ModSecurity Vendors OWASP generates a lot of errors in APACHE

nadav123

Well-Known Member
Mar 2, 2020
159
18
18
Orlando, FL
cPanel Access Level
Root Administrator
Hey, I am experiencing a lot of errors in the Apache log from the OWASP 3.0 cPanel vendor.

This is my apache log:
Code:
Log Messages
    [Sun Sep 05 05:26:38.981372 2021] [:error] [pid 13467:tid 47640012740352] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/"] [unique_id "YTSNTi0AZDjcZz_Q1_nymAAAAMY"]
    [Sun Sep 05 05:26:38.891279 2021] [:error] [pid 13397:tid 47640002234112] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/_ignition/execute-solution"] [unique_id "YTSNTlym1HRkmy6xhGgslQAAAIE"]
    [Sun Sep 05 05:26:38.618408 2021] [:error] [pid 13332:tid 47640002234112] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/Autodiscover/Autodiscover.xml"] [unique_id "YTSNTsqWFjVSrKVZWg_pWwAAAEE"]
    [Sun Sep 05 05:26:38.574010 2021] [:error] [pid 13308:tid 47640004335360] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/console/"] [unique_id "YTSNTtagryVXEO6t6D_h7QAAAAI"]
    [Sun Sep 05 05:26:38.341683 2021] [:error] [pid 13528:tid 47640006436608] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^0?$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/conf.d/imh-modsec/01_base_rules.conf"] [line "10"] [id "960011"] [msg "GET or HEAD requests with bodies"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/EVASION"] [hostname "198.46.88.63"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YTSNTmY6Y9ZH99jP5WBmyQAAAQM"]
    [Sun Sep 05 05:26:38.304811 2021] [:error] [pid 13467:tid 47640002234112] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/wp-content/plugins/wp-file-manager/readme.txt"] [unique_id "YTSNTi0AZDjcZz_Q1_nymAAAAME"]
    [Sun Sep 05 05:26:38.068236 2021] [:error] [pid 13397:tid 47640050562816] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/"] [unique_id "YTSNTlym1HRkmy6xhGgslQAAAJg"]
    [Sun Sep 05 05:26:38.042065 2021] [:error] [pid 13332:tid 47640000132864] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=5,HTTP=0,SESS=0): individual paranoia level scores: 8, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "198.46.88.63"] [uri "/403.shtml"] [unique_id "YTSNTsqWFjVSrKVZWg_pWwAAAEA"]
    [Sun Sep 05 05:26:38.041258 2021] [:error] [pid 13332:tid 47640000132864] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "198.46.88.63"] [uri "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"] [unique_id "YTSNTsqWFjVSrKVZWg_pWwAAAEA"]
    [Sun Sep 05 05:26:38.040793 2021] [:error] [pid 13332:tid 47640000132864] [client 45.146.164.110:0] [client 45.146.164.110] ModSecurity: Warning. Pattern match "(?:<\\\\?(?:[^x]|x[^m]|xm[^l]|xml[^\\\\s]|xml$|$)|<\\\\?php|\\\\[(?:\\\\/|\\\\\\\\)?php\\\\])" at ARGS_NAMES:
I see another guy gets errors very similar to mine:

_____________________________

I got confused.
cPanel created vendor rules that generate errors non-stop in its own log? It does not make sense.

Or do these errors actually need to appear in the log?

I don't know, it does not make sense.


Does it look normal to you to get all these errors because of the OWASP rule set? Every 5 seconds in the log?

I don't think so, I am a little bit worried.

Need guidance, guys.


Please help.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
15,218
2,417
363
cPanel Access Level
Root Administrator
Hey there! The logs for ModSecurity track all incoming connections that trigger a rule, so it's not something that would be happening by itself. You'll see the client address is listed in that log entry you provided.

The reason the error is appearing so frequently is likely due to an issue with a specific page. The best thing to do when this happens would be to remove that specific rule. Details on how to do that can be found here: How can I disable a ModSecurity rule?
 

nadav123

Thank you cPRex.

But are you sure it is not some attack on the server?
I'm going to turn it off anyway.

But are you sure all these IPs trying to get in are not some kind of attack?

Btw, these are all the rules I found in the Apache log:
920350
980130
949110
920220
933150
960011

Are you sure I should turn off all these rules?
 

nadav123

I have both.

So what to do???
Turn it off?
Turn it on?
I can turn it on and adjust the Apache log to receive only critical errors.
Is that an option as well?

The errors went away after disabling these 7 rules.
But if you say these are attacks,
maybe it needs to be there?

Or is it not serious because it is only 7 rules? (I have 400 more rules...)
 

nadav123

Both... it is in the Apache log (httpd log).

And there is a rule I turned off, and after 5 minutes it activates itself again:
932105

And yes, sometimes it is the same IP, and sometimes the IPs change to others; a couple you see more, a couple you see less.

Now I have an error in the log again; for some reason one rule activated itself again.


What to do? cPRex, maybe it is a good error? Huh, is there something like that?
 

cPRex

I would say that if you're seeing the same IPs frequently triggering the same rule, it would be best to block that IP in the firewall so it can't make any connection to your server.

I would not expect a rule to reactivate itself after you've turned it off through WHM.
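
As an added example (not part of the original thread, and not cPanel's or the CRS project's code): a Python script that groups ModSecurity entries by `unique_id`, so that one request's warnings and its blocking decision are read together, and then counts blocked requests per client to find the repeat IPs discussed above. The sample lines are constructed in the thread's log layout with documentation IP addresses, and the severity points are the CRS 3.x defaults, under which a lone 920350 warning (3 points) stays below the blocking threshold of 5.

```python
import re
from collections import Counter, defaultdict

# CRS 3.x default anomaly points per severity; default inbound threshold is 5.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
QUOTED = re.compile(r'\[(id|severity|uri|unique_id) "([^"]*)"\]')
CLIENT = re.compile(r"\[client ([^\]\s]+)\]")
CORRELATION_RULE = "980130"  # summary entry, logged against the error document

def parse_entry(line):
    """Parse one ModSecurity line of the Apache error log; None otherwise."""
    fields = dict(QUOTED.findall(line))
    clients = CLIENT.findall(line)
    if "ModSecurity:" not in line or not clients or "unique_id" not in fields:
        return None
    fields["client"] = clients[-1]  # the second [client ...] has no port
    fields["denied"] = "ModSecurity: Access denied" in line
    return fields

def correlate(lines):
    """Group entries by unique_id: one record per HTTP transaction."""
    txs = defaultdict(lambda: {"client": None, "uri": None, "rules": [],
                               "score": 0, "denied": False})
    for entry in filter(None, map(parse_entry, lines)):
        tx = txs[entry["unique_id"]]
        tx["client"] = entry["client"]
        tx["denied"] = tx["denied"] or entry["denied"]
        if entry.get("id") == CORRELATION_RULE:
            continue
        tx["uri"] = entry.get("uri")
        tx["rules"].append(entry.get("id"))
        if not entry["denied"]:  # only "Warning." matches add anomaly points
            tx["score"] += SEVERITY_POINTS.get(entry.get("severity"), 0)
    return dict(txs)

def repeat_offenders(txs, min_denied=2):
    """Clients with at least min_denied blocked transactions."""
    denied = Counter(t["client"] for t in txs.values() if t["denied"])
    return {ip: n for ip, n in denied.items() if n >= min_denied}

def _line(client, action, rule, severity, uri, uid):
    # Constructed sample line in the thread's log layout (file/tag fields omitted).
    sev = f' [severity "{severity}"]' if severity else ""
    return (f"[Tue Sep 07 16:58:41.7 2021] [:error] [pid 1:tid 2] "
            f"[client {client}:0] [client {client}] ModSecurity: {action} "
            f'[id "{rule}"] [msg "..."]{sev} [uri "{uri}"] [unique_id "{uid}"]')

DENY = "Access denied with code 403 (phase 2)."
SAMPLE = [  # constructed; documentation IPs, newest entry first as in the thread
    _line("203.0.113.20", "Warning.", "980130", None, "/403.shtml", "tx-C"),
    _line("203.0.113.20", DENY, "949110", "CRITICAL", "/a.php", "tx-C"),
    _line("203.0.113.20", "Warning.", "933150", "CRITICAL", "/a.php", "tx-C"),
    _line("203.0.113.20", "Warning.", "920350", "WARNING", "/a.php", "tx-C"),
    _line("203.0.113.20", DENY, "949110", "CRITICAL", "/b.axd", "tx-B"),
    _line("203.0.113.20", "Warning.", "920440", "CRITICAL", "/b.axd", "tx-B"),
    _line("203.0.113.20", "Warning.", "920350", "WARNING", "/b.axd", "tx-B"),
    _line("203.0.113.10", "Warning.", "920350", "WARNING", "/", "tx-A"),
]

if __name__ == "__main__":
    for uid, tx in correlate(SAMPLE).items():
        print(uid, tx)
    print("block candidates:", repeat_offenders(correlate(SAMPLE)))
```

Reading the real log this way separates the entries that were only logged from the requests that were actually denied, and the denied count per client is the list to take to the firewall.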
 

nadav123

You are right, my mistake. This is a new rule that now got an error in the log.

So these are all the IDs I found until now in the log:
933150
933180
933151
980130
949110
9005100
920220
920350
930130

And now I see this too:
932105

So eventually all this is good? And I believe there will be more.
I can activate them all back, but what about the Apache log?

It gets a lot of errors.
I can put it on "critical" notes.
What do you recommend?

Should I activate them all back and change the Apache log warning? Or do you not recommend this method?
 

nadav123

No, in the interface or performance there isn't any difference.
But the log gets full very fast with these rules active (like a lot of errors, EVERY 10 SEC, 20 SEC, NEW ERROR / BLOCK).

Now I have errors from time to time. (Much less)
As I said, I can activate all of them back
and put the log on critical notes.

Then I will not see all these errors,
and the vendor will block them without filling up the log.

But I don't know if cPanel recommends this option... :/
 

cPRex

I think it's fine to disable specific rules if they are causing an issue for a web page.

I would not disable a rule just because it's filling up the log. I would check that page to make sure there isn't an issue (such as filling out a form, or the page not loading content properly - just make sure it's working) and then if the rule is still being tripped you might need to work with the designer of the site to fix it, or block the IP.
 

nadav123

cPRex, all these errors are not triggered because of my pages.
They tried to get into ports and IPs, let's say:
[client 45.146.164.110] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"]

This guy tried this:
198.46.88.63:80
or
198.46.88.63:8080

198.46.88.63
is the IP of my nameserver.
ns2.locksmithunit.com

this IP:
45.146.164.110
is in the Russian Federation, I don't know what it is, but I am for sure not in Russia...
They do not get into the pages.
Pages and forms work perfectly without any problem,
let's say:

You can even send an email, I checked it already.

But yes, the rules generate a lot of errors.
Again, they tried to get into IPs, and the URL does not exist.

Anyway, I activated the rules back.
 

nadav123

I did,
but all this is in the log:
Code:
Log Messages
    [Tue Sep 07 17:00:00.138273 2021] [mpm_worker:notice] [pid 28549:tid 47943559283776] AH00292: Apache/2.4.48 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4 mod_fcgid/2.3.9 Phusion_Passenger/6.0.10 configured -- resuming normal operations
    [Tue Sep 07 16:59:27.677942 2021] [:error] [pid 28669:tid 47944021780224] [client 45.33.96.205:0] [client 45.33.96.205] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/"] [unique_id "YTfSr26ns2WxGqoSkXk52QAAAA4"]
    [Tue Sep 07 16:58:41.738390 2021] [:error] [pid 28771:tid 47944017577728] [client 193.118.53.210:0] [client 193.118.53.210] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 8, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "198.46.88.63"] [uri "/403.shtml"] [unique_id "YTfSgV3nFOBHTVeQbcUpfwAAAMw"]
    [Tue Sep 07 16:58:41.737207 2021] [:error] [pid 28771:tid 47944017577728] [client 193.118.53.210:0] [client 193.118.53.210] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "198.46.88.63"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "YTfSgV3nFOBHTVeQbcUpfwAAAMw"]
    [Tue Sep 07 16:58:41.736619 2021] [:error] [pid 28771:tid 47944017577728] [client 193.118.53.210:0] [client 193.118.53.210] ModSecurity: Warning. String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1034"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".axd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "YTfSgV3nFOBHTVeQbcUpfwAAAMw"]
    [Tue Sep 07 16:58:41.736522 2021] [:error] [pid 28771:tid 47944017577728] [client 193.118.53.210:0] [client 193.118.53.210] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/Telerik.Web.UI.WebResource.axd"] [unique_id "YTfSgV3nFOBHTVeQbcUpfwAAAMw"]
    [Tue Sep 07 16:57:47.432703 2021] [:error] [pid 28701:tid 47944017577728] [client 144.86.173.84:0] [client 144.86.173.84] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/imh-modsec/01_base_rules.conf"] [line "64"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "ns2.locksmithunit.com"] [uri "/"] [unique_id "YTfSSw1D6VSIhA8dq3-FFwAAAIw"]
    [Tue Sep 07 16:51:14.325892 2021] [:error] [pid 28771:tid 47944007071488] [client 107.155.104.162:0] [client 107.155.104.162] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "199.250.199.48"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "199.250.199.48"] [uri "/autodiscover/autodiscover.json"] [unique_id "YTfQwl3nFOBHTVeQbcUpfwAAAMc"]
    [Tue Sep 07 16:48:40.475119 2021] [:error] [pid 28669:tid 47944002868992] [client 180.241.44.73:0] [client 180.241.44.73] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "23.235.206.148"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "23.235.206.148"] [uri "/"] [unique_id "YTfQKG6ns2WxGqoSkXk52QAAAAU"]
    [Tue Sep 07 16:36:55.165377 2021] [:error] [pid 28669:tid 47944034387712] [client 172.105.161.246:0] [client 172.105.161.246] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/"] [unique_id "YTfNZ26ns2WxGqoSkXk52AAAABQ"]
    [Tue Sep 07 16:29:50.338446 2021] [:error] [pid 28771:tid 47944025982720] [client 191.100.10.128:0] [client 191.100.10.128] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "23.235.206.148"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "23.235.206.148"] [uri "/"] [unique_id "YTfLvl3nFOBHTVeQbcUpfgAAANA"]
    [Tue Sep 07 16:27:13.942203 2021] [:error] [pid 28670:tid 47944023881472] [client 199.19.224.165:0] [client 199.19.224.165] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "198.46.88.63"] [severity "WARNING"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "198.46.88.63"] [uri "/config/getuser"] [unique_id "YTfLIcUvT5XooOb3TB5dOwAAAE8"]
    [Tue Sep 07 16:11:35.304955 2021] [mpm_worker:notice] [pid 28549:tid 47943559283776] AH00292: Apache/2.4.48 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4 mod_fcgid/2.3.9 Phusion_Passenger/6.0.10 configured -- resuming normal operations
It is a lot.
This is in 1 minute.
So... is my server under attack?
My only option not to flood my Apache log is to move it from a warning to "critical" notes.
 

nadav123

I tried from WHM > ModSecurity configuration, but it does not work either :/
The only way I see now not to flood the Apache log is to put it on critical notes.

I have CSF, or maybe you know how to get rid of the log flood "naturally"?
 

cPRex

At this point it might be best if you submitted a ticket to our team so we could check the server directly. If you are able to do that, please post the ticket number here so I can follow along and keep this thread updated.