Issue
After installing Imunify360 on a server running DirectAdmin with the BFM service enabled, CSF/BFM started blocking many legitimate connections based on events triggered by our ModSecurity rules:
- In CSF deny.log, the following entries appear:
```
19.x.116.x # BFM: mod_security1=5 (NL/Netherlands/testdomain.com) - Sat Aug 5 00:20:42 2023
13.x.100.x # BFM: mod_security1=10 (SE/Sweden/testdomain.com) - Sat Aug 5 00:20:43 2023
46.x.x.42 # BFM: mod_security1=4 (LV/Latvia/testdomain.com) - Sat Aug 5 00:24:42 2023
28.x.120.x # BFM: mod_security1=3 (US/United States/testdomain.com) - Sat Aug 5 00:53:42 2023
```
- Actions like logging into WHMCS trigger the rules and block the user's IP despite the fact the correct password has been used.
Environment
- Imunify360
- DirectAdmin
- Imunify360 WAF Ruleset
- Brute Force Monitor (BFM) feature is ON
Solution
Imunify360 already provides the same function, protection against brute-force attacks, but it currently has no compatibility mode with BFM, so the recommended fix is to disable the Brute Force Monitor plugin to avoid these false positives.
To disable BFM:
1. Open the `directadmin.conf` file and set all the values below to `0`:
```
# cat /usr/local/directadmin/conf/directadmin.conf | grep brute
bruteforce=1
brute_force_scan_mod_security_logs=1
brute_force_log_scanner=1
```
so that they look like this:
```
bruteforce=0
brute_force_scan_mod_security_logs=0
brute_force_log_scanner=0
```
NB! Some of these directives may be absent from `directadmin.conf`.
Completely disabling BFM is possible with these two directives set to `0`:
```
bruteforce=0
brute_force_log_scanner=0
```
2. Restart the service to apply the change:
```
service directadmin restart
```
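Step 1 can be applied without hand-editing. The shell functions below are an added example, not Imunify360's or DirectAdmin's own tooling: they set each BFM directive to `0`, append any directive that is absent from the file (the note above warns some may be), keep a backup, and verify the result. The config path is the one shown above; `DA_CONF` is an assumed override variable for testing on a copy.

```bash
#!/bin/sh
# Added example: disable DirectAdmin BFM directives in directadmin.conf idempotently.
# DA_CONF is an assumed override so the functions can be exercised on a copy of the file.
CONF="${DA_CONF:-/usr/local/directadmin/conf/directadmin.conf}"
BFM_DIRECTIVES="bruteforce brute_force_scan_mod_security_logs brute_force_log_scanner"

# set_directive FILE KEY VALUE: rewrite an existing "KEY=..." line in place,
# or append "KEY=VALUE" when the directive is missing from the file.
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s/^${key}=.*/${key}=${value}/" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# disable_bfm FILE: back the file up, then set every BFM directive to 0.
disable_bfm() {
    file="$1"
    cp "$file" "${file}.bak.$(date +%Y%m%d%H%M%S)"
    for key in $BFM_DIRECTIVES; do
        set_directive "$file" "$key" 0
    done
}

# bfm_disabled FILE: succeed (exit 0) only if every directive is present and set to 0.
bfm_disabled() {
    file="$1"
    for key in $BFM_DIRECTIVES; do
        grep -q "^${key}=0\$" "$file" || return 1
    done
    return 0
}

# Intended use on the server (as root), followed by the restart from step 2:
#   disable_bfm "$CONF" && bfm_disabled "$CONF" && service directadmin restart
```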
Cause
The Brute Force Monitor plugin reads the ModSecurity logs produced with our WAF ruleset installed and interprets them differently from Imunify360. This leads to false positives: an IP address is blocked even when only non-blocking rules were triggered, by actions that have nothing to do with brute-force activity.
Useful links
- https://forum.directadmin.com/threads/how-to-disable-bfm-in-directadmin.66243/
- https://forum.directadmin.com/threads/bfm-mod_security2-exim-dovecot1.67586/
- https://docs.directadmin.com/directadmin/general-usage/directories-and-locations.html