modsecurity

  1. V

    Centos 8 - mod_security v3 not working custom rules

    I'm running tests on Centos 8.2 and Cpanel v92. When I install mod_security v3 and want to add custom rules from the edit rules section, I see the following error. None of the SecConnEngine, SecRuleEngine, SecRule codes are recognized. Error: The system could not validate the new Apache...
  2. leonep

    ModSecurity Geolocation Database Setup

    Hi, I want to add Geolocation db in modsecurity config... looking to the description: so it appears ModSecurity accepts only GeoIp v1 format in the maxmind I found only Geoip2 database... any suggestions please?? Thanks a lot
  3. C

    modsecurity question

    Hello, I know cPanel is loaded with questions similar to what I'm seeing. But I started using (just today/yesterday) modsecurity rules. I'm seeing some permission denied errors for GeoIP and other and I think it is because I don't have a db path in the configuration section for modsecurity...
  4. S

    modsecurity IDs sequential?

    Are modsec rule IDs sequential? Like is their preference linear? If I want to whitelist an IP does my ID have to be as low as possible (e.g. 1 thru say 200)? Or can I make it like 60000 and it will still work?
  5. cPAdminsMichael

    Experience with the new OWASP ModSecurity CRS 3.3?

    Hi guys, Do any of you have any experience yet with the newly released OWASP ModSecurity Core Rule Set v3.3 that was released last month? (OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks) Worth trying out?
  6. L

    Modsecurity - Configure Individual Domains

    G'day All, Does anyone know where the notation is made within the modsec configuration when a user disables modsecurity for all or any domain within their cPanel? I've looked in the expected locations (/etc/apache2/conf.d/userdata etc.) without success. We just need to be able to produce a...
  7. A

    OWASP ModSecurity Core Rule Set V3.0 breaks after every update

    When I run "/usr/local/cpanel/scripts/modsec_vendor update OWASP3" I get the following errors: The system failed to update the vendor from the URL http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml warn [modsec_vendor] The system failed to update the vendor from the URL...
  8. A

    How to Remove ModSecurity?

    Hi! I've searched this for thousands of topics and haven't found it, oddly enough. I would like to know from any of you how can I clear ModSecurity logs? I already deleted modsec_audit.log, but the logs continue. In my case I have more than 20,000 pages of logs.
  9. J

    In Progress [CPANEL-27532] /scripts/modsec_vendor update failed

    All of our servers are reporting identical update failures: The cPanel & WHM update process failed for the following reason: Maintenance ended; however, it did not exit cleanly (256). The following events were logged: “scripts/modsec_vendor”. Review the update logs to determine why the update...
  10. joaosavioli

    Limiting ModSecurity rule to specific files?

    Hi! Please, how could I limit the action of this rule only in wp-login.php and xmlrpc.php? SecRule REQUEST_HEADERS:User-Agent "@contains gecko" "id:5000501,t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '" Thank you! Joao
  11. weblinks

    Comodo WAF ModSecurity ruleset leading to large secdatadir cache files

    CLOUDLINUX 7.6 [] v78.0.23 Hi, I am getting this alert Time: Mon May 20 04:00:08 2019 +0500 ModSecurity persistent IP database (/var/cpanel/secdatadir/ip.pag) size is 51.73GB This requires further investigation otherwise it will start to affect server performance. but when I am checking...
  12. J

    SOLVED mod_security rule not working

    Trying to stop a bad bot from accessing server using mod_security rules. I have the following but it's not working. SecRule REQUEST_HEADERS:User-Agent "@rx ^(?:Datanyze)$" "msg:'Datanyze blocked',phase:1,log,id:777777,t:none,block,status:403" The word "Datanyze" is contained in the User...
  13. jonh

    Collections_remove_stale...

    I'm getting this error in ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/global": Permission denied I don't have mod_ruid2 enabled. All info says this is the issue, but I don't have this mod loaded/enabled. Causing not to be able to access admin ajax...
  14. cuzzmunger

    ModSecurity - Domain listed not mine

    Hi There, I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones? Any help appreciated. Kim. OWASP3 Hits List...
  15. S

    SOLVED Modsec found critical issue, but did nothing about it?

    I guess I don't understand how modsec works. How did it log this error, but seemingly do nothing about it? Message: Warning. Matched phrase "masscan" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id...
  16. O

    Disabling several mod_security rules due to 403 response to POST request?

    I upgraded to WHM 76 and started having an issue where mod_security was blocking form submits that included code. It seemed that whenever the server received a POST request that contained a lot of triangle brackets and matched some code rules/regex and took me to a 403 Forbidden error. This was...
  17. S

    SOLVED modsec version?

    I'm running cPanel v74.0.12. It has modsecurity installed with Apache. How do I find out the version of modsec I have? I looked everywhere and cannot find a single thing about version.
  18. M

    Advice on modsecurity response when rule is hit

    Hi, I've been playing with modsecurity for the past few days. My experiment mostly is posting illegal requests to a website and checking audit log for rule HIT. I am confused on how ModSecurity should work. For example: I do simple GET...
  19. T

    Update hangs due to 3rd Party ModSec Rules

    Updating cPanel/WHM via WebUI -- when using 3rd party ModSecurity ruleset provider malware.expert WebUI process sticks at 94% and never progresses past this point. If I leave the UI page and come back, it reports it is still in progress and shows me the log file with the same contents -- up to...
  20. M

    SOLVED [EA-8081] ModSecurity v2.9.3 update

    I read ModSecurity has released v2.9.3. This should fix some major issues with mod_ruid2 and permissions on folders modsecurity needed. Any idea when this update will be released for Easy Apache 4 / cPanel users? Or is there a manual update method suggested? Thanks