Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php?
SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
CLOUDLINUX 7.6  v78.0.23
I am getting this alert
Time: Mon May 20 04:00:08 2019 +0500
ModSecurity persistent IP database (/var/cpanel/secdatadir/ip.pag) size is 51.73GB
This requires further investigation otherwise it will start to affect server performance.
but when I am checking...
Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working.
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403"
the word "Datanyze" is contained in the User...
I'm getting this error in ModSecurity:
collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied
I don't have mod_druid2 enabled. All info says this is the issue, but I don't have this mod loaded/enabled. Causing not to be able to access admin ajax...
I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones?
Any help appreciated.
I guess I don't understand how modsec works. How did it log this error, but seemingly do nothing about it?
Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id...
I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code.
It seemed that whenever the server received a POST request that contained a lot of triangle brackets and matched some code rules/regex and took me to a 403 Forbidden error
I've been playing with modsecurity past few days.
My experiment mostly is posting illegal requests to a website and checking audit log for rule HIT.
I am confused on how ModSecurity should work.
I do simple GET...
Updating cPanel/WHM via WebUI -- when using 3rd party ModSecurity ruleset provider malware.expert
WebUI process sticks at 94% and never progresses past this point. If I leave the UI page and come back, it reports it is still in progress and shows me the log file with the same contents -- up to...
I read ModSecurity has released v2.9.3
This should fix some major issues with modruid2 and permissions on folders modsecurity needed.
Any idea when this update will be released for Easy Apache 4 / cPanel users?
Or is there a manual update method suggested ?
I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :)
I have found some good community works which help for monitoring ModSec attacks in a live and manageable fashion.
I much prefer to use RPM to manage rules (opposed to YAML) because versioning is...
Hi. I have multiple domains on my server protected with ModSecurity tools.
I use a rule (Default HTTP policy: restricted_extensions rule 900240) in ModSecurity that I wish to remove for a single domain BUT replace it with another rule that is very similar and allows access to a certain file...
when i am trying to update mod_security2 via easyapache 4 in whm then i am receiving following errors:
Error: Package: ea-apache24-mod_security2-2.9.2-9.9.13.cpanel.x86_64 (EA4)
Available: ea-apr-util-1.6.1-1.1.1.cpanel.x86_64 (EA4)...
Today morning I had a problem about an attack against some websties hosted in my server. This caused apache very slow and high load.
A lot of IP address (about 900 address) trying to access wp-login.php of some websites (about 20 websites), at the same time.
Do you have any way to block...
EA3 WHM v72.0.11 stable CentOS 6
ConfigServer cmc: v3.01 is installed.
Get an build error with EA3 and mod security.
!! The “/usr/local/apache/bin/httpd” command (process 15970) reported error number 1 when it ended.
Configuration problem detected on line 3 of file...
We recently found some scripts that look pretty nasty.. Any body have any idea what this person was trying to do?
I have seen lots of bots accessing my websites on my VPS. For now i just block IPs temporarily using CSF, but i would like to have a better and global solution.
So, i'm thinking in 2 options...
Apache Configuration -> Include Editor -> “Pre Main Include”