ModSecurity false-positive with ConfigServer cXs ModSecurity rule

mttdl

Registered
Sep 15, 2020
1
0
0
Genova
cPanel Access Level
Root Administrator
Hello,
into my server I have many cases of false-positive, how can I solve? (one hundred by hours sometimes).
I searched online but nothing, this is a case of false-positive.

Thanks for support.
Matteo


This is a sample:
"
Scanning web upload script file...
Time : Mon, 14 Sep 2020 09:48:58 +0200
Web referer URL :
Local IP : 185.31.65.34
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/---/public_html/2020
Web upload script URL : https://---.fr//2020//wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
Remote IP : 192.95.30.59
Upload data md5sum : da4b6ccd2702858d185e3ef600eeaeef
Deleted : No
Quarantined : No


NOTE: This alert may be a ModSecurity false-positive as /home/---/public_html/2020 does not exist
"
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,738
300
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Only thing to do really is disable the rule that is triggering the false positive. Go to modsecurity tools, and search the logs for the IP that is causing the hit, then use the rule number to search in the rules list and there you can disable the rule.
 
  • Like
Reactions: keat63

keat63

Well-Known Member
Nov 20, 2014
1,763
199
93
cPanel Access Level
Root Administrator
Mod security doesn't work for everyone straight out of the box.
I guess each domain/server is different.
Different software etc may trigger different results.

I agree with @GOT
You'll probably have to disable a few rules to fine tune it for your needs.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
13,041
1,206
313
Houston
As has been said already, like almost everything ModSecurity and custom rulesets need to be tweaked to suite your preferences. You may want to contact ConfigServer for issues with their ruleset as well.