
mod_security issue blocking good IPs

Discussion in 'Security' started by Cloud9, Oct 6, 2012.

  1. Cloud9

    Hi

    On my server I have mod_security with the default config file installed and the csf firewall.

    I am getting around 6-10 good UK IPs being blocked by csf through mod_security.

    Can anyone tell me why they are being blocked and what I can do to edit the config to fix this?

    Here is the csf block

    IP ADDY HERE # lfd: (mod_security) mod_security triggered by IP ADDY HERE (GB/United Kingdom/-): 5 in the last 300 secs - Fri Oct 5 07:31:44 2012

    And here is the apache log

    [Fri Oct 05 07:30:58 2012] [error] [client IP ADDY HERE] ModSecurity: Access denied with code 406 (phase 2). Found 1 byte(s) in ARGS:pages[template] outside range: 1-255. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "34"] [id "960901"] [msg "Invalid character in request"] [severity "WARNING"] [hostname "MY WEB URL"] [uri "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"] [unique_id "UG5@ok31RAUAABwqDvUAAAAJ"]

    Any thoughts and advice appreciated
     
  2. PlotHost

    If the IPs are blocked by the same rule - like [id "960901"] - you can disable the rule.
    You should also install configserver.com/cp/cmc.html
     
  3. kpmedia

    Are you 100% sure those are "good IPs" and not simply UK IPs that you hope/think are good?

    Because the response is quite clear: the post contained invalid characters (according to the rule). Don't assume all UK traffic is good simply because it's from the UK. That would be a mistake on your part.
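
A way to check both points raised in the replies before touching the rule set, added here as an example and not posted by any participant in the thread: it groups ModSecurity denials from the Apache error log by rule id and request variable, and flags clients whose hits would reach the "5 in the last 300 secs" threshold shown in the lfd message. The function names, the variable-matching pattern and the sample lines (documentation-range addresses) are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

HEAD_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] ModSecurity: ')
ID_RE = re.compile(r'\[id "(\d+)"\]')
# Assumption: the message names the offending variable after "in" or "at".
VAR_RE = re.compile(r'\b(?:in|at) ([A-Z_]+(?::\S+)?)')

def parse(line):
    """Return (timestamp, client, rule_id, variable), or None for other lines."""
    head, rule = HEAD_RE.match(line), ID_RE.search(line)
    if not head or not rule:
        return None
    ts = datetime.strptime(head.group(1), "%a %b %d %H:%M:%S %Y")
    var = VAR_RE.search(line)
    return ts, head.group(2), rule.group(1), var.group(1).rstrip(".") if var else None

def summarize(lines):
    """Count denials per (rule id, variable); collect hit times per client."""
    by_rule, by_client = Counter(), defaultdict(list)
    for ts, ip, rule_id, var in filter(None, map(parse, lines)):
        by_rule[(rule_id, var)] += 1
        by_client[ip].append(ts)
    return by_rule, by_client

def would_block(times, limit=5, window=300):
    """True if any `limit` consecutive hits fall within `window` seconds."""
    times = sorted(times)
    return any((times[i + limit - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - limit + 1))

# Constructed sample input in the format of the log line quoted in the thread.
TEMPLATE = ('[Fri Oct 05 07:{m:02d}:{s:02d} 2012] [error] [client {ip}] ModSecurity: '
            'Access denied with code 406 (phase 2). Found 1 byte(s) in {var} '
            'outside range: 1-255. [file "/usr/local/apache/conf/modsec2.user.conf"] '
            '[line "34"] [id "960901"] [msg "Invalid character in request"]')
SAMPLE = [TEMPLATE.format(m=30, s=10 * i, ip="203.0.113.10", var="ARGS:pages[template]")
          for i in range(5)]  # five hits in 40 seconds
SAMPLE += [TEMPLATE.format(m=20 + 4 * i, s=0, ip="203.0.113.20", var="ARGS:q")
           for i in range(5)]  # five hits spread over 16 minutes
SAMPLE.append('[Fri Oct 05 07:31:00 2012] [error] [client 203.0.113.30] '
              'File does not exist: /favicon.ico')  # not a ModSecurity line

if __name__ == "__main__":
    by_rule, by_client = summarize(SAMPLE)
    for (rule_id, var), n in by_rule.most_common():
        print(f"rule {rule_id} on {var}: {n} denials")
    for ip, times in sorted(by_client.items()):
        print(ip, len(times), "hits", "(threshold reached)" if would_block(times) else "")
```

If every blocked client appears under one rule id and one variable, the false-positive explanation is plausible; denials spread across several rules or variables point the other way.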
     