CSF Blocking - PHP Warning

carlos_tlewis (Member, Apr 10, 2020, UK, cPanel Access Level: Root Administrator):

Hello,

I have a few clients getting blocked on a website. They get blocked by CSF. I had a look at the error log and this is pretty much repeated:

Code:
[Fri May 08 15:50:12.128269 2020] [:error] PHP Warning:  session_start(): Cannot start session when headers already sent in /home/****/public_html/index.php on line 3
[Fri May 08 15:50:12.163156 2020] [:error] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|****|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "****"] [uri "/index.php"] [unique_id "****"]
[Fri May 08 15:50:12.611659 2020] [:error] PHP Warning:  session_start(): Cannot start session when headers already sent in /home/****/public_html/index.php on line 3, referer: https://****/
[Fri May 08 15:50:12.630987 2020] [:error] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|****|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "****"] [uri "/index.php"] [unique_id "****"], referer: https://****/
I've had a look but can't really see anywhere that explains what it is. It seems to be linked to a WordPress plugin (or so similar posts would suggest). Does that mean the client that has the website has problems with their website?

Is there something I can do?

Cheers for the help!
 

GOT (Get Proactive!, PartnerNOC, Apr 8, 2003, Chesapeake, VA, cPanel Access Level: DataCenter Provider):

You need to look in the ModSecurity Tools area and search on their IP to see what rule they are triggering, and most likely you'll just want to disable that rule.

carlos_tlewis:

Hi GOT,

Thanks for the reply! Sorry, I'm not sure where I can find which rule is triggering it; I've had a look around but can only find:

Code:
May  8 23:50:06 server lfd[30446]: (mod_security) mod_security (id:214420) triggered by ***IP*** (****): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
Sorry to be a pain! If you could point me in the right direction I would really appreciate it.
 

GOT:

Sorry I was not more specific. In WHM click on ModSecurity Tools and in the search bar, search on the IP that is getting blocked. That will show you what rule is being triggered, and from there you can click on the rule and disable it.

fuzzylogic (Well-Known Member, Nov 8, 2014, cPanel Access Level: Root Administrator):

@carlos_tlewis
Your initial post showed the rule ID that was causing the 403 response.
It is [id "214940"] but you should NOT disable this rule.
To do so would allow all outgoing rule violations.

Rule 214940 is triggered by the value of the variable TX:OUTGOING_POINTS being greater than tx.outgoing_points_limit.
The TX:OUTGOING_POINTS variable will have been loaded by earlier rule hits for rule violations in the HTTP RESPONSE.

Due to the PHP Warning that was also in your initial post, I suspect that the string <b>Warning:</b> was in the RESPONSE_BODY.
This would have triggered outgoing rules 214420 and 217800, loading TX:OUTGOING_POINTS with 6 points, enough to trigger rule 214940.

To verify this search:
/usr/local/apache/logs/modsec_audit.log
for the [unique_id "****"] value that was anonymized in your first post.
If you want more detailed assistance post what is in the modsec_audit.log for this request.

If rules 214420 and 217800 were the ones hit, then I would try disabling rule 214420.
It only looks for the string <b>Warning:</b>, whereas rule 217800 looks for 215 strings, the first one being <b>Warning:</b>.
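The chain fuzzylogic describes (a PHP warning leaked into the response body accumulates outbound points until rule 214940 fires, and lfd then counts the hits and CSF blocks the IP) can be checked from the error_log before any rule is touched. The script below is an added example, not code from the thread or from cPanel's ModSecurity Tools: it parses error_log lines of the shape quoted in the first post and, for each rule 214940 hit, reports the PHP warning logged just before it. The sample lines, paths, hostnames and unique_id values are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the thread's error_log lines; paths, hosts and ids are placeholders.
SAMPLE_ERROR_LOG = """\
[Fri May 08 15:50:12.128269 2020] [:error] PHP Warning:  session_start(): Cannot start session when headers already sent in /home/acct/public_html/index.php on line 3
[Fri May 08 15:50:12.163156 2020] [:error] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 4|example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "example.com"] [uri "/index.php"] [unique_id "UNIQUEID-PLACEHOLDER-1"], referer: https://example.com/
[Fri May 08 15:51:40.000001 2020] [:error] ModSecurity: Warning. Operator GE matched 4 at TX:outgoing_points. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/20_Outgoing_FiltersEnd.conf"] [line "38"] [id "214940"] [rev "2"] [msg "COMODO WAF: Outbound Points Exceeded| Total Points: 6|example.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "example.com"] [uri "/wp-admin/admin-ajax.php"] [unique_id "UNIQUEID-PLACEHOLDER-2"]
"""

TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")
PHP_RE = re.compile(r"PHP Warning:\s+(?P<msg>.*?) in (?P<file>\S+) on line (?P<line>\d+)")
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # the [key "value"] pairs of a ModSecurity message
POINTS_RE = re.compile(r"Total Points: (\d+)")   # score reported by the Comodo threshold rule

def parse_line(line):
    """Classify one error_log line as a PHP warning, a ModSecurity hit, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
    php = PHP_RE.search(line)
    if php:
        return {"kind": "php", "ts": ts, **php.groupdict()}
    if "ModSecurity:" in line:
        f = dict(KV_RE.findall(line))            # repeated keys such as tag overwrite; not needed here
        pts = POINTS_RE.search(f.get("msg", ""))
        return {"kind": "modsec", "ts": ts, "id": f.get("id"), "uri": f.get("uri"),
                "unique_id": f.get("unique_id"), "points": int(pts.group(1)) if pts else None}
    return None

def correlate(log_text, threshold_rule="214940", window_seconds=2):
    """For each hit of the outbound threshold rule, report the PHP warning logged just before it.
    A match means the WAF scored the site's own error output, so the fix belongs in the
    application (or in not displaying PHP errors), not in disabling the threshold rule."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "modsec" or ev["id"] != threshold_rule:
            continue
        cause = None
        for prev in reversed(events[:i]):
            if prev["kind"] == "php" and (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds:
                cause = f'{prev["msg"]} ({prev["file"]}:{prev["line"]})'
                break
        findings.append({"unique_id": ev["unique_id"], "uri": ev["uri"],
                         "points": ev["points"], "leaked_warning": cause})
    return findings
```

Run `correlate()` over the real error_log text; a hit whose `leaked_warning` is filled points at the script (here index.php line 3) that sends output before session_start(), while the unique_id lets you pull the full transaction from modsec_audit.log as fuzzylogic suggests.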