1. A

    Google bot triggering OWASP modsecurity rule 949110

    Last few days we have been noticing that Google crawler IP's (i.e. have stared being blocked by the OWASP modsecurity rules. This is not an isolated case, we have many servers and the same issues has been seen across all of them. Previously we had no issues like this related to...
  2. leonep

    modsecurity 3 update

    Hello, looking page Modsecurity 3 cpanel Docs I noticed that modsecurity3 is still on experimental. since the page on this page is on July 13, 2022 I was wondering if maybe it's been released or if you know when it will be done. thank you !!
  3. bejbi

    ModSecurity OWASP blocking GTMetrix

    If you are using OWASP rules v. 3.3.4 you can experience problem with GTmetrix service. All requests will serve 403 error. It is interesting becouse probably GTmetrix sends forbidden header. GTmetrix is blocked by 3 rules: 920450 - request protocol enforcement 949110 - request blocking...
  4. ljj3

    In Progress CPANEL-41695 - Modsecurity Geo Database

    Is GeoLite2-Country-Locations-en.csv the file that ModSecurity needs to have Geolocation Database pointed to? I'm confused... My GeoIP.dat is very old, but the MAXMIND list of databases are al GeoIP2 which are not compatible with ModSecurity...
  5. C

    Modsecurity 2.9.6 [Fix Security]

    Mod Security 2.9.6 security update released. Is it possible to update Mod security from 2.9.3 to 2.9.6? it is necessary in order to update CRS to 3.3.4
  6. I

    ModSecurity Tools showing server ip as source ip

    I am running Apache behind Nginx. Over the ModSecurity tools page under the "source" column it's only the main IP address of the server. What do I need to do to get the actual attacker IP?
  7. webmastergreg

    OWASP 3.3.2 and "ping" with rules 932150 and 1234123447

    Hello FYI I was confronted with the blocking of an interface following modsecurity blocking by rule N°1234123447 Precisely the request: "?_wblapi=/forsef/v1/ping" Triggers rule N°1234123447 because of the term "ping" In bold just below. ModSecurity: Access denied with code 501, [Rule: 'ARGS'...
  8. M

    [SOLVED] Update OWASP CRS?

    Is it possible to get the most updated OWASP Core Rule Set on CentOS? We would like to implement ModSecurity rules that are available on the latest versions. We’re on version 3.0 and the current stable version is 3.3. Are there compatibility issues with cPanel for the latest version?
  9. PeteS

    Error in ModSecurity transfer

    On transferring Service Configurations, ModSecurity completed with one failure: Failed: (XID 2chkk6) The WHM API v1 call “modsec_make_config_inactive” failed: The following configuration is not active: modsec_vendor_configs/OWASP3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf Upon retrying it...
  10. leonep

    ModSecurity Traditional Mode or Anomaly Score

    Hi guys, based on your experience in a shared hosting environment it is preferable to set modsecurity to traditional mode or anomaly score? I am running on traditional but i have frequent false-positive. the good in traditional mode is less load on server. what do you think? thanks
  11. G

    Using ModSecurity

    I've installed mod_security2 and read the cPanel docs: but I have a few other questions. 1. Should I install OWASP? What does it do? 2. I see under "Configuration" that I can provide a link to a MaxMind database...
  12. A

    ModSecurity SQL Injection

    Hi, the last few days i've been battling with one specific website (out of many on the same server) which wont render correctly. When inspecting, the site loads as plain HTML and the console shows a load of 403 or 404 errors for every image, CSS file or JS script. I have finally got it narrowed...
  13. leonep

    Modsecurity hit internal

    HI, I am wondering what are this hit from from modsecurity. I have a lot of triggering event about 920340: Request Containing Content, but Missing Content-Type header 933150: PHP Injection Attack: High-Risk PHP Function Name Found 930130: Restricted File Access Attempt 920170: GET or...
  14. X

    SOLVED ModSecurity

    Is there a way to make ModSecurity send alert emails for every rule triger?
  15. rinkleton

    httpd crashing almost daily - log messages for modsecurity

    For about a week or so, httpd has been crashing about once a day. In the "Log Messages" section of the cpanel service failure notification email, it lists a bunch of modsecurity hits in red. Nothing stands out about them, just the run of the mill malicious bots. Maybe only the quantity...
  16. J

    SOLVED mod_security logs HUGE and Failed to access DBM file entries

    Hello. I hope everyone is safe and healthy and taking care of themselves and their loved ones. In my /var/log/apache/error_log file as of today the beginning entry is May 18, 2021. When I search for information about trimming this file (if it's okay to do so) I see reports that there should...
  17. DennisMidjord

    Blocking web crawlers. ModSecurity or in vhost?

    Lately, a lot of our customers' websites has been crawled by a lot of bots. Yesterday, a single website was crawled by 4 different bots at the same time. All of the bots were bad bots. We want to block these bots but I'm wondering which method is the best performance wise or if it really doesn't...
  18. benito

    No ModSecurity™ Domain Manager in cPanel

    Hello! A customer needed to disable ModSecurity. We found that in one server, none of our customers have ModSecurity™ Domain Manager icon in their cPanel. Looks installed and enabled in Feature Manager. I tried to reinstall and the problem persist. Any tip? Regards,
  19. R

    Debugging Modsec & Litespeed Server

    Hello Everyone, I have a strange one here, I have setup a new WordPress site/Directory and all of a sudden I am getting 404 errors on css and image file loading on this particular website. So, I can only think either ModSec is blocking this file types (they are not being triggered in the main...
  20. J

    modsec_audit always empty

    Hello. In my attempt to track down a malicious IP address attacking the server I've been looking at logs. Not only cannot I not find the malicious IP address in any logs which I know was attacking because a different service has logged it in it's application and it shows in that database -...