We usually use the Comodo WAF ruleset:
Or we use Imunify360 which is a fantastic product.
Or we use Imunify360 which is a fantastic product.
The last rules update was from November 2020:
Rules Updates: Changelog - Free Modsecurity rules - Comodo Web Application Firewall | Page 15
New rules released Version 0.35 - 2014.01.28 - CVE-2013-7187 - False positives fixed: Joomla WHMCS Silverstripe CMS Wordpr
forums.comodo.com
I can recommend
OWASP ModSecurity Core Rule Set (CRS)
docs.cpanel.net
OWASP ModSecurity Core Rule Set (CRS)
OWASP® ModSecurity CRS | cPanel & WHM Documentation
The OWASP (Open Web Application Security Project) ModSecurity CRS (Core Rule Set) is a set of rules that Apache®'s ModSecurity® module can use to help protect your server.
docs.cpanel.net
We disable the following rules for Wordpress CMS because of numerous false positives
949110 General post update issues in conjunction with WP Bakery
941160 General post update issues in conjunction with WP Bakery
941100 General post update issues in conjunction with WP Bakery
980130 Issue with Duplicator backups causing invalid request when downloading files
We haven't had to disable any other for 500+ CMS clients in 6 or so years
Be sure to check however if you have any of these showing up as false positive on your end.
Last edited:
It could be normal for your system. Do you also have mod_security installed? If so, that could be related:
owasp-modsecurity-core-rule-set.owasp.narkive.com
[Owasp-modsecurity-core-rule-set] rule 920350 - "host header is a numeric ip address" - redirect loop using default 3.0.0 conf
yes,i install modsecurity and enable owasp from whm.It could be normal for your system. Do you also have mod_security installed? If so, that could be related:
[Owasp-modsecurity-core-rule-set] rule 920350 - "host header is a numeric ip address" - redirect loop using default 3.0.0 conf
Hi,
it is "920350: Host header is a numeric IP address" with following
Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/powered_by_cpanel.svg
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/server_misconfigured.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/error-bg-left.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/server_moved.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/IP_changed.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
thanks
it is "920350: Host header is a numeric IP address" with following
Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/powered_by_cpanel.svg
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/server_misconfigured.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/error-bg-left.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/server_moved.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /img-sys/IP_changed.png
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /favicon.ico
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /cgi-sys/defaultwebpage.cgi
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
Request: GET /
Action Description: Access denied with code 200 (phase 2).
Justification: Test 'REQUEST_HEADERS:Host' against '@rx ^[\d.:]+$' is true.
thanks
Hi,
It is the function of the rule 920350 that signals if you connect to the IP
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
"id:920350,\
phase:2,\
block,\
t:none,\
msg:'Host header is a numeric IP address',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
It is the function of the rule 920350 that signals if you connect to the IP
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
"id:920350,\
phase:2,\
block,\
t:none,\
msg:'Host header is a numeric IP address',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
Thanks for the details - it's probably best to just whitelist/remove that rule as you'll get many false positives.
Hi,
do you mean redirect all ip access to hostname ?
because it is shared hosting server.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| J | What is recommended way to detect IP addresses that make junk httpd requests? | Security | 7 | |
| Y | CSF Firewall recommendations | Security | 1 | |
| D | Recommendations on Linux SIEM tools? | Security | 6 | |
|
Recommended Shell Access setting | Security | 5 | |
| V | Recommendation on security notifications from cpanel | Security | 1 |