Confusing LF_MODSEC_PERM configuration leads to security misconfiguration? #59

@jjnxpct

Description

Problem

The LF_MODSEC_PERM configuration parameter is extremely confusing and leads to serious security misconfigurations. The current behavior is:

  • LF_MODSEC_PERM = "1" → Permanent block (special value)
  • LF_MODSEC_PERM = "3" → 3 seconds temporary block (not 3 attempts!)
  • LF_MODSEC_PERM = "3600" → 1 hour temporary block (3600 seconds)

Security Impact

Many administrators (including myself) misinterpret "3" as:

  • "Block after 3 attempts", or
  • "Block for 3 minutes"

Reality: Attackers are only blocked for 3 seconds and can immediately retry attacks.

Real-world example

My server configuration had:

LF_MODSEC = "10"           # 10 violations within 1 hour
LF_MODSEC_PERM = "3"       # I thought: "permanent after 3 times"

What actually happened:

Nov 13 11:17:28 - *Blocked in csf* for 3 secs [LF_MODSEC]
Nov 13 11:17:33 - temporary block removed
Nov 13 11:17:38 - *Blocked in csf* for 3 secs [LF_MODSEC]
Nov 13 11:17:43 - temporary block removed

An attacker from Indonesia performed 10+ RCE attacks within minutes, getting blocked for only 3 seconds each time, then continuing their attack.

Root cause

  1. No units specified - nowhere does it say "seconds"
  2. Counterintuitive special value - "1" means permanent (why not "0"?)
  3. Misleading variable name - _PERM suggests "permanent" but can be temporary
  4. Poor inline documentation - the comment doesn't clearly explain the "1" special case

Suggested improvements

Option 1: Better documentation in csf.conf

# LF_MODSEC_PERM: Block duration for ModSecurity violations
# Special value:
#   "1"     = PERMANENT block (added to csf.deny)
# Any other value = TEMPORARY block duration in SECONDS:
#   "60"    = 1 minute temporary block
#   "3600"  = 1 hour temporary block
#   "86400" = 24 hours temporary block
# 
# WARNING: "3" means only 3 SECONDS, NOT 3 attempts or 3 minutes!
# RECOMMENDED: Use "1" for permanent blocks on security violations
LF_MODSEC_PERM = "1"

Option 2: More logical values

# "0" or "permanent" = permanent
# Any positive number = seconds
LF_MODSEC_PERM = "0"  # permanent (instead of "1")

Option 3: Add validation/warning
Show a warning during csf -r if LF_MODSEC_PERM is set to a very low value like "3":

WARNING: LF_MODSEC_PERM is set to 3 seconds. 
This is extremely short and may not effectively block attackers.
Recommended: "1" (permanent) or "3600" (1 hour)

Environment

  • CSF Version: v15.02 (DirectAdmin)
  • Distribution: CentOS with DirectAdmin
  • Attack type that exposed this: ModSecurity RCE detection triggers
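The validation proposed in Option 3 can be prototyped outside csf itself. The script below is an added example written for this page, not code from the csf project: it parses the `LF_*_PERM` keys out of a csf.conf (the sample file contents are constructed here), applies the semantics described in this issue ("1" = permanent, any other value = temporary block in seconds), and emits a warning for values under a threshold. The assumption that every `LF_*_PERM` key shares the same "1 or seconds" convention, the 300-second threshold, and the function names are all choices made for this example.

```python
"""Audit LF_*_PERM settings in a csf.conf and flag ineffective block durations.

Semantics applied (as described in the issue for LF_MODSEC_PERM):
  "1"                 -> permanent block (IP added to csf.deny)
  any other integer   -> TEMPORARY block, measured in SECONDS
Assumption: the other LF_*_PERM keys follow the same convention.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of the relevant csf.conf lines; not a real server's file.
SAMPLE_CSF_CONF = '''
# Enable detection of ModSecurity violations
LF_MODSEC = "10"
# Block duration for ModSecurity violations
LF_MODSEC_PERM = "3"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD_PERM = "3600"
'''

# Temporary blocks shorter than this are reported as ineffective.
# The threshold is an assumption of this example, not a csf setting.
MIN_SENSIBLE_SECONDS = 300

# Matches lines such as: LF_MODSEC_PERM = "3"   (csf.conf values are quoted)
PERM_KEY_RE = re.compile(r'^\s*(LF_\w+_PERM)\s*=\s*"([^"]*)"')


@dataclass
class PermSetting:
    key: str
    raw: str
    permanent: bool
    seconds: Optional[int]
    warning: Optional[str]


def describe_perm(key: str, raw: str) -> PermSetting:
    """Interpret one LF_*_PERM value and attach a warning where appropriate."""
    raw = raw.strip()
    if raw == "1":
        # Special value: permanent block, not "1 second".
        return PermSetting(key, raw, True, None, None)
    if not raw.isdigit() or int(raw) <= 0:
        return PermSetting(
            key, raw, False, None,
            f'{key}: value "{raw}" is neither "1" (permanent) nor a positive number of seconds',
        )
    secs = int(raw)
    warning = None
    if secs < MIN_SENSIBLE_SECONDS:
        warning = (
            f"{key} is set to {secs} SECONDS (not attempts, not minutes); "
            f"an attacker can retry after {secs}s. "
            'Recommended: "1" (permanent) or "3600" (1 hour)'
        )
    return PermSetting(key, raw, False, secs, warning)


def parse_csf_conf(text: str) -> Dict[str, str]:
    """Return {key: raw_value} for every LF_*_PERM line in a csf.conf body."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = PERM_KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_perm_settings(text: str) -> Dict[str, PermSetting]:
    """Parse and interpret all LF_*_PERM keys found in the given csf.conf text."""
    return {k: describe_perm(k, v) for k, v in parse_csf_conf(text).items()}


if __name__ == "__main__":
    for s in audit_perm_settings(SAMPLE_CSF_CONF).values():
        effect = "PERMANENT" if s.permanent else f"temporary, {s.seconds} seconds"
        print(f'{s.key} = "{s.raw}" -> {effect}')
        if s.warning:
            print(f"  WARNING: {s.warning}")
```

Run against a real file with `audit_perm_settings(open("/etc/csf/csf.conf").read())`; on the configuration quoted in this issue it reports LF_MODSEC_PERM as a 3-second temporary block and prints the warning, while "1" and "3600" pass.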
