
ModSecurity Hits List Status Code

Discussion in 'Security' started by plove79, Jan 2, 2017.

  1. plove79

    plove79 Member

    Joined:
    Feb 26, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New York, USA
    cPanel Access Level:
    Website Owner
    I have a ModSecurity rule that blocks several countries.
    Code:
    # Chained rule: the first SecRule performs the GeoIP lookup on the client address,
    # the second matches the resulting country code against the blocked list.
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking Countries'"
    SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
    
    However, on the ModSecurity Hits List, while I am seeing status codes of 403 and 404, I am also seeing status codes of 302 and 200. When I click on 'More', it says "Access denied with connection close (phase 1). Justification Matched phrase "XX" at GEO-COUNTRY_CODE."


    I am still seeing these hits show up in my Wordfence logs and Apache logs.

    If these requests were in fact dropped, shouldn't (1) all status codes be 40x, (2) nothing show up in the Apache logs, and (3) definitely nothing show up in the Wordfence live logs on WordPress?

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    168
    Likes Received:
    36
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I may be wrong, but if you have the log action included in your rule, you're going to get an entry in your Apache error log and ModSecurity audit log. I don't know where Wordfence pulls the data in its log.

    I would try the following modifications to your rule, which sets the status to 403, includes a status of "INFO", and does not log the entry, but it will still include a message in your Hits list, including the country code of the country that is blocked:
    Code:
    # Same chained rule; severity:INFO and status:403 are added, the log action is removed,
    # and the msg uses the %{geo.country_code} macro so the blocked country appears in the Hits list.
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,severity:INFO,status:403,msg:'Blocking %{geo.country_code}'"
    SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
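    A practical way to verify what the thread is asking about, namely which requests actually matched rule id 1 and what status the web server recorded for them, is to join the ModSecurity error-log entries with the Apache access log on client IP and URI. The script below is an added example for this thread; it is not code from the forum posts or from cPanel. It assumes the standard ModSecurity 2.x error-log line format (`[client IP]` or `[client IP:PORT]`, then `ModSecurity: <verdict> [file "..."] [id "..."] [msg "..."] [uri "..."]`) and the Apache combined access-log format; the log lines embedded in it are constructed samples, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the thread), modelled on the
# Apache combined access-log format and the ModSecurity 2.x error-log format.
ACCESS_LOG = """\
203.0.113.5 - - [02/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2017:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2017:10:00:03 +0000] "GET /blog HTTP/1.1" 302 0 "-" "curl/7.50.1"
192.0.2.77 - - [02/Jan/2017:10:00:04 +0000] "GET /about HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# The [file "..."] path below is a constructed placeholder, not a cPanel path.
ERROR_LOG = """\
[Mon Jan 02 10:00:01.123456 2017] [:error] [pid 1234] [client 203.0.113.5:51000] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XX" at GEO:COUNTRY_CODE. [file "/etc/modsecurity/geo-block.conf"] [line "1"] [id "1"] [msg "Blocking Countries"] [hostname "example.com"] [uri "/"] [unique_id "WGoAAQ"]
[Mon Jan 02 10:00:02.223456 2017] [:error] [pid 1234] [client 203.0.113.5:51002] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XX" at GEO:COUNTRY_CODE. [file "/etc/modsecurity/geo-block.conf"] [line "1"] [id "1"] [msg "Blocking Countries"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "WGoAAg"]
[Mon Jan 02 10:00:03.323456 2017] [:error] [pid 1235] [client 198.51.100.9] ModSecurity: Access denied with connection close (phase 1). Matched phrase "YY" at GEO:COUNTRY_CODE. [file "/etc/modsecurity/geo-block.conf"] [line "1"] [id "1"] [msg "Blocking Countries"] [hostname "example.com"] [uri "/blog"] [unique_id "WGoAAw"]
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
# "[client IP]" in Apache 2.2 logs, "[client IP:PORT]" in Apache 2.4 logs.
MODSEC_RE = re.compile(
    r'\[client (?P<ip>[^\]\s]+?)(?::\d+)?\] ModSecurity: (?P<verdict>.*?) \[file '
)
# Bracketed key/value tags such as [id "1"] and [uri "/"].
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_access_log(text):
    """Return one dict per access-log line: client IP, request URI, HTTP status."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        uri = parts[1] if len(parts) > 1 else parts[0]
        rows.append({"ip": m.group("ip"), "uri": uri, "status": int(m.group("status"))})
    return rows


def parse_modsec_log(text):
    """Return one dict per ModSecurity error-log line: IP, verdict text, rule id, msg, uri."""
    hits = []
    for line in text.splitlines():
        m = MODSEC_RE.search(line)
        if not m:
            continue
        tags = dict(TAG_RE.findall(line))
        hits.append({
            "ip": m.group("ip"),
            "verdict": m.group("verdict"),
            "id": tags.get("id"),
            "msg": tags.get("msg"),
            "uri": tags.get("uri"),
        })
    return hits


def correlate(access_rows, hits):
    """Attach to each ModSecurity hit the access-log statuses seen for the same IP and URI,
    and flag hits where a deny verdict coincides with a status below 400."""
    statuses_by_key = defaultdict(list)
    for r in access_rows:
        statuses_by_key[(r["ip"], r["uri"])].append(r["status"])
    report = []
    for h in hits:
        statuses = statuses_by_key.get((h["ip"], h["uri"]), [])
        denied = h["verdict"].startswith("Access denied")
        report.append({**h, "statuses": statuses,
                       "suspicious": denied and any(s < 400 for s in statuses)})
    return report


def status_breakdown(report):
    """Count access-log statuses per rule id; 'none' means no matching access-log line."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in report:
        for s in (r["statuses"] or ["none"]):
            counts[r["id"]][s] += 1
    return {rule: dict(c) for rule, c in counts.items()}


if __name__ == "__main__":
    rep = correlate(parse_access_log(ACCESS_LOG), parse_modsec_log(ERROR_LOG))
    for r in rep:
        flag = "CHECK" if r["suspicious"] else "ok"
        print(f'{flag:5} id={r["id"]} {r["ip"]} {r["uri"]} statuses={r["statuses"]} msg={r["msg"]}')
    print(status_breakdown(rep))
```

    Run against the real files (for example `/var/log/apache2/error_log` and the domain's access log), the per-rule breakdown shows at a glance whether every hit on rule id 1 ended in a 4xx, or whether some connections reached the application and were recorded with 200 or 302, which is the discrepancy plove79 describes.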
    
     