modsecurity

I sometimes struggle to understand what is going on with the logs of mod_sec so I can best thwart them. So I asked ChatGPT. It came up with a python script to send alerts and breakdown in plain language the alert. Here it is below. I haven't used it yet but thought it interesting enough to...

I will preface this with saying that to my knowledge, this problem started after upgrading to AlmaLinux 8 and/or enabling the nginx reverse proxy. Feeling that modsec 2 was not working, I followed the modsec 3 guide, found here...

Q1: It appears that the default modsec in cPanel does not allow PATCH or DELETE (only GET HEAD POST OPTIONS, per rule 901160). Is this the case, and if so, why? # Default HTTP policy: allowed_methods (rule 900200) SecRule &;TX:allowed_methods "@eq 0" \...

Hi. I'm not convinced that all hits to mod_security are showing up in ModSecurity Tools > Hits List. There are lots of results in there, but I'm fairly sure not all. Is that possible?

Hello, I get the following error when adding from rule "https://waf.comodo.com/doc/meta_comodo_litespeed.yaml". Error: API failure: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.6”. The only versions of ModSecurity this rule set supports are “2.7.5”...

Last few days we have been noticing that Google crawler IP's (i.e. 66.249.xxx.xxx) have stared being blocked by the OWASP modsecurity rules. This is not an isolated case, we have many servers and the same issues has been seen across all of them. Previously we had no issues like this related to...

Hello, looking page Modsecurity 3 cpanel Docs I noticed that modsecurity3 is still on experimental. since the page on this page is on July 13, 2022 I was wondering if maybe it's been released or if you know when it will be done. thank you !!

If you are using OWASP rules v. 3.3.4 you can experience problem with GTmetrix service. All requests will serve 403 error. It is interesting becouse probably GTmetrix sends forbidden header. GTmetrix is blocked by 3 rules: 920450 - request protocol enforcement 949110 - request blocking...

Is GeoLite2-Country-Locations-en.csv the file that ModSecurity needs to have Geolocation Database pointed to? I'm confused... My GeoIP.dat is very old, but the MAXMIND list of databases are al GeoIP2 which are not compatible with ModSecurity...

Mod Security 2.9.6 security update released. Is it possible to update Mod security from 2.9.3 to 2.9.6? it is necessary in order to update CRS to 3.3.4 https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

I am running Apache behind Nginx. Over the ModSecurity tools page under the "source" column it's only the main IP address of the server. What do I need to do to get the actual attacker IP?

Hello FYI I was confronted with the blocking of an interface following modsecurity blocking by rule N°1234123447 Precisely the request: "?_wblapi=/forsef/v1/ping" Triggers rule N°1234123447 because of the term "ping" In bold just below. ModSecurity: Access denied with code 501, [Rule: 'ARGS'...

Is it possible to get the most updated OWASP Core Rule Set on CentOS? We would like to implement ModSecurity rules that are available on the latest versions. We’re on version 3.0 and the current stable version is 3.3. Are there compatibility issues with cPanel for the latest version?

On transferring Service Configurations, ModSecurity completed with one failure: Failed: (XID 2chkk6) The WHM API v1 call “modsec_make_config_inactive” failed: The following configuration is not active: modsec_vendor_configs/OWASP3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf Upon retrying it...

Hi guys, based on your experience in a shared hosting environment it is preferable to set modsecurity to traditional mode or anomaly score? I am running on traditional but i have frequent false-positive. the good in traditional mode is less load on server. what do you think? thanks

I've installed mod_security2 and read the cPanel docs: https://blog.cpanel.com/how-to-install-and-configure-modsecurity-in-cpanel/ but I have a few other questions. 1. Should I install OWASP? What does it do? 2. I see under "Configuration" that I can provide a link to a MaxMind database...

Hi, the last few days i've been battling with one specific website (out of many on the same server) which wont render correctly. When inspecting, the site loads as plain HTML and the console shows a load of 403 or 404 errors for every image, CSS file or JS script. I have finally got it narrowed...

HI, I am wondering what are this hit from 127.0.0.1 from modsecurity. I have a lot of triggering event about 920340: Request Containing Content, but Missing Content-Type header 933150: PHP Injection Attack: High-Risk PHP Function Name Found 930130: Restricted File Access Attempt 920170: GET or...

Is there a way to make ModSecurity send alert emails for every rule triger?

For about a week or so, httpd has been crashing about once a day. In the "Log Messages" section of the cpanel service failure notification email, it lists a bunch of modsecurity hits in red. Nothing stands out about them, just the run of the mill malicious bots. Maybe only the quantity...