Do any of you have any experience yet with the newly released OWASP ModSecurity Core Rule Set v3.3 that was released last month?
(OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks)
Worth trying out?
Does anyone know where the notation is made within the modsec configuration when a user disables modsecurity for all or any domain within their cPanel?
I've looked in the expected locations (/etc/apache2/conf.d/userdata etc.) without success.
We just need to be able to produce a...
When I run "/usr/local/cpanel/scripts/modsec_vendor update OWASP3" I get the following errors:
The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml
warn [modsec_vendor] The system failed to update the vendor from the URL...
I've searched this for thousands of topics and haven't found it, oddly enough.
I would like to know from any of you how can I clear ModSecurity logs?
I already deleted modsec_audit.log, but the logs continue. In my case I have more than 20,000 pages of logs.
All of our servers are reporting identical update failures:
The cPanel & WHM update process failed for the following reason:
Maintenance ended; however, it did not exit cleanly (256). The following events were logged: “scripts/modsec_vendor”. Review the update logs to determine why the update...
Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php?
SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
CLOUDLINUX 7.6  v78.0.23
I am getting this alert
Time: Mon May 20 04:00:08 2019 +0500
ModSecurity persistent IP database (/var/cpanel/secdatadir/ip.pag) size is 51.73GB
This requires further investigation otherwise it will start to affect server performance.
but when I am checking...
Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"
the word "Datanyze" is contained in the User...
I'm getting this error in ModSecurity:
collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied
I don't have mod_ruid2 enabled. All info says this is the issue, but I don't have this mod loaded/enabled. Causing not to be able to access admin ajax...
I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones?
Any help appreciated.
I guess I don't understand how modsec works. How did it log this error, but seemingly do nothing about it?
Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id...
I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code.
It seemed that whenever the server received a POST request that contained a lot of triangle brackets, it matched some code rules/regex and took me to a 403 Forbidden error.
I've been playing with modsecurity for the past few days.
My experiment mostly is posting illegal requests to a website and checking audit log for rule HIT.
I am confused on how ModSecurity should work.
I do simple GET...
Updating cPanel/WHM via WebUI -- when using 3rd party ModSecurity ruleset provider malware.expert
WebUI process sticks at 94% and never progresses past this point. If I leave the UI page and come back, it reports it is still in progress and shows me the log file with the same contents -- up to...
I read ModSecurity has released v2.9.3
This should fix some major issues with mod_ruid2 and permissions on folders modsecurity needed.
Any idea when this update will be released for Easy Apache 4 / cPanel users?
Or is there a manual update method suggested?
I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :)
I have found some good community works which help for monitoring ModSec attacks in a live and manageable fashion.
I much prefer to use RPM to manage rules (as opposed to YAML) because versioning is...
Hi. I have multiple domains on my server protected with ModSecurity tools.
I use a rule (Default HTTP policy: restricted_extensions rule 900240) in ModSecurity that I wish to remove for a single domain BUT replace it with another rule that is very similar and allows access to a certain file...
When I am trying to update mod_security2 via EasyApache 4 in WHM, I am receiving the following errors:
Error: Package: ea-apache24-mod_security2-2.9.2-9.9.13.cpanel.x86_64 (EA4)
Available: ea-apr-util-1.6.1-1.1.1.cpanel.x86_64 (EA4)...
This morning I had a problem with an attack against some websites hosted on my server. This made Apache very slow and caused high load.
A lot of IP addresses (about 900 addresses) were trying to access wp-login.php of some websites (about 20 websites) at the same time.
Do you have any way to block...