ModSecurity false-positive with ConfigServer cXs ModSecurity rule

mttdl

Registered
cPanel Access Level: Root Administrator
Hello,
On my server I have many cases of false positives; how can I solve this? (Sometimes one hundred per hour.)
I searched online but found nothing. This is a case of a false positive.

Thanks for your support.
Matteo


This is a sample:
"
Scanning web upload script file...
Time : Mon, 14 Sep 2020 09:48:58 +0200
Web referer URL :
Local IP : 185.31.65.34
Web upload script user : nobody (99)
Web upload script owner: ()
Web upload script path : /home/---/public_html/2020
Web upload script URL : https://---.fr//2020//wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
Remote IP : 192.95.30.59
Upload data md5sum : da4b6ccd2702858d185e3ef600eeaeef
Deleted : No
Quarantined : No


NOTE: This alert may be a ModSecurity false-positive as /home/---/public_html/2020 does not exist
"
 

GOT

Get Proactive!
PartnerNOC
cPanel Access Level: DataCenter Provider
The only thing to do, really, is disable the rule that is triggering the false positive. Go to ModSecurity Tools and search the logs for the IP that is causing the hit, then use the rule number to search in the rules list, and there you can disable the rule.

keat63

Well-Known Member
cPanel Access Level: Root Administrator
ModSecurity doesn't work for everyone straight out of the box.
I guess each domain/server is different.
Different software etc. may trigger different results.

I agree with @GOT.
You'll probably have to disable a few rules to fine-tune it for your needs.
 

cPanelLauren

Product Owner II
Staff member
As has been said already, like almost everything, ModSecurity and custom rulesets need to be tweaked to suit your preferences. You may want to contact ConfigServer for issues with their ruleset as well.
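
An added example, not part of the thread and not ConfigServer's code: when alerts arrive by the hundred, tallying them by remote IP and request path shows which requests to look up in the ModSecurity logs before deciding whether to disable a rule. It assumes the alert bodies have been saved as one text in the layout of the sample posted above; the sample data, hostnames and addresses in the block are constructed.

```python
import re
from collections import Counter

# Constructed sample: two alerts in the layout shown in the first post
# (hostnames, paths and addresses are placeholders, not real data).
SAMPLE = """\
Scanning web upload script file...
Time : Mon, 14 Sep 2020 09:48:58 +0200
Web upload script path : /home/user1/public_html/2020
Web upload script URL : https://example.test//2020//wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
Remote IP : 203.0.113.7
NOTE: This alert may be a ModSecurity false-positive as /home/user1/public_html/2020 does not exist
Scanning web upload script file...
Time : Mon, 14 Sep 2020 09:50:10 +0200
Web upload script path : /home/user2/public_html
Web upload script URL : https://example.test/upload.php
Remote IP : 203.0.113.7
"""

# Field lines look like "Name : value"; split on the first colon only.
FIELD = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s?(.*)$")

def parse_alerts(text):
    """Split concatenated alert bodies into dicts of field name -> value."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Scanning web upload script file"):
            alerts.append({"possible_fp": False})
        elif not alerts:
            continue  # ignore anything before the first alert header
        elif line.startswith("NOTE:") and "false-positive" in line:
            alerts[-1]["possible_fp"] = True
        elif (m := FIELD.match(line)):
            alerts[-1][m.group(1).strip()] = m.group(2).strip()
    return alerts

def summarize(alerts):
    """Count alerts per (remote IP, URL path, flagged-as-possible-FP)."""
    counts = Counter()
    for a in alerts:
        # Drop scheme and host, then collapse repeated slashes in the path.
        url = re.sub(r"^https?://[^/]+", "", a.get("Web upload script URL", ""))
        counts[(a.get("Remote IP", "?"), re.sub(r"/+", "/", url), a["possible_fp"])] += 1
    return counts

if __name__ == "__main__":
    for (ip, path, fp), n in summarize(parse_alerts(SAMPLE)).most_common():
        print(f"{n:4d}  {ip:15s}  possible_fp={fp}  {path}")
```
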