
Mod_Sec Detect Server IP

Discussion in 'Security' started by mgilank, Sep 24, 2015.

  1. mgilank

    mgilank Member

    Hi, I don't know if this is a strange situation or not.
    Before, my server spec:
    - nginx
    - varnish cache (unixy plugin)
    - fastcgi

    I run this rule from this thread https://forums.cpanel.net/threads/wp-login-php-and-mod-security.430242/#post-1739931
    for blocking wp-login attacks.

    But when I access wp-admin myself, I get the error "authorization Required This server could not verify that you are authorized to access the document requested."
    When I check the Apache error log it says:
    Code:
    [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block.
    [file "/usr/local/apache/conf/modsec2.user.conf"] [line "16"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."]
    xx.xx.xx.xx = this is my server / shared IP

    Then I used the Varnish rate limit feature: blog.unixy.net/2013/10/stopping-wordpress-wp-login-php-bot-attacks-with-varnish-page-throttling/

    It's throwing the same result, just a different error message!

    Is that normal if xx.xx.xx.xx is my shared IP? I guess not! But how to change that?

    Thanks!
     
    #1 mgilank, Sep 24, 2015
    Last edited by a moderator: Sep 24, 2015
  2. Jcats

    Jcats Well-Known Member

    Hello,

    This is most likely because nginx is being used as a reverse proxy, so it's sitting in front of Apache on port 80; when the request comes in, it's making it look like it's coming from your server IP since it's being forwarded from Nginx. Your Apache access logs are most likely flooded with requests from your server IP (Nginx), so essentially anyone brute forcing or failing to log in is basically all doing it from your server IP, resulting in ALL requests being blocked.

    You need to implement this into Nginx:

    https://rtcamp.com/tutorials/nginx/forwarding-visitors-real-ip/

    This should resolve your issue.
     
    mgilank and quizknows like this.
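
The failure described in the reply above, and the effect of restoring the visitor address from X-Forwarded-For, as an added Python model that is not part of the original thread and is not the ModSecurity rule itself. The trusted proxy address 127.0.0.1, the sample visitor addresses and all function names are assumptions; the thresholds come from the log message in the first post.

```python
import ipaddress
from collections import defaultdict, deque

TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # assumption: nginx on the same host
MAX_ATTEMPTS, WINDOW, BLOCK = 10, 180, 300  # log message: >10 in 3 min, block 5 min

def client_ip(peer, xff):
    """Address to throttle on. X-Forwarded-For counts only if the TCP peer is a trusted proxy."""
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):  # rightmost hop was added by our proxy
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer

class LoginThrottle:
    """Simplified per-IP counter (a model of the behaviour, not the ModSecurity rule)."""
    def __init__(self):
        self.attempts = defaultdict(deque)
        self.blocked_until = {}

    def allow(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return False
        q = self.attempts[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            self.blocked_until[ip] = now + BLOCK
            return False
        return True

def owner_allowed(restore_client_ip):
    """Constructed traffic: one bot sends 11 login attempts, then the site owner logs in once."""
    throttle, peer = LoginThrottle(), "127.0.0.1"  # Apache always sees nginx as the peer
    traffic = [("203.0.113.50", t) for t in range(11)] + [("198.51.100.7", 20)]
    verdicts = [throttle.allow(client_ip(peer, xff) if restore_client_ip else peer, t)
                for xff, t in traffic]
    return verdicts[-1]

if __name__ == "__main__":
    print("owner allowed, keyed on peer IP:    ", owner_allowed(False))
    print("owner allowed, keyed on restored IP:", owner_allowed(True))
```

The header is honoured only when the connection comes from the proxy itself; a request arriving directly from another address keeps its peer address, so a forged X-Forwarded-For cannot move the counter onto someone else.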
  3. mgilank

    mgilank Member

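    Hi, I got it to work when I installed mod_rpaf; now mod_sec works well.
    But I got another issue.
    I use LiveZilla as web chat and its desktop client tells the server IP when a visitor comes. So I made a simple PHP script
    Code:
    <?php
    // Diagnostic: print the addresses PHP sees for this request.
    // X-Forwarded-For is client-supplied and may be absent, so check and escape it.
    echo htmlspecialchars($_SERVER["REMOTE_ADDR"]); echo "<br>";
    echo htmlspecialchars($_SERVER["SERVER_ADDR"]); echo "<br>";
    echo isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? htmlspecialchars($_SERVER["HTTP_X_FORWARDED_FOR"]) : "";
    ?>
    All 3 lines of code above show my server IP. What is wrong?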

    Thanks!
     
  4. Jcats

    Jcats Well-Known Member

  5. mgilank

    mgilank Member

    I have done that before.
    Now the issue is: I have a client that has a dedicated IP, let's say 12.12.12.12, and shared IP 11.11.11.11.
    When I access that script on my client's IP it shows all of them as 12.12.12.12,
    but when I put that script on a client who's on the shared IP, $_SERVER["REMOTE_ADDR"] shows the visitor IP.

    How do I solve this?

    Thanks!
     
  6. Jcats

    Jcats Well-Known Member

    Sorry, you will have to better explain what you mean when you say
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Please also keep in mind that Nginx is not natively supported by cPanel, so workarounds to these types of issues typically come from users with similar environments instead of staff.

    Thank you.
     
    Hoang Quy likes this.