Hello,
Thank you for the idea.
I looked under
/usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
and it seems like the following rules use IP collections: 900018, 900020, 900021.
After disabling these rules, the 'Failed to access DBM file "/var/cpanel/secdatadir/ip"' errors stopped.
I would rather disable a few rules and have at least partial security than disable mod_security globally.
Note: mod_ruid2 is enabled.
Code:
#
# -- [[ Global and IP Collections ]] -----------------------------------------------------
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "id:'900018', phase:1, t:none,t:sha1,t:hexEncode, setvar:tx.ua_hash=%{matched_var}, nolog, pass"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "id:'900019', phase:1, t:none, capture, setvar:tx.real_ip=%{tx.1}, nolog, pass"
SecRule &TX:REAL_IP "!@eq 0" "id:'900020', phase:1, t:none, initcol:global=global, initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, nolog, pass"
SecRule &TX:REAL_IP "@eq 0" "id:'900021', phase:1, t:none, initcol:global=global, initcol:ip=%{remote_addr}_%{tx.ua_hash}, setvar:tx.real_ip=%{remote_addr}, nolog, pass"
#
# Set the SecCollectionTimeout directive to a lower setting (default
# is 1 hour). Reducing this setting increases performance by cleaning
# out old/stale entries.
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
# Using 600 (10 mins).
SecCollectionTimeout 600
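
Added example, not part of the original post and not cPanel or CRS code: a small Python check that lists which rule IDs in a ModSecurity config open a persistent collection with `initcol`, so only those need reviewing when the DBM files under the data directory cannot be accessed. The function names are hypothetical and `SAMPLE` is constructed from the excerpt above.

```python
import re

# SecRule VARIABLES "OPERATOR" "ACTIONS": both quoted, backslash escapes allowed
RULE_RE = re.compile(r'^\s*SecRule\s+\S+\s+"(?:[^"\\]|\\.)*"\s+"((?:[^"\\]|\\.)*)"')
ID_RE = re.compile(r"\bid:'?(\d+)'?")
INITCOL_RE = re.compile(r"\binitcol:'?(\w+)=")

def logical_lines(text):
    """Yield directives with backslash continuations joined; skip comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf:
            yield buf
        buf = ""

def rules_initialising_collections(text):
    """Map rule id -> sorted persistent collections the rule opens via initcol."""
    found = {}
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue  # not a SecRule (e.g. SecCollectionTimeout)
        actions = m.group(1)
        cols = sorted({c.lower() for c in INITCOL_RE.findall(actions)})
        rid = ID_RE.search(actions)
        if cols and rid:
            found[rid.group(1)] = cols
    return found

# Constructed sample: the four rules from the excerpt above.
SAMPLE = r'''
# Create both Global and IP collections for rules to use
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "id:'900018', phase:1, t:none,t:sha1,t:hexEncode, setvar:tx.ua_hash=%{matched_var}, nolog, pass"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "id:'900019', phase:1, t:none, capture, setvar:tx.real_ip=%{tx.1}, nolog, pass"
SecRule &TX:REAL_IP "!@eq 0" "id:'900020', phase:1, t:none, initcol:global=global, initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, nolog, pass"
SecRule &TX:REAL_IP "@eq 0" "id:'900021', phase:1, t:none, initcol:global=global, initcol:ip=%{remote_addr}_%{tx.ua_hash}, setvar:tx.real_ip=%{remote_addr}, nolog, pass"
SecCollectionTimeout 600
'''

if __name__ == "__main__":
    for rid, cols in rules_initialising_collections(SAMPLE).items():
        print(rid, "->", ", ".join(cols))
```

Only rules that call `initcol` open the persistent store; a rule that just sets `tx` variables is per-transaction and does not appear in the output.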