Mod Sec ran against the server IP - is that normal?

WorkinOnIt

Hi

I am running mod security on my server. I was working on a client website when I noticed a heavy load and discovered in the error logs that Mod Sec had started blocking "itself"; in other words, the mod sec rule was being triggered even though the IP was the server IP. Here is an example (there were hundreds) of the mod sec rule log:

[Thu Oct 14 18:12:36.426473 2021] [:error] [pid 20665] [client 123.456.789.10:0] ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 10 at IP:maxlimit. [file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] [id "350202"] [msg "wp-xmlrpc: denying 123.456.789.10 (12 connection attempts)"] [hostname "clientdomain.com"] [uri "/xmlrpc.php"] [unique_id "YWe8RLWJXIPwUniXydfdgfdfdgghhjgjhjghjUvOCwAAAAY"], referer: https://clientdomain.com/xmlrpc.php

Do I need to add my own server IP to the mod sec whitelist? I would have thought mod sec would automatically whitelist the server IP? Granted, the above is a custom modsec rule, but just wanting to ask here for clarification.
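
Added example, not part of the original posts: one way to measure how many ModSecurity denials in an Apache error log came from the server's own address, grouped by rule id, vhost and URI, before deciding on a whitelist entry. The sample entries are constructed in the layout of the log line quoted above; the function name `self_blocks` and the documentation-range IPs are assumptions.

```python
import re
from collections import Counter

# Client IP (port stripped) on a ModSecurity "Access denied" entry.
CLIENT_RE = re.compile(
    r'\[client (?P<ip>[^\]]+?)(?::\d+)?\] ModSecurity: Access denied')
# The bracketed key "value" fields ModSecurity appends to the entry.
FIELD_RE = re.compile(r'\[(id|hostname|uri) "((?:[^"\\]|\\.)*)"\]')


def self_blocks(log_text, server_ips):
    """Count denials whose client is one of server_ips,
    keyed by (rule id, hostname, uri)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or m.group("ip") not in server_ips:
            continue  # not a denial, or the client is a remote address
        fields = dict(FIELD_RE.findall(line))
        hits[(fields.get("id"), fields.get("hostname"), fields.get("uri"))] += 1
    return hits


def _line(ip, rule_id, uri):
    # Constructed sample entry in the layout of the quoted log line.
    return ('[Thu Oct 14 18:12:36.426473 2021] [:error] [pid 20665] '
            f'[client {ip}:0] ModSecurity: Access denied with code 406 (phase 2). '
            'Operator GT matched 10 at IP:maxlimit. '
            '[file "/etc/apache2/conf.d/modsec/modsec2.user.conf"] [line "44"] '
            f'[id "{rule_id}"] [msg "wp-xmlrpc: denying {ip} (12 connection attempts)"] '
            f'[hostname "clientdomain.com"] [uri "{uri}"] [unique_id "CONSTRUCTED"]')


# Constructed data: 203.0.113.10 stands in for the server IP,
# 198.51.100.7 for an unrelated remote client.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "350202", "/xmlrpc.php"),
    _line("198.51.100.7", "350202", "/xmlrpc.php"),
    "[Thu Oct 14 18:12:37.000000 2021] [core:notice] [pid 1] constructed non-ModSecurity line",
    _line("203.0.113.10", "350202", "/xmlrpc.php"),
])

if __name__ == "__main__":
    for (rule_id, host, uri), n in self_blocks(SAMPLE_LOG, {"203.0.113.10"}).most_common():
        print(f"rule {rule_id} on {host}{uri}: {n} denials from the server's own IP")
```

Run against the real error log with the server's actual addresses in `server_ips`; the grouping shows which vhost and URI the self-originated requests are hitting.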
 

cPRex

Hey there! I'm wondering if the custom rule is causing issues, but in general, I believe it is safe to whitelist the server's IP address - there's some interesting discussion on this here: