cPanel ModSecurity False Positives & Missing Data...

Operating System & Version
CentOS 7 (CloudLinux 7.9)
cPanel & WHM Version
94.0.5

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
Hi,

My server runs the following ModSecurity Rules:
  • Imunify360 LiteSpeed Rule Set (Minimized ModSec Ruleset)
  • COMODO ModSecurity LiteSpeed Rule Set
I had to disable the following rule set because it was causing a LOT off false positives within our WordPress websites, to the extent that we couldn't publish any pages
  • OWASP ModSecurity Core Rule Set V3.0
  • I'd like to be able to re-enable the above ruleset if I could get those false positives fixed with the providers.
I've also had to disable all of the following rules globally:
  • 17350
  • 210380
  • 210492
  • 25178
  • 28292
  • 60050
  • 62100
Most of those were because whenever we published pages with Elementor it was throwing 403 errors...

One particular site required the following rules to be disabled because it too was throwing 403 errors when editing pages, this time though it wasn't using Elementor.
  • 941100
  • 941160
How should I report these false positives, and to who? We'd like to get them resolved so we can have the protection of those rules.

--------------------------------------------------

All of those above false positives threw up notifications from within /usr/local/apache/logs/modsec_audit.log, however most of them did NOT throw up notifications from within the ModSecurity™ Tools "Hits List" page... which made them rather annoying to find and fix.

They do however appear in ConfigServer's Security & Firewall plugin, which was better but not perfect.

How can I make ModSecurity Tools "Hits List" show all of the notifications?

Regards
~ Ryan
 

cPDavidL

Linux Analyst II
Oct 15, 2012
79
18
133
cPanel Access Level
Root Administrator
Hello Ryan,

Ruleset publishers will have contact instructions for issues with false positives.


For Imunify360 rules, contact Imunify360 support

There should not be a situation in which the hits are not listed in the UI. Please use the link in my signature to open a ticket with our staff, so we can investigate that condition further.
 

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
Hi,

Did you check your link regarding Comodo? It's for their standalone WAF, not the integrated rulesets within WHM/cPanel. I can't find a report location online without posting to their forums and I would rather not post the contents publically
Thanks
 

RyanR

Active Member
Jul 22, 2020
33
4
8
London
cPanel Access Level
Root Administrator
Just like when you take a car to the mechanic...............

If you could post the ticket number here I can follow along and make sure this thread stays updated.
1. Ticket ID: 94321305

2. Did You/David have a link/resource for submitting to Comodo? I still haven't found one.

3. As for the ModSecurity log issue, it was happening to nearly every single 403 false positive and I was having to search the logs with grep until I found ModSecurity ModSecurity had it's own log reader... I wonder if one of the updates since has fixed it for me.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,440
1,004
313
cPanel Access Level
Root Administrator
Thanks for providing that ticket number - I'm following along there in case that has any more updates in the future.

I'm not seeing a specific point of contact for a ModSec issue on their end when I looked just now. However, they do have a thread here that they are actively monitoring that has been open for several years:


An update fixing this is always a possibility I suppose!