Issue
CSF's Login Failure Detection (LFD) and its LF_MODSEC threshold are intended to block IP addresses based on mod_security events. The number of events required to block an IP is defined by the LF_MODSEC variable in csf.conf. By default it is 5, but when CSF runs alongside the Imunify360 WAF ruleset, leaving LF_MODSEC at a non-zero value can result in a high number of false positives.
It is recommended to set the LF_MODSEC variable to 0; this article describes the impact of LF_MODSEC to address concerns about following this recommendation.
Environment
- Imunify360
- CSF
Solution
The boolean "Catch LFD events" setting defines whether CSF Integration is active, and depending on whether it is On or Off there are two scenarios.
- When CSF Integration is switched On, Imunify360 blocks IPs using its own IP lists and also removes blocked IPs from the CSF deny file so that it can process them further, for example to gather statistics or present a Captcha challenge rather than dropping them immediately. In this scenario we recommend disabling Login Failure detection in CSF and setting LF_MODSEC to 0, as otherwise CSF will be mistakenly triggered by Imunify360 rules that are designed as low-severity monitoring rules.
- When CSF Integration is switched Off, CSF and Imunify360 work as two independent solutions, with the redundant modules disabled on the Imunify360 side. Imunify360 will not edit CSF lists, but CSF may still block IP addresses based on LF_MODSEC, and those blocks go into CSF's own separate lists, which are neither managed nor overridden by Imunify360 whitelists.
In both scenarios such blocks are considered false positives, and WAF ruleset updates or new rules may require raising a previously set threshold. If integration is switched off, CSF itself must be used to whitelist blocked IPs where necessary. Nonetheless, to reduce false positives, it is recommended to set the LF_MODSEC variable to 0. This allows Imunify360 to block IPs based only on high-severity mod_security events while preserving its WAF ruleset design.
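To audit and apply this setting on a server, here is an added shell example (not from the article or from the CSF/Imunify360 projects); it assumes csf.conf's standard `LF_MODSEC = "5"` line format and runs against a constructed sample file rather than a live csf.conf:

```shell
# Added example, not code from the article or from CSF/Imunify360.
# Assumes the standard csf.conf line format:   LF_MODSEC = "5"

# Print the effective LF_MODSEC value from a csf.conf-style file (empty if absent).
# Only an uncommented setting line counts; "# LF_MODSEC ..." comment lines are ignored.
get_lf_modsec() {
    sed -n 's/^[[:space:]]*LF_MODSEC[[:space:]]*=[[:space:]]*"\([0-9][0-9]*\)".*$/\1/p' "$1" | head -n 1
}

# Set LF_MODSEC to 0 in place, leaving every other line untouched.
# Exit status: 0 = changed, 1 = already 0, 2 = setting not found.
set_lf_modsec_zero() {
    conf=$1
    current=$(get_lf_modsec "$conf")
    [ -n "$current" ] || return 2
    [ "$current" != "0" ] || return 1
    tmp="$conf.tmp.$$"
    sed 's/^\([[:space:]]*LF_MODSEC[[:space:]]*=[[:space:]]*\)"[0-9]*"/\1"0"/' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Constructed sample csf.conf fragment (not a real server file) for a dry run.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Login Failure Detection section (constructed sample)
# LF_MODSEC = "5" is the shipped default; a comment like this must be ignored
LF_TRIGGER = "0"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
EOF
}

# Stand-alone run: audit the sample, fix it, show the result.
sample=$(mktemp)
write_sample_conf "$sample"
echo "before: LF_MODSEC=$(get_lf_modsec "$sample")"
set_lf_modsec_zero "$sample" && echo "changed" || echo "no change needed (status $?)"
echo "after:  LF_MODSEC=$(get_lf_modsec "$sample")"
rm -f "$sample"
```

On a real server point the functions at /etc/csf/csf.conf and restart CSF afterwards (csf -r) so the new threshold takes effect.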
Cause
CSF is expected to count high-severity mod_security events towards the LF_MODSEC threshold, but the rules in the Imunify360 WAF ruleset carry different severity levels depending on their nature. When LF_MODSEC is set to a non-zero value, CSF may also count mod_security events that were designed, or temporarily introduced, for monitoring, which can lead to false positives. Meanwhile, the Imunify360 WAF ruleset is designed securely in its own right and does not rely on this LFD mechanism.