The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Mod Security Question

Discussion in 'Security' started by wafaa, Jul 2, 2014.

  1. wafaa

    wafaa Well-Known Member

    Joined:
    May 14, 2013
    Messages:
    62
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    Hello,

    Can you please help me to understand the source of these errors related to mod_security and how can I solve it :
    Code:
    [Fri Jun 27 11:58:40 2014] [error] [client X.X.X.X] ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/var/cpanel/cwaf/rules/cwaf_02.conf"] [line "326"] [id "212100"] [msg "COMODO WAF: Failed login attempt"] [severity "WARNING"] [tag "no_ar"] [hostname "MonDomaine.net"] [uri "/wp-login.php"] [unique_id "U63a-bAfDzIACD2AQooA0000"]
     
    #1 wafaa, Jul 2, 2014
    Last edited: Jul 2, 2014
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The message is letting you know a pattern matched one of the custom rules you have configured for Mod_Security and thus the request was blocked. You can search for the referenced rule number in /var/cpanel/cwaf/rules/cwaf_02.conf to see what specific rule was triggered.

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    wp-login.php returns a 200 for a failed login, a successful login is 302 redirected into the wp-admin area. This rule is saying someone got a 200 response status at that URI, indicating a failed login, and thus ModSecurity logs an error to tell you someone provided a wrong password for wordpress.

    If you are getting this error when you provide the right password for wordpress there may be an issue with the rule logic. If you can post the rule in its entirety I could tell you more.
     
  4. wafaa

    wafaa Well-Known Member

    Joined:
    May 14, 2013
    Messages:
    62
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    it's not [id "212100"] ?
    if not where can i have it plz
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate a little more on this response? I'm not sure I fully understand it.

    Thank you.
     
  6. wafaa

    wafaa Well-Known Member

    Joined:
    May 14, 2013
    Messages:
    62
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Reseller Owner
    Can u explain me what is the rule id "212100" ?
     
    #6 wafaa, Jul 3, 2014
    Last edited: Jul 3, 2014
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Every ModSecurity rule has a unique numeric ID used to identify the rule.

    In your file /var/cpanel/cwaf/rules/cwaf_02.conf you should be able to find the actual rule by searching for id:212100

    I do not see this rule ID in the latest set of comodo rules that I just downloaded.
     
Loading...

Share This Page