Hi
Server1 (according to the logs) is doing a wonderful job of blocking the brute force attacks to wp-login and the xmlrpc.
I run two servers:
Server1)
- CENTOS 6.8 x86_64
- WHM 58.0 (build 26)
- mod security
- Easy Apache3
Server2)
- CLOUDLINUX 6.8 x86_64
- WHM 58.0 (build 27)
- mod security
- Easy Apache4
Code:
## Custom Mod Sec rules (mostly for wordpress)
SecDataDir /var/log/apache2/ipdata
#permissions on the above must be 777
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml
# 5000134-5000137 Block bad wp-logins
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134"
# Setup brute force detection.
<LocationMatch "/wp-login.php">
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'denying %{REMOTE_ADDR} ip address blocked for 15 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"
</LocationMatch>
#900 = 15 minutes
ErrorDocument 401 default
# check bots by user agent and match to included file
# block bad bots
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"
# Block attacks to xmlrpc.php
# See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
# SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
SecStreamInBodyInspection On
SecAction "phase:1,nolog,pass,id:19300,\
initcol:ip=%{REMOTE_ADDR}"
<FilesMatch "xmlrpc.php">
SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
t:none,t:urlDecode,setvar:ip.xmlrpc_bf_counter=+1,\
deprecatevar:ip.xmlrpc_bf_counter=1/300,pass"
SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
deny,status:406,phase:4,t:none,t:urlDecode,\
msg:'Temporary block due to multiple XML-RPC method call failures'"
SecRule ip:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
t:removeWhitespace"
</FilesMatch>
#disabled old rules
#SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
#SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Include /etc/apache2/conf.d/modsec2.whitelist.conf
However server 2 is producing the following errors:
Code:
[client 333.33.33.93] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/wordpress/wp-login.php"]
[client 333.33.33.93] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/index.php"]
I have googled and searched but don't appear to be able to solve this issue. Can anyone please provide some assistance to explain what might be happening here? The permissions on the folder /var/cpanel/secdatadir/ are set to 777.
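The wp-login rules in the posted config (5000135 denies while user.bf_block is set, 5000136 resets the counter on a 302, 5000137 increments it on a 200, decays it with deprecatevar 1/180 and blocks for 900 s once it passes 10) are easier to reason about as a small model. The following is an added example, not the poster's config or ModSecurity's own code. It assumes ModSecurity 2.x semantics for setvar, deprecatevar and expirevar, in particular that deprecatevar measures decay from the time the collection was last updated, and the request sequences it replays are constructed.

```python
"""Model of the wp-login brute-force rules (rules 5000135-5000137).
Added example; assumes ModSecurity 2.x collection semantics, with
deprecatevar decay measured from the collection's last update."""
from dataclasses import dataclass

COUNTER_THRESHOLD = 10              # SecRule ip:bf_counter "@gt 10"
DECAY_STEP, DECAY_PERIOD = 1, 180   # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 900                 # expirevar:user.bf_block=900


@dataclass
class ClientState:
    """The ip.* and user.* collections for one REMOTE_ADDR."""
    bf_counter: int = 0
    last_update: float = 0.0   # collection last-update time used for decay
    block_until: float = 0.0   # user.bf_block expiry; 0 means flag not set


def deprecate(state, now):
    """deprecatevar: subtract DECAY_STEP for every full DECAY_PERIOD since the
    collection was last updated, never going below zero (assumed model)."""
    steps = int((now - state.last_update) // DECAY_PERIOD)
    if steps > 0 and state.bf_counter > 0:
        state.bf_counter = max(0, state.bf_counter - steps * DECAY_STEP)


def handle_request(state, now, status):
    """One request to /wp-login.php at time `now` whose response would carry
    `status`. Returns 'denied' (rule 5000135 fired in phase 2) or 'allowed',
    and applies the phase 5 tracking rules to an allowed response."""
    if state.block_until:
        if now < state.block_until:
            return "denied"
        state.block_until = 0.0            # expirevar lapsed
    if status == 302:                      # successful login: rule 5000136
        state.bf_counter = 0
    elif status == 200:                    # failed login: rule 5000137
        deprecate(state, now)
        state.bf_counter += 1
        if state.bf_counter > COUNTER_THRESHOLD:
            state.block_until = now + BLOCK_SECONDS
            state.bf_counter = 0
    state.last_update = now                # collection persisted at end of request
    return "allowed"


def simulate(events):
    """Replay (time, status) pairs for one client. Returns one
    (time, verdict, bf_counter_after, blocked) tuple per request."""
    state = ClientState()
    rows = []
    for now, status in events:
        verdict = handle_request(state, now, status)
        rows.append((now, verdict, state.bf_counter, state.block_until > now))
    return rows


def burst(count, interval, start=0.0):
    """Constructed attacker pattern: `count` failed logins, `interval` s apart."""
    return [(start + i * interval, 200) for i in range(count)]


if __name__ == "__main__":
    for label, events in [("12 failures 1 s apart", burst(12, 1)),
                          ("12 failures 170 s apart", burst(12, 170)),
                          ("12 failures 200 s apart", burst(12, 200))]:
        denied = [t for t, v, _, _ in simulate(events) if v == "denied"]
        print(f"{label}: first denied request at t={denied[0] if denied else None}")
```

The rule message says "more than 10 login attempts in 3 minutes", but under this model the counter only drops while the collection sits untouched for a full 180 s: a client that fails once every 200 s never accumulates, while one that fails every 170 s is blocked on the 11th attempt, the same as a one-second burst. Worth knowing when reading the server1 logs, since the threshold is a decay rate rather than a sliding window.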
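A triage helper for the "Failed to access DBM file" lines quoted above, added here as an example; it is not the poster's config or any cPanel tooling. It parses the error_log entries, collects the DBM base paths ModSecurity reported, and checks whether the directory and the SDBM file pair (ModSecurity 2 stores each collection as <name>.pag and <name>.dir) are writable by the user Apache runs as. APACHE_USER is assumed to be `nobody`, cPanel's default; the sample log text is constructed from the two posted lines plus one unrelated line to show what is ignored.

```python
"""Parse ModSecurity DBM access errors and check the SDBM files' permissions.
Added example; APACHE_USER and the sample log are assumptions."""
import grp
import os
import pwd
import re
import stat
import sys

APACHE_USER = "nobody"   # assumption: cPanel's default Apache run-as user

DBM_ERROR = re.compile(
    r'ModSecurity: (?P<func>\w+): Failed to access DBM file '
    r'"(?P<path>[^"]+)": (?P<reason>.+?)(?=\s*\[hostname|\s*\[uri|$)')
CLIENT = re.compile(r'\[client (?P<client>[^\]]+)\]')
HOST = re.compile(r'\[hostname "(?P<host>[^"]+)"\]')
URI = re.compile(r'\[uri "(?P<uri>[^"]+)"\]')

# Constructed sample: the two posted lines plus one unrelated warning.
SAMPLE_LOG = """\
[client 333.33.33.93] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/wordpress/wp-login.php"]
[client 333.33.33.93] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "www.userdomainname.com"] [uri "/cgi-sys/ea-php56/index.php"]
[client 333.33.33.93] ModSecurity: Warning. Pattern match "..." at ARGS:foo.
"""


def parse_dbm_error(line):
    """Return a dict (func, path, reason, client, host, uri) for a DBM access
    error line, or None for any other line."""
    m = DBM_ERROR.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for rx in (CLIENT, HOST, URI):
        mm = rx.search(line)
        if mm:
            rec.update(mm.groupdict())
    rec["reason"] = rec["reason"].strip()
    return rec


def failing_dbm_paths(log_text):
    """Distinct DBM base paths from all matching lines, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        rec = parse_dbm_error(line)
        if rec and rec["path"] not in seen:
            seen.append(rec["path"])
    return seen


def can_write(mode, file_uid, file_gid, uid, gids):
    """Pure permission-bit check: can a process running as uid/gids write this
    inode? Root is assumed to bypass; ACLs and SELinux are not modelled."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def inspect_dbm(base_path, uid, gids):
    """Check the directory and the <base>.pag / <base>.dir pair. Returns
    (path, exists, writable) tuples; writable is None when the path is absent."""
    results = []
    for p in (os.path.dirname(base_path), base_path + ".pag", base_path + ".dir"):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            results.append((p, False, None))
            continue
        results.append((p, True, can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)))
    return results


def ids_for_user(name):
    """uid and full group set for a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    try:
        uid, gids = ids_for_user(APACHE_USER)
    except KeyError:
        sys.exit(f"user {APACHE_USER!r} not found; set APACHE_USER")
    for base in failing_dbm_paths(text):
        print(f"DBM {base} (reported by ModSecurity):")
        for p, exists, writable in inspect_dbm(base, uid, gids):
            state = "missing" if not exists else ("writable" if writable else "NOT writable")
            print(f"  {p}: {state} for {APACHE_USER}")
```

Run it as `python3 modsec_dbm_check.py /etc/apache2/logs/error_log` (the script name is a placeholder). Two points the output makes explicit: the log names /var/cpanel/secdatadir as the effective SecDataDir, not the /var/log/apache2/ipdata set in the posted rules, so the script trusts the log rather than the config; and a 777 directory does not change the mode or owner of ip.pag / ip.dir that already exist inside it, which is exactly what the per-file check reports.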