ModSecurity show server ip as source instead of attacker ip

seco

Member
Mar 18, 2015
6
0
1
Egypt
cPanel Access Level
Root Administrator
Hi,
I upgraded PHP to 5.5, and after the upgrade I found that ModSecurity shows the server IP as the source of the attack instead of the attacker's IP, as it did before the upgrade!
As a result, the CSF firewall is not blocking subsequent attacks,
and CXS is also not blocking the IP after a malicious file upload, and no upload IP address is shown at all!
What is wrong?
How do I make ModSecurity show the attacker's IP instead of the server IP?
Thanks in advance.
 

Jcats

Well-Known Member
PartnerNOC
May 25, 2011
806
156
168
New Jersey
cPanel Access Level
DataCenter Provider
Hello,

Are you running another web server on top of Apache like Nginx as a proxy?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
CXS file upload scanning is VERY picky, and if anything is wrong with configuration it simply allows the file.

This is my line in /etc/cxs/cxscgi.sh (only ONE line should be uncommented):

Code:
/usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
You must make the quarantine using the CXS command line utilities. If not, the permissions may be wrong, resulting in every file being approved :/

Code:
cxs -Q /home/quarantine -qcreate
Then simply make sure this is still in your configuration for Apache/modsecurity:
Code:
SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
"log,auditlog,deny,severity:2,id:'1010101'"
Restart apache and you should be good (well, for upload scanning at least)
 

seco

I reinstalled Nginx and now ModSecurity catches the attacker's IP :)
But I don't know why it was actually the problem!
Any idea why Nginx was the problem?
Thanks in advance.
 

Jcats

Maybe you didn't have mod_rpaf installed on the previous install, hard to say.
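
Added example, not part of the thread and not code from mod_rpaf, ModSecurity or cPanel: a sketch of the general trusted-proxy technique a module like mod_rpaf relies on, showing why the backend logs the proxy's address when no usable forwarding header is applied. The `X-Forwarded-For` header choice, the `TRUSTED_PROXIES` values, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the addresses Apache sees when Nginx on the same host proxies to it.
# 203.0.113.10 is a constructed stand-in for the server's own public IP.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "203.0.113.10/32")]


def is_trusted(addr):
    """True only if addr parses as an IP and belongs to one of our proxies."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, x_forwarded_for=None):
    """Return the address the WAF and firewall should log and block."""
    # Connection did not come from our proxy: the header is client-controlled,
    # so ignore it and use the TCP peer address.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: our own proxies append on the right, so the first
    # untrusted hop from the right is the last address we can vouch for.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not trust anything to its left
        if not is_trusted(hop):
            return hop
    # Header missing or unusable: only the proxy address is known, which is
    # the symptom described in this thread (server IP logged as the source).
    return peer_addr


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer seen by Apache, X-Forwarded-For)
    samples = [("127.0.0.1", None),
               ("127.0.0.1", "198.51.100.7"),
               ("127.0.0.1", "192.0.2.99, 198.51.100.7"),
               ("198.51.100.7", "10.1.1.1")]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```

Entries to the left of the first untrusted hop are supplied by the client, so blocking decisions should never be based on them.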
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello :)

It's difficult to pinpoint any specific reason why it works after reinstalling Nginx. Keep in mind that Nginx, though widely utilized, is not supported by cPanel.

Thank you.