ModSecurity show server ip as source instead of attacker ip

Discussion in 'Security' started by seco, Sep 27, 2015.

  1. seco

    Hi,
    I upgraded PHP to 5.5, and after the upgrade I found that ModSecurity shows the server IP as the source of the attack instead of the attacker IP, as it did before the upgrade!
    As a result, the CSF firewall is not blocking subsequent attacks,
    and CXS is also not blocking the IP after a malicious file upload, and there is no upload IP address shown at all!
    What is wrong?
    How do I make ModSecurity show the attacker IP instead of the server IP?
    Thanks in advance.
     
  2. Jcats

    Hello,

    Are you running another web server on top of Apache like Nginx as a proxy?
     
  3. seco

    Yes, there is Nginx as a proxy.
     
  4. quizknows

    CXS file upload scanning is VERY picky, and if anything is wrong with the configuration it simply allows the file.

    This is my line in /etc/cxs/cxscgi.sh (only ONE line should be uncommented):

    Code:
    /usr/sbin/cxs --quiet --cgi -Q /home/quarantine --qoptions Mv --logfile /var/log/cxs.log --smtp --mail root "$1"
    
    You must make the quarantine using the CXS command line utilities. If not, the permissions may be wrong, resulting in every file being approved :/

    Code:
    cxs -Q /home/quarantine -qcreate
    
    Then simply make sure this is still in your configuration for Apache/modsecurity:
    Code:
    SecRule "FILES_TMPNAMES" "@inspectFile /etc/cxs/cxscgi.sh"\
    "log,auditlog,deny,severity:2,id:'1010101'"
    
    Restart Apache and you should be good (well, for upload scanning at least).
     
  5. seco

    I reinstalled Nginx and now ModSecurity catches the attacker IP :)
    But I don't know why it was the problem, actually!
    Any idea why Nginx was the problem?
    Thanks in advance.
     
    #5 seco, Sep 27, 2015
    Last edited: Sep 27, 2015
  6. Jcats

    Maybe you didn't have mod_rpaf installed on the previous install, hard to say.
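
A quick check for the symptom discussed in this thread, as an added example that is not part of any post: it scans Apache error-log lines for ModSecurity hits whose `[client ...]` address is loopback or one of the server's own addresses, which is what Apache records when requests arrive through a local proxy and nothing (such as mod_rpaf) restores the visitor's address. The log lines, addresses and hostname are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\]")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

# Constructed, shortened error-log lines; 192.0.2.10 stands in for the server's own IP.
SAMPLE_LOG = [
    '[Sun Sep 27 10:15:02 2015] [error] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/upload.php"]',
    '[Sun Sep 27 10:16:40 2015] [error] [client 127.0.0.1] ModSecurity: Access denied '
    'with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/upload.php"]',
    '[Sun Sep 27 11:02:11 2015] [error] [client 203.0.113.45] ModSecurity: Access denied '
    'with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/upload.php"]',
    '[Sun Sep 27 11:05:00 2015] [error] [client 192.0.2.10] File does not exist: '
    '/home/user/public_html/favicon.ico',
]


def parse_client(field):
    """Parse the [client ...] value; Apache 2.4 logs IPv4 clients as ip:port."""
    host = field.rsplit(":", 1)[0] if field.count(":") == 1 else field
    return ipaddress.ip_address(host)


def masked_modsec_hits(lines, server_ips):
    """Return (rule_id, client_ip) for ModSecurity hits attributed to the server itself."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    hits = []
    for line in lines:
        if "ModSecurity:" not in line:
            continue  # ordinary Apache errors are not what the firewall acts on
        match = CLIENT_RE.search(line)
        if not match:
            continue
        try:
            client = parse_client(match.group(1))
        except ValueError:
            continue  # unparseable client field; skip rather than guess
        if client.is_loopback or client in own:
            rule = RULE_ID_RE.search(line)
            hits.append((rule.group(1) if rule else None, str(client)))
    return hits


if __name__ == "__main__":
    for rule_id, client in masked_modsec_hits(SAMPLE_LOG, ["192.0.2.10"]):
        print(f"rule {rule_id}: logged client {client} is this server, not the visitor")
```

Any hit returned here means a firewall that acts on the logged address would be looking at the server rather than the visitor, so the proxy-to-Apache address handling needs fixing before the blocking can work.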
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's difficult to pinpoint any specific reason why it works after reinstalling Nginx. Keep in mind that Nginx, though widely utilized, is not supported by cPanel.

    Thank you.
     