Modsec & Wordpress

Discussion in 'Security' started by Rockforduk, May 13, 2016.

  1. Rockforduk

    Rockforduk Member

    Hi Everyone,
    I have moved to a new server and my Modsec is playing havoc with my WordPress websites. I have whitelisted an awful lot of rules, but one in particular is causing a problem. I use the WordPress app on my phone to update my blog, but Modsec is still blocking it even after I have whitelisted the rule. How can I fix this, please?

    240335 [13/May/2016:23:41:29 +0100]
    Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "COMODO WAF: XML-RPC Attack Identified from My IP Address (+1 hits since last alert) (CVE-2013-0235)"]


    Request: POST /xmlrpc.php
    Action Description: Access denied with code 403 (phase 2).
    Justification: Operator EQ matched 0 at IP.

    Any help would be much appreciated on this.

    Thanks

    Rockforduk
     
  2. quizknows

    quizknows Well-Known Member

    I'm wondering if that rule is overly restrictive on xmlrpc.php. Since xmlrpc.php is so heavily attacked I would not be surprised.

    Also, it is possible that IP data is logged in /var/cpanel/secdatadir/ip.dir and ip.pag. If those files exist you can clear temp data by deleting them and restarting apache. This will reset counts on brute force based rules.

    Taking a look at the 32_Apps_OtherApps.conf file, there is a section for xmlrpc but I don't see how it accounts for legitimate requests. Mind you I'm only taking a quick look at it, however, you may need to whitelist some other rule IDs.

    Sadly since you're on a phone I'm assuming you don't have a static IP address. It would be safer / more preferable to do an IP based whitelist but that is probably not an option.

    If it were me, I would whitelist the rules 240334 and 240336 as well, clear out ip.dir / ip.pag, restart apache, and see where that gets you.
     
    #2 quizknows, May 16, 2016
    Last edited: May 16, 2016
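
An added example, not part of the thread: a Python sketch that tallies which rule IDs fire per request URI in ModSecurity log lines and renders an exclusion limited to that URI, so the rules named above stay active for the rest of the site. The log lines are constructed, and the `[uri "..."]` field, rule ID 900001, the helper names and the choice of a `<LocationMatch>` exclusion are assumptions rather than anything the posters used.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity log style quoted in the first post.
# Assumption: the log in use carries a [uri "..."] field; 900001 is a made-up ID.
SAMPLE_LOG = '''\
Operator EQ matched 0 at IP. [file "/var/cpanel/cwaf/rules/32_Apps_OtherApps.conf"] [line "1204"] [id "240335"] [rev "3"] [msg "constructed sample"] [uri "/xmlrpc.php"]
Operator EQ matched 0 at IP. [id "240335"] [msg "constructed sample"] [uri "/xmlrpc.php"]
Operator EQ matched 0 at IP. [id "240334"] [msg "constructed sample"] [uri "/xmlrpc.php"]
Operator EQ matched 0 at IP. [id "240336"] [msg "constructed sample"] [uri "/xmlrpc.php"]
Pattern match at ARGS. [id "900001"] [msg "constructed sample"] [uri "/wp-login.php"]
'''

# Matches bracketed fields such as [id "240335"], allowing escaped quotes in values.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the bracketed key/value fields of one ModSecurity log line."""
    return dict(FIELD.findall(line))


def hits_by_uri(log_text):
    """Map request URI -> Counter of rule IDs that fired on that URI."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "id" in fields:  # skip lines that are not rule matches
            hits[fields.get("uri", "?")][fields["id"]] += 1
    return hits


def scoped_exclusion(uri, rule_ids):
    """Render an exclusion that applies to one URI only, not server-wide."""
    ids = " ".join(sorted(rule_ids))
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (re.escape(uri), ids))


if __name__ == "__main__":
    hits = hits_by_uri(SAMPLE_LOG)
    for uri, counts in hits.items():
        print(uri, dict(counts))
    # Review the tally before excluding anything; only /xmlrpc.php is rendered here.
    print(scoped_exclusion("/xmlrpc.php", hits["/xmlrpc.php"]))
```
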
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Feel free to update this thread with the outcome after trying the solution suggested by quizknows in the previous response.

    Thank you.
     