modsecurity

  1. cPAdminsMichael

    Experience with the new OWASP ModSecurity CRS 3.3?

    Hi guys, Does any of you have any experience yet with the newly released OWASP ModSecurity Core Rule Set v3.3 that was released last month? (OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks) Worth trying out?
  2. L

    Modsecurity - Configure Individual Domains

    G'day All, Does anyone know where the notation is made within the modsec configuration when a user disables modsecurity for all or any domain within their cPanel? I've looked in the expected locations (/etc/apache2/conf.d/userdata etc.) without success. We just need to be able to produce a...
  3. A

    OWASP ModSecurity Core Rule Set V3.0 breaks after every update

    When I run "/usr/local/cpanel/scripts/modsec_vendor update OWASP3" I get the following errors: The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml warn [modsec_vendor] The system failed to update the vendor from the URL...
  4. A

    How to Remove ModSecurity?

    Hi! I've searched this for thousands of topics and haven't found it, oddly enough. I would like to know from any of you how can I clear ModSecurity logs? I already deleted modsec_audit.log, but the logs continue. In my case I have more than 20,000 pages of logs.
  5. J

    In Progress [CPANEL-27532] /scripts/modsec_vendor update failed

    All of our servers are reporting identical update failures: The cPanel & WHM update process failed for the following reason: Maintenance ended; however, it did not exit cleanly (256). The following events were logged: “scripts/modsec_vendor”. Review the update logs to determine why the update...
  6. joaosavioli

    Limiting ModSecurity rule to specific files?

    Hi! Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php? SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '" Thank you! Joao
  7. weblinks

    Comodo WAF ModSecurity ruleset leading to large secdatadir cache files

    CLOUDLINUX 7.6 [] v78.0.23 Hi, I am getting this alert Time: Mon May 20 04:00:08 2019 +0500 ModSecurity persistent IP database (/var/cpanel/secdatadir/ip.pag) size is 51.73GB This requires further investigation otherwise it will start to affect server performance. but when I am checking...
  8. J

    SOLVED mod_security rule not working

    Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working. SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403" the word "Datanyze" is contained in the User...
  9. jonh

    Collections_remove_stale...

    I'm getting this error in ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied I don't have mod_ruid2 enabled. All info says this is the issue, but I don't have this mod loaded/enabled. Causing not to be able to access admin ajax...
  10. cuzzmunger

    ModSecurity - Domain listed not mine

    Hi There, I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones? Any help appreciated. Kim. OWASP3 Hits List...
  11. S

    SOLVED Modsec found critical issue, but did nothing about it?

    I guess I don't understand how modsec works. How did it log this error, but seemingly do nothing about it? Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id...
  12. O

    Disabling several mod_security rules due to 403 response to POST request?

    I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code. It seemed that whenever the server received a POST request that contained a lot of triangle brackets and matched some code rules/regex, it took me to a 403 Forbidden error. This was...
  13. S

    SOLVED modsec version?

    I'm running cPanel v74.0.12. It has modsecurity installed with Apache. How do I find out the version of modsec I have? I looked everywhere and cannot find a single thing about version.
  14. M

    Advice on modsecurity response when rule is hit

    Hi, I've been playing with ModSecurity for the past few days. My experiment is mostly posting illegal requests to a website and checking the audit log for a rule HIT. I am confused about how ModSecurity should work. For example: I do simple GET...
  15. T

    Update hangs due to 3rd Party ModSec Rules

    Updating cPanel/WHM via WebUI -- when using 3rd party ModSecurity ruleset provider malware.expert WebUI process sticks at 94% and never progresses past this point. If I leave the UI page and come back, it reports it is still in progress and shows me the log file with the same contents -- up to...
  16. M

    SOLVED [EA-8081] ModSecurity v2.9.3 update

    I read ModSecurity has released v2.9.3. This should fix some major issues with mod_ruid2 and permissions on folders ModSecurity needed. Any idea when this update will be released for EasyApache 4 / cPanel users? Or is there a manual update method suggested? Thanks
  17. Q

    A Guide to ModSecurity in 2018, for administrators

    I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :) I have found some good community works which help for monitoring ModSec attacks in a live and manageable fashion. I much prefer to use RPM to manage rules (opposed to YAML) because versioning is...
  18. V

    ModSecurity add & remove rule for a domain

    Hi. I have multiple domains on my server protected with ModSecurity tools. I use a rule (Default HTTP policy: restricted_extensions rule 900240) in ModSecurity that I wish to remove for a single domain BUT replace it with another rule that is very similar and allows access to a certain file...
  19. P

    SOLVED Error when installing mod_security via WHM >> EA4

    When I am trying to update mod_security2 via EasyApache 4 in WHM, I am receiving the following errors: Update Error: Error: Package: ea-apache24-mod_security2-2.9.2-9.9.13.cpanel.x86_64 (EA4) Requires: ea-apr-util(x86-64) Available: ea-apr-util-1.6.1-1.1.1.cpanel.x86_64 (EA4)...
  20. joaosavioli

    Brute force wp-login.php modsecurity

    Hi! This morning I had a problem with an attack against some websites hosted on my server. This caused Apache to be very slow, with high load. A lot of IP addresses (about 900 addresses) were trying to access wp-login.php of some websites (about 20 websites), at the same time. Do you have any way to block...