echo "Truncating Fail2Ban Log File"
truncate -s 0 $F2Blog
echo "Deleting Fail2Ban SQLite Database"
rm -fr $F2Bdb
echo "Restarting Fail2Ban Service"
systemctl start fail2ban
echo "All Done"

Not sure I’d recommend that, now nothing is banned. Found that from here. Changed it to use systemctl.

Still not banned.

Setting the findtime to 5000, doesn’t work either. It did ban a WordPress brute forcer though. It never says found for anything for the lsws-modsec filter, I changed the name.

I know it can read the log file, when I deleted it, there was an open error in the fail2ban.log. So there’d be an error if it couldn’t read it.

I doubt changing maxlines will do anything, the regex does work, even with 10, might just make it slower.

Did nothing, just like I thought. Making a symlink didn’t change anything either. In case it doesn’t like the /usr folder.

Changed it back. I don’t get why the regex works with fail2ban-regex, but clearly doesn’t with Fail2ban.

“[]\s[\w.]\s(?:::f{4,6}:)?(?P[\w-.^_]\w)\s.(\n.){3}\nModSecurity:\s+(?:[(?:\w+ \”[^\”]\”|[^]])]\s)Access denied with code [45]\d\d”

That’s the regex it’s using. If you try running that with fail2ban-regex, it finds no matches.

Server slowed to a crawl. Need to go to bed.

The new regex it’s using, should work.

^\[.*?\]\s[\w\.]*\s(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)*\s.*(\n.*){3}\nModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d

According to pythex.org, with a log entry in it.

Server is to slow to run that now. Of course it didn’t work, I forgot -L 5. Since I wasn’t using the lsws-modse.conf file.

Guess it doesn’t work, regex is fine, just doesn’t read the file or something. I emptied the log file too, in case it was to big.

I put the above regex, that it generated or modified, and it still doesn’t work, it never finds anything. Of course fail2ban-regex works. I’m guessing fail2ban is broken.

I tried every backend, still doesn’t work. Some other site said to use systemd for the backend, that doesn’t work either. Don’t do that, it won’t check files if you do that. Just the journal.

Update
The filter and jail.local have been updated, it works now. Problem is, fail2ban-regex strips blank new lines, Fail2ban itself doesn’t do that, so I needed to do it how I was doing it at first. Almost 6 am, good job Fail2ban, having the regex tester work differently. I got banned, and then I unbanned myself.

I use systemd and a different backend for the stuff that isn’t in the journal, I’m using pyinotify, but polling probably works too, and maybe even gamin, I have all installed. They should fix the regex tester, make it function like the server.

What did I do?

The only thing I can think of, is I was looking at somebody, then they walked through the parking lot, and I didn’t look at them again, or say anything to them.

Surprised that pissed everybody off.

Two different people didn’t hold the elevator for me. Almost nobody says hi to me anymore. If they are waiting for me to say hi to them, they will be waiting a long time.

On another note, I just took a runny dump. Either caused by caffeine, or food. If it was the potato skins I ate, that took like two days for it to do that.

Usually getting the runs from something happens right away.

Philo is better then Hulu

The regular Hulu, not sure about their live TV service, their better DVR is expensive, you need it to fast forward.

Just save all the shows you watch on Philo, then it’ll DVR them, and you can skip commercials. It doesn’t do just new episodes, it does all of them.

Now, I can watch old episodes of South Park, and skip commercials. Is Philo legal?

Will those Linux phones come with a firewall?

That blocks all incoming connections by default? If not, and there’s something listening on a public cell IP, you might find your phone hacked.

Does Android or iOS block incoming connections? If not, then I guess it doesn’t matter. But, I’m paranoid, so I’d install a firewall.

Mythtv needs a delay when starting it

Otherwise, it’ll say you have zero encoders. At least that’s the case with a HDHomeRun. Restarting the service, after logging in, works. But that’s a pain.

Instead add “ExecStartPre=/bin/sleep 30” to /etc/systemd/system/multi-user.target.wants/mythbackend.service.

Does it only start to fast on a NVMe SSD?

Mod Security will speed up your site

Must be blocking a ton of bots. Can you tell Fail2ban to completely block the IPs Mod Security blocks? Then they can’t hit your server at all, just gets dropped by the firewall.

So if your 2 GB VPS, isn’t as fast as it should be for low human traffic sites, install Mod Security.

I deleted the log file, I was following outdated instructions for modsecurity. Doesn’t look like it’s blocking any bots.

There’s a apache-modsecurity.conf in /etc/fail2ban/filter.d/. Don’t know if it works with OpenLiteSpeed.

I’ll just use the outdated instructions. Since there’s nothing in the log, so I can’t see if the apache filter will work.

Bicep hurts

To bad it’s my right one. Is it biceps or bicep? The s would indicate more then one, only one hurts.

Either taking a shower made it hurt, or putting my laundry away, the laundry bag wasn’t very heavy. It hurts on and off.

Well, if it breaks, I’ll get more caregiver hours, I won’t be able to wipe my ass anymore, or get dressed, or take a shower. Actually, I’ll probably go to a nursing home. I’ll run away when they try wiping my ass for me. I don’t want somebody else wiping it for me, unless they are my girlfriend or wife, I’d let her.

No more computers either, I need my right hand to type and use the mouse.

Librem 5 delayed till Q3

I might have enough money by then for one.

It’ll probably get delayed again.

And it doesn’t support one of T-Mobile’s bands. Apparently the PinePhone will.

There’s a video here. On the Phoronix forum, people say the performance looks bad. Looks fine to me, considering the CPU it has.

The PinePhone is apparently upgradable. Since it will most likely be cheaper then the Librem 5, I might buy it. I’ll keep my iPhone 7 too. The PinePhone might cost $200 or less.

To be clear, I am not criticizing RockPro64 or any other products (other than Rpi, they need to bundle up their obnoxious proprietary drivers and leap throw themselves on a raging bonfire).

On this forum post about the PinePhone.

So their Android phone is 100% open source? If not, that’s funny coming from them.

Source

T-Mobile is fast

After 2 am, it’s after 3 am now. I turn my WiFi off when I’m sleeping, or going to go to sleep. Phone likes disconnecting from WiFi, then I wake up with alerts telling me I connected. Somebody could be messing with it. Since I’m not running Kismet anymore, I have no idea. The log might say something, but since I won’t be awake, it’ll require a ton of scrolling.

Might need to replace one or both of my loud ass fans in the front of my case. Making a noise, I only notice it in the bathroom, like it’s spinning, then stops, spins more. I assume it’s one of the front fans, they are the loudest, that’s why I bought them, high RPM. I lowered them to the low setting, probably doesn’t need to be running at the highest RPM when the computer is doing nothing.

Those fans are only 2000 RPM? Well, they are 120mm. Did I ever put one in the rear? Just order three of them, they are $8 on Amazon. Assuming those are the fans.