ModSecurity Hits List Status Code

plove79

Member
Feb 26, 2016
New York, USA
cPanel Access Level: Website Owner
I have a ModSecurity rule that blocks several countries.
Code:
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking Countries'"
SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
However, on the ModSecurity Hits List, while I am seeing status codes of 403 and 404, I am also seeing status codes of 302 and 200. When I click on 'More', it says "Access denied with connection close (phase 1). Justification Matched phrase "XX" at GEO-COUNTRY_CODE."


I am still seeing these hits show up in my Wordfence logs and Apache logs.

If these requests were in fact dropped, shouldn't (1) all status codes be 40x, (2) nothing show up in the Apache logs, and (3) definitely nothing show up in the Wordfence live logs on WordPress?

Thanks!

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level: Root Administrator
I may be wrong, but if you have the log action included in your rule, you're going to get an entry in your Apache error log and ModSecurity audit log. I don't know where Wordfence pulls the data in its log.

I would try the following modifications to your rule, which set the status to 403, include a severity of "INFO", and do not log the entry, but it will still include a message in your Hits list, including the country code of the country that is blocked:
Code:
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,severity:INFO,status:403,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
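Added example, not part of this thread: a small Python script that parses ModSecurity 2.x's serial audit log (the log the rule's logging actions write to, and assumed here to be what the cPanel Hits list is built from) and tallies intercepted transactions by rule id, intercept phase and recorded response status, so entries like the 302s and 200s described above can be isolated for review. The two audit-log entries, transaction ids and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: two serial audit-log entries written by the geo-blocking chain
# (rule id 1); only the A, F, H and Z sections this script reads are included.
SAMPLE_AUDIT_LOG = """\
--0a1b2c3d-A--
[26/Feb/2016:09:15:02 -0500] Vs5oHsCoAAAAAG3zAAAAAQ 203.0.113.7 51234 198.51.100.2 80
--0a1b2c3d-F--
HTTP/1.1 403 Forbidden
--0a1b2c3d-H--
Message: Access denied with connection close (phase 1). Matched phrase "XX" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking Countries"]
Action: Intercepted (phase 1)
--0a1b2c3d-Z--

--4e5f6a7b-A--
[26/Feb/2016:09:15:09 -0500] Vs5oIcCoAAAAAG30AAAAAQ 203.0.113.9 51240 198.51.100.2 80
--4e5f6a7b-F--
HTTP/1.1 302 Found
--4e5f6a7b-H--
Message: Access denied with connection close (phase 1). Matched phrase "YY" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking Countries"]
Action: Intercepted (phase 1)
--4e5f6a7b-Z--
"""

# Section boundary line: --<transaction id>-<section letter>--
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def parse_entries(text):
    """Split a serial audit log into {transaction_id: {section_letter: body}}."""
    parts = SECTION_RE.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    entries = {}
    for i in range(1, len(parts), 3):
        entries.setdefault(parts[i], {})[parts[i + 1]] = parts[i + 2].strip()
    return entries

def summarise(text):
    """Count entries by (rule id, intercept phase, response status) from the H and F sections."""
    counts = Counter()
    for sections in parse_entries(text).values():
        h, f = sections.get("H", ""), sections.get("F", "")
        rule = re.search(r'\[id "(\d+)"\]', h)
        phase = re.search(r"Action: Intercepted \(phase (\d)\)", h)
        status = re.search(r"^HTTP/\d\.\d (\d{3})", f, re.M)
        key = tuple(m.group(1) if m else None for m in (rule, phase, status))
        counts[key] += 1
    return dict(counts)

if __name__ == "__main__":
    for (rule_id, phase, status), n in sorted(summarise(SAMPLE_AUDIT_LOG).items()):
        print(f"rule {rule_id} phase {phase} status {status}: {n}")
```

Point the script at the real modsec_audit.log instead of SAMPLE_AUDIT_LOG to see which intercepted transactions were recorded with a status other than 403.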