Hi
I am running mod security on my server. I was working on a client website when I noticed a heavy load and discovered in the error logs that Mod Sec had started blocking "itself"; in other words, the mod sec rule was being triggered even though the IP was the server IP. Here is an example (there were hundreds) of the mod sec rule log:
[Thu Oct 14 18:12:36.426473 2021] [:error] [pid 20665] [client 123.456.789.10:0] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 10 at IP:maxlimit. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] [id "350202"] [msg "wp-xmlrpc: denying 123.456.789.10 (12 connection attempts)"] [hostname "clientdomain.com"] [uri "/xmlrpc.php"] [unique_id "YWe8RLWJXIPwUniXydfdgfdfdgghhjgjhjghjUvOCwAAAAY"], referer: https://clientdomain.com/xmlrpc.php
Do I need to add my own server IP to the mod sec whitelist? I would have thought mod sec would automatically whitelist the server IP? Granted, the above is a custom modsec rule, but I just wanted to ask here for clarification.
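To triage log entries like the one quoted above, the following added example (not part of the original post) counts ModSecurity denials per client, rule ID and URI, and marks clients that are the server's own address. The function names, the sample lines and the set of server addresses are assumptions made for illustration.

```python
import re
from collections import Counter

CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "350202"], [uri "/x"], ...

# Constructed sample lines in the format of the entry quoted in the post.
# 123.456.789.10 is the post's anonymised address; 198.51.100.7 is a placeholder.
SAMPLE_LOG = """\
[Thu Oct 14 18:12:36.426473 2021] [:error] [pid 20665] [client 123.456.789.10:0] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 10 at IP:maxlimit. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] [id "350202"] [msg "wp-xmlrpc: denying 123.456.789.10 (12 connection attempts)"] [hostname "clientdomain.com"] [uri "/xmlrpc.php"] [unique_id "constructed-1"], referer: https://clientdomain.com/xmlrpc.php
[Thu Oct 14 18:12:37.101010 2021] [:error] [pid 20665] [client 123.456.789.10:0] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 10 at IP:maxlimit. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] [id "350202"] [msg "wp-xmlrpc: denying 123.456.789.10 (13 connection attempts)"] [hostname "clientdomain.com"] [uri "/xmlrpc.php"] [unique_id "constructed-2"], referer: https://clientdomain.com/xmlrpc.php
[Thu Oct 14 18:12:40.000000 2021] [php7:notice] [pid 20670] [client 198.51.100.7:51544] constructed non-ModSecurity line
[Thu Oct 14 18:12:41.222222 2021] [:error] [pid 20671] [client 198.51.100.7:51544] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 10 at IP:maxlimit. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] [id "350202"] [msg "wp-xmlrpc: denying 198.51.100.7 (11 connection attempts)"] [hostname "clientdomain.com"] [uri "/xmlrpc.php"] [unique_id "constructed-3"]
"""

def parse_denials(log_text):
    """Yield one dict per 'ModSecurity: Access denied' line; skip everything else."""
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        if "ModSecurity: Access denied" not in line or not client:
            continue
        # Apache logs the client as address:port; keep only the address.
        addr, sep, _port = client.group(1).rpartition(":")
        fields = dict(FIELD_RE.findall(line))
        yield {
            "client": addr if sep else client.group(1),
            "rule_id": fields.get("id", "?"),
            "uri": fields.get("uri", "?"),
        }

def summarize(log_text, server_ips):
    """Count denials per (client, rule, uri); flag clients that are the server itself."""
    counts = Counter((d["client"], d["rule_id"], d["uri"]) for d in parse_denials(log_text))
    return [
        {"client": c, "rule_id": r, "uri": u, "denials": n, "self": c in server_ips}
        for (c, r, u), n in counts.most_common()
    ]

if __name__ == "__main__":
    # Assumption: the operator supplies the server's own addresses.
    for row in summarize(SAMPLE_LOG, {"123.456.789.10", "127.0.0.1", "::1"}):
        origin = "server's own IP" if row["self"] else "external"
        print(f'{row["denials"]:>4}  rule {row["rule_id"]}  {row["uri"]}  {row["client"]}  ({origin})')
```

Rows marked as the server's own IP point at requests originating on the host itself (for example, a site calling its own `/xmlrpc.php`), which is the pattern described in the post.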